Analysis

max time kernel: 129s
max time network: 143s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 12:51

Behavioral task: behavioral1
Sample: 1914a2c8d1589d346dec86208bbbee37.exe
Resource: win7-20231215-en
General

Target: 1914a2c8d1589d346dec86208bbbee37.exe
Size: 502KB
MD5: 1914a2c8d1589d346dec86208bbbee37
SHA1: c9f854cb866fc0dfa54ad4438fb1e3479a9a384e
SHA256: a725bb8800499239e18eb3973b4c4371214e8da4efb12108ac42957a3819572b
SHA512: fb7c411b9aa69deb8ac2660846a555e3bc2481dea13b858f1aa214a67160f02eb205dd08e84c6867c06deddca00ca562c938e2f667e05faac67adfcd9385799c
SSDEEP: 6144:RTEgdc0Y3XAGbgiIN2RSBytYsf4q2gRslboscE6Ob8F9SAO+uKaE6lcTR3S:RTEgdfYvbgeeAb5sqpAx+uKadlcdS
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Botnet: test1
C2: 166.62.33.218:6624
Mutex: b2e23ea3-acf2-4226-ae2a-ae57e85e6e82

Attributes:
encryption_key: C8BFD012DB4B42D492F03E53D34F6E70BFC0E813
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2624-0-0x00000000000F0000-0x0000000000174000-memory.dmp  family_quasar
  behavioral1/memory/2624-2-0x000000001AD30000-0x000000001ADB0000-memory.dmp  family_quasar

Drops file in Program Files directory (2 IoCs)
Processes: 1914a2c8d1589d346dec86208bbbee37.exe
  description                   ioc                                 process
  File created                  C:\Program Files\SubDir\Client.exe  1914a2c8d1589d346dec86208bbbee37.exe
  File opened for modification  C:\Program Files\SubDir\Client.exe  1914a2c8d1589d346dec86208bbbee37.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 1914a2c8d1589d346dec86208bbbee37.exe
  description              pid   process
  Token: SeDebugPrivilege  2624  1914a2c8d1589d346dec86208bbbee37.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 1914a2c8d1589d346dec86208bbbee37.exe
  description                       pid   process                               target process
  PID 2624 wrote to memory of 2916  2624  1914a2c8d1589d346dec86208bbbee37.exe  schtasks.exe
  PID 2624 wrote to memory of 2916  2624  1914a2c8d1589d346dec86208bbbee37.exe  schtasks.exe
  PID 2624 wrote to memory of 2916  2624  1914a2c8d1589d346dec86208bbbee37.exe  schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe"
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
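The extracted config and the process tree above describe the same persistence step from two sides: the config carries the task name (startup_key), the install directory (subdirectory + install_name) and the file name, and the behavioural log shows schtasks.exe creating exactly that task. The following is an added example, not part of this sandbox report and not Quasar's own code, that parses schtasks command lines from process-creation records, flags the combination of a logon trigger, /rl HIGHEST and a user-writable target path, and then checks the observed events against what the config predicts. The record field names (pid, ppid, image, cmdline), the two benign events, and the assumption that Quasar installed under C:\Program Files (the report shows that variant) are all constructed for the example.

```python
"""Correlate a Quasar config with schtasks persistence seen in process logs.

Added example: record layout and benign events are constructed; the
schtasks and file-drop events are copied from the sandbox report above.
"""
import re
from dataclasses import dataclass

# Fields copied from the report's Malware Config section (only those used here).
QUASAR_CONFIG = {
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}

# File-creation IoC from the report.
DROPPED_FILES = [r"C:\Program Files\SubDir\Client.exe"]

# Constructed process-creation records. The first two mirror the report's
# process tree; the last two are invented benign activity so the rule is
# shown not firing on an ordinary daily task or a /query.
EVENTS = [
    {"pid": 2624, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe"'},
    {"pid": 2916, "ppid": 2624, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe" /rl HIGHEST /f'},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
    {"pid": 3200, "ppid": 900, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "Backup"'},
]

# Locations an unprivileged user can write to; a task that runs from here is
# far more suspicious than one that runs from Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\[^\\]+\\Downloads|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE)


def split_args(cmdline):
    """Split a Windows command line; a double-quoted run becomes one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return the schtasks switches as a dict, e.g. {"action": "create", "tn": ..., "sc": ...}.

    A /switch followed by a token that is not itself a switch is taken to
    carry that token as its value; the first bare switch is the action."""
    toks = split_args(cmdline)[1:]  # drop the program name
    out = {"action": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                out[key] = toks[i + 1]
                i += 2
                continue
            if out["action"] is None:
                out["action"] = key
            out[key] = True
        i += 1
    return out


@dataclass
class Finding:
    pid: int
    task_name: str
    target: str
    reasons: list


def detect_persistence_task(event):
    """Flag schtasks /create with a logon/boot trigger, /rl HIGHEST, or a
    user-writable target; return None for anything else."""
    if not event["image"].lower().endswith(r"\schtasks.exe"):
        return None
    args = parse_schtasks(event["cmdline"])
    if args.get("action") != "create":
        return None
    target = str(args.get("tr", ""))
    reasons = []
    if USER_WRITABLE.search(target):
        reasons.append(f"task runs from user-writable path: {target}")
    if str(args.get("sc", "")).upper() in {"ONLOGON", "ONSTART"}:
        reasons.append(f"persistence trigger /sc {args['sc']}")
    if str(args.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests /rl HIGHEST (full token when the user is an admin)")
    return Finding(event["pid"], str(args.get("tn", "")), target, reasons) if reasons else None


def expected_install_path(cfg, base=r"C:\Program Files"):
    """Quasar joins its install directory, subdirectory and install_name; the
    Program Files base is assumed here because that is what the report shows."""
    return f"{base}\\{cfg['subdirectory']}\\{cfg['install_name']}"


def correlate(cfg, events, dropped_files):
    """Check the config's predictions against observed behaviour."""
    install = expected_install_path(cfg)
    result = {"task_matches_startup_key": False, "task_target": None,
              "install_path_observed": install in dropped_files,
              "task_points_at_install_path": False}
    for ev in events:
        f = detect_persistence_task(ev)
        if f is None:
            continue
        result["task_target"] = f.target
        result["task_matches_startup_key"] |= f.task_name == cfg["startup_key"]
        result["task_points_at_install_path"] |= f.target.lower() == install.lower()
    return result


if __name__ == "__main__":
    for ev in EVENTS:
        f = detect_persistence_task(ev)
        if f:
            print(f"pid {f.pid}: task {f.task_name!r} -> {f.target}")
            for r in f.reasons:
                print("   ", r)
    print(correlate(QUASAR_CONFIG, EVENTS, DROPPED_FILES))
```

The correlation makes one detail of this run explicit: the task name equals the config's startup_key and the dropped file lands at the path the config predicts, but the task's /tr points at the original sample in Temp rather than at the installed Client.exe, so a responder who only removes C:\Program Files\SubDir\Client.exe leaves a logon task that still resolves to the Temp copy until that file is gone too.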
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

  file                                                         filesize
  memory/2624-0-0x00000000000F0000-0x0000000000174000-memory.dmp  528KB
  memory/2624-1-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp  9.9MB
  memory/2624-2-0x000000001AD30000-0x000000001ADB0000-memory.dmp  512KB
  memory/2624-4-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp  9.9MB