Analysis
max time kernel: 55s
max time network: 58s
platform: windows11-21h2_x64
resource: win11-20231129-en
resource tags: arch:x64, arch:x86, image:win11-20231129-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-12-2023 18:10
Behavioral task: behavioral1
Sample: Electron.exe
Resource: win7-20231130-en

Behavioral task: behavioral2
Sample: Electron.exe
Resource: win10-20231129-en

Behavioral task: behavioral3
Sample: Electron.exe
Resource: win10v2004-20231127-en
General
Target: Electron.exe
Size: 3.2MB
MD5: 5dd7500f21add8f9bc322529a35cb55f
SHA1: b12eec8fdf6224f65e27fb9d9b06dc4375e1b37b
SHA256: 48d2d3e579bbcddda54aa5bd48197b179ca7b75018d05ce12ff3cf9e7b78e40e
SHA512: dfbbb5b026e46dd5569814f6e8558678808bf9d4d7c8d4949f8943bb7eb92ecea8f2abfc0f9f2becdd0d2f04b61000262f20e2af87a11e3fc8d4931879633e3b
SSDEEP: 98304:/veL26AaNeWgPhlmVqkQ7XSKB3OzLRCL:3e4SlPgL
Malware Config
Extracted
quasar
1.4.1
Office04
limehag920-33288.portmap.host:33288
9818b060-d6e3-4e48-b21e-c9ef7bc65511
encryption_key: E97F64327412A3864CF0B0BE4A85415B949C39AD
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (1 IoCs)
resource: behavioral4/memory/4240-0-0x00000000009D0000-0x0000000000D04000-memory.dmp
yara_rule: family_quasar

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 4 IoCs)
pid / process
4488 / PING.EXE
1800 / PING.EXE
4484 / PING.EXE
904 / PING.EXE

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / process
Token: SeDebugPrivilege / 4240 / Electron.exe
Token: SeDebugPrivilege / 4768 / Electron.exe
Token: SeDebugPrivilege / 3668 / Electron.exe
Token: SeDebugPrivilege / 2024 / Electron.exe
Token: SeDebugPrivilege / 1636 / Electron.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
pid / process
4240 / Electron.exe
4768 / Electron.exe
3668 / Electron.exe
2024 / Electron.exe
1636 / Electron.exe

Suspicious use of SendNotifyMessage (5 IoCs)
pid / process
4240 / Electron.exe
4768 / Electron.exe
3668 / Electron.exe
2024 / Electron.exe
1636 / Electron.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid / process
3668 / Electron.exe
2024 / Electron.exe
1636 / Electron.exe

Suspicious use of WriteProcessMemory (32 IoCs)
description / pid / process / procid_target
PID 4240 wrote to memory of 5104 / 4240 / Electron.exe / 78
PID 4240 wrote to memory of 5104 / 4240 / Electron.exe / 78
PID 5104 wrote to memory of 996 / 5104 / cmd.exe / 80
PID 5104 wrote to memory of 996 / 5104 / cmd.exe / 80
PID 5104 wrote to memory of 4484 / 5104 / cmd.exe / 81
PID 5104 wrote to memory of 4484 / 5104 / cmd.exe / 81
PID 5104 wrote to memory of 4768 / 5104 / cmd.exe / 82
PID 5104 wrote to memory of 4768 / 5104 / cmd.exe / 82
PID 4768 wrote to memory of 4504 / 4768 / Electron.exe / 84
PID 4768 wrote to memory of 4504 / 4768 / Electron.exe / 84
PID 4504 wrote to memory of 3784 / 4504 / cmd.exe / 85
PID 4504 wrote to memory of 3784 / 4504 / cmd.exe / 85
PID 4504 wrote to memory of 904 / 4504 / cmd.exe / 86
PID 4504 wrote to memory of 904 / 4504 / cmd.exe / 86
PID 4504 wrote to memory of 3668 / 4504 / cmd.exe / 87
PID 4504 wrote to memory of 3668 / 4504 / cmd.exe / 87
PID 3668 wrote to memory of 3536 / 3668 / Electron.exe / 88
PID 3668 wrote to memory of 3536 / 3668 / Electron.exe / 88
PID 3536 wrote to memory of 3432 / 3536 / cmd.exe / 90
PID 3536 wrote to memory of 3432 / 3536 / cmd.exe / 90
PID 3536 wrote to memory of 4488 / 3536 / cmd.exe / 91
PID 3536 wrote to memory of 4488 / 3536 / cmd.exe / 91
PID 3536 wrote to memory of 2024 / 3536 / cmd.exe / 92
PID 3536 wrote to memory of 2024 / 3536 / cmd.exe / 92
PID 2024 wrote to memory of 1920 / 2024 / Electron.exe / 93
PID 2024 wrote to memory of 1920 / 2024 / Electron.exe / 93
PID 1920 wrote to memory of 2704 / 1920 / cmd.exe / 95
PID 1920 wrote to memory of 2704 / 1920 / cmd.exe / 95
PID 1920 wrote to memory of 1800 / 1920 / cmd.exe / 96
PID 1920 wrote to memory of 1800 / 1920 / cmd.exe / 96
PID 1920 wrote to memory of 1636 / 1920 / cmd.exe / 97
PID 1920 wrote to memory of 1636 / 1920 / cmd.exe / 97
Processes
(depth / image / PID; the command line and the triggered signatures are listed under each process)

1  C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID:4240
   cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

  2  C:\Windows\system32\cmd.exe  PID:5104
     cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZzVEk7errOBs.bat" "
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\system32\chcp.com  PID:996
       cmdline: chcp 65001

    3  C:\Windows\system32\PING.EXE  PID:4484
       cmdline: ping -n 10 localhost
       - Runs ping.exe

    3  C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID:4768
       cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage
       - Suspicious use of WriteProcessMemory

      4  C:\Windows\system32\cmd.exe  PID:4504
         cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DruAiIwLoJnF.bat" "
         - Suspicious use of WriteProcessMemory

        5  C:\Windows\system32\chcp.com  PID:3784
           cmdline: chcp 65001

        5  C:\Windows\system32\PING.EXE  PID:904
           cmdline: ping -n 10 localhost
           - Runs ping.exe

        5  C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID:3668
           cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of FindShellTrayWindow
           - Suspicious use of SendNotifyMessage
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory

          6  C:\Windows\system32\cmd.exe  PID:3536
             cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOMuJkUC57IK.bat" "
             - Suspicious use of WriteProcessMemory

            7  C:\Windows\system32\chcp.com  PID:3432
               cmdline: chcp 65001

            7  C:\Windows\system32\PING.EXE  PID:4488
               cmdline: ping -n 10 localhost
               - Runs ping.exe

            7  C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID:2024
               cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

              8  C:\Windows\system32\cmd.exe  PID:1920
                 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMj2XCyT9gOr.bat" "
                 - Suspicious use of WriteProcessMemory

                9  C:\Windows\system32\chcp.com  PID:2704
                   cmdline: chcp 65001

                9  C:\Windows\system32\PING.EXE  PID:1800
                   cmdline: ping -n 10 localhost
                   - Runs ping.exe

                9  C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID:1636
                   cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
                   - Suspicious use of AdjustPrivilegeToken
                   - Suspicious use of FindShellTrayWindow
                   - Suspicious use of SendNotifyMessage
                   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads