Analysis
-
max time kernel
147s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system -
submitted
14-12-2023 08:15
Behavioral task
behavioral1
Sample
f0207a4a17b47cba7d87142363b12477.exe
Resource
win7-20231023-en
General
-
Target
f0207a4a17b47cba7d87142363b12477.exe
-
Size
3.1MB
-
MD5
f0207a4a17b47cba7d87142363b12477
-
SHA1
c2203e69e92e6ba6394e6f711429fadf8b65845e
-
SHA256
d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09
-
SHA512
35f37bb38a070220dbe9f6511ab5bf8bca07fae46b5edefa5356a9294fc98b97735719410887b40776a7232711620f5c92f6bb45a7a54d597faef675196da810
-
SSDEEP
49152:Kvpt62XlaSFNWPjljiFa2RoUYIAunRJ65bR3LoGdcTHHB72eh2NT:Kvj62XlaSFNWPjljiFXRoUYIAunRJ67
Malware Config
Extracted
Family
quasar
-
Version
1.4.1
-
Botnet
Office04
-
C2
127.0.0.1:4782 (loopback address and the Quasar default port; as configured, this client only connects to its own host, so no outbound beacon is expected from this build)
-
Mutex
4b2195e4-fb92-4868-914b-7332837f4388
-
encryption_key
26FFD71DADD23C1D90404D858942E1C47093C7CF
-
install_name
Synecs.exe
-
log_directory
pergs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 4 IoCs
resource  yara_rule
behavioral1/memory/2852-0-0x00000000011B0000-0x00000000014D6000-memory.dmp  family_quasar
behavioral1/files/0x000e000000014488-5.dat  family_quasar
behavioral1/files/0x000e000000014488-6.dat  family_quasar
behavioral1/memory/2904-7-0x0000000000DA0000-0x00000000010C6000-memory.dmp  family_quasar
-
Executes dropped EXE 1 IoCs
pid  Process
2904  Synecs.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  2852  f0207a4a17b47cba7d87142363b12477.exe
Token: SeDebugPrivilege  2904  Synecs.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
2904  Synecs.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description  pid  Process  procid_target
PID 2852 wrote to memory of 2904  2852  f0207a4a17b47cba7d87142363b12477.exe  28
PID 2852 wrote to memory of 2904  2852  f0207a4a17b47cba7d87142363b12477.exe  28
PID 2852 wrote to memory of 2904  2852  f0207a4a17b47cba7d87142363b12477.exe  28
Processes
-
Level 1
Image: C:\Users\Admin\AppData\Local\Temp\f0207a4a17b47cba7d87142363b12477.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f0207a4a17b47cba7d87142363b12477.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
-
Level 2 (child of PID 2852)
Image: C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2904
-
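The extracted config and the process tree above together give the host-level artefacts this client leaves behind: the install path (%APPDATA%\SubDir\Synecs.exe, confirmed by the Level 2 process), the Run value name "Quasar Client Startup", the mutex GUID and the log directory name. The following is an added example, not part of the sandbox report or of Quasar itself: it derives those indicators from the config values on this page and matches them against Sysmon-style process, file and registry events. The event records are constructed for the example (the registry event in particular is not on the page); the assumptions that Quasar installs to %APPDATA%\<subdirectory>\<install_name>, persists through a Run value named after startup_key (HKCU when not elevated, HKLM when elevated) and writes logs to %APPDATA%\<log_directory> are labelled in the code.

```python
"""
Derive host indicators from the Quasar config extracted on this page and
match them against process / file / registry events.  Added example; the
event records below are constructed, not taken from the sandbox run.
"""
import ntpath
import re

# Values as extracted in the Malware Config section of the report.
QUASAR_CONFIG = {
    "version": "1.4.1",
    "c2": "127.0.0.1:4782",
    "mutex": "4b2195e4-fb92-4868-914b-7332837f4388",
    "install_name": "Synecs.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
    "log_directory": "pergs",
}

# Assumption: Quasar installs to %APPDATA%\<subdirectory>\<install_name>,
# persists via a Run value named <startup_key> (HKCU when not elevated,
# HKLM when elevated) and keeps logs under %APPDATA%\<log_directory>.
RUN_KEY_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def derive_indicators(cfg):
    """Turn the config into lower-cased, environment-relative indicators."""
    appdata = "%APPDATA%"
    return {
        "install_path": ntpath.join(appdata, cfg["subdirectory"], cfg["install_name"]).lower(),
        "run_values": {f"{key}\\{cfg['startup_key']}".lower() for key in (RUN_KEY_HKCU, RUN_KEY_HKLM)},
        "mutex": cfg["mutex"].lower(),
        "log_dir": ntpath.join(appdata, cfg["log_directory"]).lower(),
        "c2": cfg["c2"],
    }


def normalize(path):
    """Lower-case a Windows path and fold the per-user profile dirs into %APPDATA% / %TEMP%."""
    p = path.lower()
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", "%appdata%", p)
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp", "%temp%", p)
    return p


# Constructed Sysmon-style events mirroring the process tree on this page.
# The registry_set event is assumed (the page shows no registry activity).
EVENTS = [
    {"type": "process_create", "pid": 2852, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f0207a4a17b47cba7d87142363b12477.exe"},
    {"type": "file_create", "pid": 2852,
     "target": r"C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"},
    {"type": "process_create", "pid": 2904, "ppid": 2852,
     "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"},
    {"type": "registry_set", "pid": 2904,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup",
     "details": r"C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"},
    {"type": "process_create", "pid": 3000, "ppid": 600,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def match_events(events, ind):
    """Return (pid, reason) pairs for events touching the derived indicators."""
    hits = []
    # Image per pid, so a child can be tied back to a dropper running from %TEMP%.
    images = {e["pid"]: normalize(e["image"]) for e in events if e["type"] == "process_create"}
    for e in events:
        if e["type"] == "process_create":
            if normalize(e["image"]) == ind["install_path"]:
                reason = "quasar install path executed"
                if images.get(e["ppid"], "").startswith("%temp%\\"):
                    reason += " by dropper in %TEMP%"
                hits.append((e["pid"], reason))
        elif e["type"] == "file_create":
            if normalize(e["target"]) == ind["install_path"]:
                hits.append((e["pid"], "quasar client dropped to install path"))
        elif e["type"] == "registry_set":
            if e["target"].lower() in ind["run_values"]:
                hits.append((e["pid"], "run value set for quasar startup key"))
    return hits


if __name__ == "__main__":
    for pid, reason in match_events(EVENTS, derive_indicators(QUASAR_CONFIG)):
        print(f"PID {pid}: {reason}")
```

The parent/child link is the part worth keeping in a real rule: an executable under %APPDATA%\SubDir\ started by a process in %TEMP% is the install step the report shows as PID 2852 writing to 2904, and it holds even when a rebuilt client changes install_name or the mutex.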
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
2.8MB
MD5
429de06914d1e1a5cf09dd755484477b
SHA1
145a12277186734a6ef5c797be7b8c8a88e39741
SHA256
38a5b3dd3704940537ab05d6e620a4b3c043552810cfc396b918da9915b77152
SHA512
8ef1808c5aa2846ca9b98ec8876d23d8000b578e57a9e5b2a6e1364a5636d18ee1968a0a2f672b69ff7c8a8704498dbc9db7c3d1c575594cddafe48b9f8aed6a
-
Filesize
1.9MB
MD5
df53c8bb353c99a68b7a08e825eb9f69
SHA1
ca55da52c540241dfa36a8a916323374f3c4a0ce
SHA256
c6fa1f2359fe0441ca266220d4e0696e0e713c5bde4dc40e3e5ab7c4bca16515
SHA512
fd80f62c5b309252f6678c003dbb38943baed7efaf2da7a36e081c13023eb3785daa6a89941bd4021937126390a715a5be705ad47513d3a8b87f203d97b97ed0