Analysis

max time kernel: 151s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-12-2023 07:17
General

Target: d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09.exe
Size: 3.1MB
MD5: f0207a4a17b47cba7d87142363b12477
SHA1: c2203e69e92e6ba6394e6f711429fadf8b65845e
SHA256: d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09
SHA512: 35f37bb38a070220dbe9f6511ab5bf8bca07fae46b5edefa5356a9294fc98b97735719410887b40776a7232711620f5c92f6bb45a7a54d597faef675196da810
SSDEEP: 49152:Kvpt62XlaSFNWPjljiFa2RoUYIAunRJ65bR3LoGdcTHHB72eh2NT:Kvj62XlaSFNWPjljiFXRoUYIAunRJ67
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet/tag: Office04
C2: 127.0.0.1:4782
Mutex: 4b2195e4-fb92-4868-914b-7332837f4388
encryption_key: 26FFD71DADD23C1D90404D858942E1C47093C7CF
install_name: Synecs.exe
log_directory: pergs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

Note: the C2 is the loopback address, so this build can only reach a server running on the infected host itself, which is consistent with the empty Network section below. The install path in the process tree (%APPDATA%\SubDir\Synecs.exe) matches the extracted subdirectory and install_name.
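Added example (not part of this report and not Quasar's own code): a stdlib-only Go re-implementation of how a Quasar 1.4 client turns the encryption_key above into its AES and HMAC keys and unwraps one encrypted Settings string, which is what a config extractor does to recover fields such as the C2 and mutex. The salt, the 50000 PBKDF2 iterations, the 32+64 byte key split and the HMAC||IV||ciphertext layout are taken from the public Quasar 1.4 Aes256 source as I recall it and should be checked against that source before relying on them. The report shows no raw encrypted strings, so the test vector is constructed by the block's own Encrypt; the HOSTS value "127.0.0.1:4782;" is the page's C2 in Quasar's host-list syntax.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed container layout of one encrypted Quasar 1.4 Settings string
// (from the public Quasar 1.4 Aes256 class, not from this report):
//   base64( HMAC-SHA256(iv||ct) [32] || iv [16] || AES-256-CBC/PKCS7 ct )
// Keys: PBKDF2-HMAC-SHA1(masterKey, quasarSalt, 50000) as one continuous
// stream; bytes 0..31 are the AES key, bytes 32..95 the HMAC key (what .NET's
// Rfc2898DeriveBytes.GetBytes(32) followed by GetBytes(64) yields).
var quasarSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}

const macLen, ivLen, pbkdf2Iter = 32, 16, 50000

// pbkdf2SHA1 is RFC 8018 PBKDF2 with HMAC-SHA1, written out to avoid x/crypto.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	ctr := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

type QuasarAES struct{ key, authKey []byte }

func NewQuasarAES(masterKey string) *QuasarAES {
	stream := pbkdf2SHA1([]byte(masterKey), quasarSalt, pbkdf2Iter, 96)
	return &QuasarAES{key: stream[:32], authKey: stream[32:96]}
}

// Decrypt checks the MAC over iv||ct first and only then runs AES-CBC.
func (q *QuasarAES) Decrypt(b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(blob) < macLen+ivLen+aes.BlockSize {
		return "", errors.New("blob too short")
	}
	mac := hmac.New(sha256.New, q.authKey)
	mac.Write(blob[macLen:])
	if !hmac.Equal(mac.Sum(nil), blob[:macLen]) {
		return "", errors.New("invalid message authentication code")
	}
	iv, ct := blob[macLen:macLen+ivLen], blob[macLen+ivLen:]
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext not block aligned")
	}
	block, _ := aes.NewCipher(q.key) // key length is fixed at 32, cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: last byte is the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// Encrypt is the client-side inverse; used here only to build test vectors
// offline, because the report does not expose the sample's raw strings.
func (q *QuasarAES) Encrypt(plaintext string) (string, error) {
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(q.key)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, q.authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...)), nil
}

func main() {
	// encryption_key from the report; the HOSTS plaintext is constructed.
	q := NewQuasarAES("26FFD71DADD23C1D90404D858942E1C47093C7CF")
	enc, _ := q.Encrypt("127.0.0.1:4782;")
	dec, err := q.Decrypt(enc)
	fmt.Println(dec, err)
}
```

When pointing this at a real client, the Base64 strings live in the static initializer of the Settings class (HOSTS, MUTEX, TAG, STARTUPKEY, and so on); a MAC failure on every field almost always means a wrong master key or a different Quasar version, not a corrupt sample, because the client derives both keys from the single encryption_key before it checks anything else.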
Signatures

Quasar payload (2 IoCs)
resource                                                                   yara_rule
behavioral1/memory/1976-0-0x00000000006D0000-0x00000000009F6000-memory.dmp   family_quasar
behavioral1/files/0x00080000000230e1-5.dat                                   family_quasar

Executes dropped EXE (1 IoC)
pid   Process
4720  Synecs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1976  d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09.exe
Token: SeDebugPrivilege  4720  Synecs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4720  Synecs.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                       pid   Process                                                                 procid_target
PID 1976 wrote to memory of 4720  1976  d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09.exe  91
PID 1976 wrote to memory of 4720  1976  d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09.exe  91
Processes

C:\Users\Admin\AppData\Local\Temp\d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09.exe"
  PID: 1976
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe  (child of PID 1976)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"
    PID: 4720
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 3.1MB
MD5: f0207a4a17b47cba7d87142363b12477
SHA1: c2203e69e92e6ba6394e6f711429fadf8b65845e
SHA256: d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09
SHA512: 35f37bb38a070220dbe9f6511ab5bf8bca07fae46b5edefa5356a9294fc98b97735719410887b40776a7232711620f5c92f6bb45a7a54d597faef675196da810