Analysis
- max time kernel: 91s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2024 04:37
Behavioral task: behavioral1
- Sample: 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
- Resource: win7-20231215-en
General
- Target: 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
- Size: 3.1MB
- MD5: df415a94b93536e36060b33baa82546d
- SHA1: 08cfa785b11927a3053de2eb3ba9c17b313fca82
- SHA256: 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1
- SHA512: 698547aedf83338f1880a8c1ce65c1913cf77f089a6b41473dc62e585884357a63e0711550ae7dbba98a1719cce3a6424be50d6e15305a73fe5b26544d957654
- SSDEEP: 49152:mvVt62XlaSFNWPjljiFa2RoUYIrT76+zoG6HXu4THHB72eh2NT:mvn62XlaSFNWPjljiFXRoUYIrT76Y
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- botnet (tag): Office01
- C2: 31.220.97.187:443
- mutex: 0505375d-d956-4c5c-b735-c942a92b89cb
- encryption_key: 535E12CCD94BDC2CFFD2A9CFF6D5C3251B8CDAE3
- install_name: winboot.exe
- log_directory: Logs
- reconnect_delay: 5000
- startup_key: UEFI boot
- subdirectory: bootufi
Signatures
- Quasar payload (3 IoCs)
  Resources matched by YARA rule family_quasar:
  - behavioral2/memory/4260-0-0x00000000008A0000-0x0000000000BC4000-memory.dmp
  - C:\Windows\system32\bootufi\winboot.exe
  - C:\Windows\System32\bootufi\winboot.exe
- Executes dropped EXE (1 IoC)
  - PID 4148: winboot.exe
- Drops file in System32 directory (5 IoCs)
  - File opened for modification: C:\Windows\system32\bootufi (process: 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe)
  - File opened for modification: C:\Windows\system32\bootufi\winboot.exe (process: winboot.exe)
  - File opened for modification: C:\Windows\system32\bootufi (process: winboot.exe)
  - File created: C:\Windows\system32\bootufi\winboot.exe (process: 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe)
  - File opened for modification: C:\Windows\system32\bootufi\winboot.exe (process: 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3104: schtasks.exe
  - PID 2280: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4260, process 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
  - Token: SeDebugPrivilege, PID 4148, process winboot.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 4260 (359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe) wrote to memory of PID 3104 (schtasks.exe)
  - PID 4260 (359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe) wrote to memory of PID 3104 (schtasks.exe)
  - PID 4260 (359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe) wrote to memory of PID 4148 (winboot.exe)
  - PID 4260 (359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe) wrote to memory of PID 4148 (winboot.exe)
  - PID 4148 (winboot.exe) wrote to memory of PID 2280 (schtasks.exe)
  - PID 4148 (winboot.exe) wrote to memory of PID 2280 (schtasks.exe)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (depth 2)
    Command line: "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\system32\bootufi\winboot.exe (depth 2)
    Command line: "C:\Windows\system32\bootufi\winboot.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (depth 3)
      Command line: "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\System32\bootufi\winboot.exe
  - Filesize: 143KB
  - MD5: e77c7d57b0f1a66080941a9e5013ddb6
  - SHA1: 9a64ea597acfcb5c180d8771138aaaa985f0b258
  - SHA256: 00fa52a1e9c92779604f585fff2844366adb79e39e21c9a074bb8b143eeffbd1
  - SHA512: 351f6cd949b07cc0b50b24752728c74ecae4cedee1b2e0736c8faeddf8572e9811a82cc5ff8dce9a3b8597a6fd218ee11dc3f7331334d6494cb8fd3a786a1f6f
- C:\Windows\system32\bootufi\winboot.exe
  - Filesize: 91KB
  - MD5: 312884482f517fea629ee5deef8b2aca
  - SHA1: 66b1914ac47fade616cdd126731e0db2f20dd89e
  - SHA256: c3324ce50ea25e444d00e54d5ea4d2c9394971812e2279374933114daeb2d36b
  - SHA512: 850429fdfdd496b9c2aa33f180e1d1270021c452ba8dc1e806ec9459660b2eb3df3bba4efc3e7e1d937d0a679db5ab451eb325f214cd603a6cf8cb4ddf4a7953
- Memory dumps (Filesize):
  - memory/4148-13-0x000000001C430000-0x000000001C4E2000-memory.dmp: 712KB
  - memory/4148-10-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp: 10.8MB
  - memory/4148-11-0x000000001BF70000-0x000000001BF80000-memory.dmp: 64KB
  - memory/4148-12-0x000000001BEF0000-0x000000001BF40000-memory.dmp: 320KB
  - memory/4148-17-0x000000001C3B0000-0x000000001C3EC000-memory.dmp: 240KB
  - memory/4148-16-0x000000001BEC0000-0x000000001BED2000-memory.dmp: 72KB
  - memory/4148-18-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp: 10.8MB
  - memory/4148-19-0x000000001BF70000-0x000000001BF80000-memory.dmp: 64KB
  - memory/4260-9-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp: 10.8MB
  - memory/4260-2-0x0000000002DF0000-0x0000000002E00000-memory.dmp: 64KB
  - memory/4260-1-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp: 10.8MB
  - memory/4260-0-0x00000000008A0000-0x0000000000BC4000-memory.dmp: 3.1MB