Analysis
  max time kernel: 150s
  max time network: 142s
  platform: windows10-2004_x64
  resource: win10v2004-20231127-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14-12-2023 08:15
Behavioral task: behavioral1
  Sample: f0207a4a17b47cba7d87142363b12477.exe
  Resource: win7-20231023-en
General
  Target: f0207a4a17b47cba7d87142363b12477.exe
  Size: 3.1MB
  MD5: f0207a4a17b47cba7d87142363b12477
  SHA1: c2203e69e92e6ba6394e6f711429fadf8b65845e
  SHA256: d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09
  SHA512: 35f37bb38a070220dbe9f6511ab5bf8bca07fae46b5edefa5356a9294fc98b97735719410887b40776a7232711620f5c92f6bb45a7a54d597faef675196da810
  SSDEEP: 49152:Kvpt62XlaSFNWPjljiFa2RoUYIAunRJ65bR3LoGdcTHHB72eh2NT:Kvj62XlaSFNWPjljiFXRoUYIAunRJ67
Malware Config
  Extracted family: quasar
  version: 1.4.1
  tag: Office04
  C2: 127.0.0.1:4782
  mutex: 4b2195e4-fb92-4868-914b-7332837f4388
  encryption_key: 26FFD71DADD23C1D90404D858942E1C47093C7CF
  install_name: Synecs.exe
  log_directory: pergs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures
  Quasar payload (2 IoCs)
    resource                                                                              yara_rule
    behavioral2/memory/4908-0-0x00000000009E0000-0x0000000000D06000-memory.dmp            family_quasar
    behavioral2/files/0x00080000000230cc-5.dat                                            family_quasar
  Executes dropped EXE (1 IoC)
    pid   Process
    2752  Synecs.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   4908  f0207a4a17b47cba7d87142363b12477.exe
    Token: SeDebugPrivilege   2752  Synecs.exe
  Suspicious use of SetWindowsHookEx (1 IoC)
    pid   Process
    2752  Synecs.exe
  Suspicious use of WriteProcessMemory (2 IoCs)
    description                       pid   Process                                procid_target
    PID 4908 wrote to memory of 2752  4908  f0207a4a17b47cba7d87142363b12477.exe   89
    PID 4908 wrote to memory of 2752  4908  f0207a4a17b47cba7d87142363b12477.exe   89
Processes
  C:\Users\Admin\AppData\Local\Temp\f0207a4a17b47cba7d87142363b12477.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f0207a4a17b47cba7d87142363b12477.exe"
    PID: 4908
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"
      PID: 2752
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
  Filesize: 3.1MB
  MD5: f0207a4a17b47cba7d87142363b12477
  SHA1: c2203e69e92e6ba6394e6f711429fadf8b65845e
  SHA256: d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09
  SHA512: 35f37bb38a070220dbe9f6511ab5bf8bca07fae46b5edefa5356a9294fc98b97735719410887b40776a7232711620f5c92f6bb45a7a54d597faef675196da810