Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20231130-en
resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2023 06:14
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231130-en
General

Target: tmp.exe
Size: 3.1MB
MD5: e606a8d90dc0458e72508b428e950038
SHA1: 5ca61eaf0e2d26e1cf70ff2da183440fe2792081
SHA256: 1fea532c75a33209f094f835261b4f579613a7b2ece7f046a11309d34537f8d5
SHA512: e0b0a4c33f9256415802beed59913b3db9b02b146eebd9f599abfd2099dc5a4695e2163c6b5a481ff6f52e68173463347b4cd2e5e238a01f75c0c06a79c04dc4
SSDEEP: 49152:evlt62XlaSFNWPjljiFa2RoUYItiRJ6CbR3LoGdWTHHB72eh2NT:evX62XlaSFNWPjljiFXRoUYItiRJ68
Malware Config

Extracted: quasar
1.4.1
Office04
41.216.183.22:4782
73d47cb4-df1b-4a92-9966-ab4a6e59fac1
encryption_key: 9BB10B12B951D4020613CEC9F1D40DD2EE861BD7
install_name: Office365.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Office365
subdirectory: SubDir
Signatures

Quasar payload (1 IoCs)
resource | yara_rule
behavioral1/memory/2112-0-0x0000000001260000-0x0000000001584000-memory.dmp | family_quasar

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2344 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2112 | tmp.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2112 wrote to memory of 2344 | 2112 | tmp.exe | 29
PID 2112 wrote to memory of 2344 | 2112 | tmp.exe | 29
PID 2112 wrote to memory of 2344 | 2112 | tmp.exe | 29

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 2112
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\schtasks.exe (child of PID 2112)
      command line: "schtasks" /create /tn "Office365" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Office365.exe" /rl HIGHEST /f
      PID: 2344
      - Creates scheduled task(s)