Analysis
-
max time kernel
117s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 07:55
Static task
static1
Behavioral task
behavioral1
Sample
96aa210f39830b577164ab716a8290e8.exe
Resource
win7-20231215-en
General
-
Target
96aa210f39830b577164ab716a8290e8.exe
-
Size
681KB
-
MD5
96aa210f39830b577164ab716a8290e8
-
SHA1
04ca9ad6db2b782fb540f923fc07f2a330267ee2
-
SHA256
1a021a6913ffe897a99cab8101bb53e4e809c3d0aaeb4bcfeab5fa1c5d6baa33
-
SHA512
f0e61e0248123366ac99f608db00b3508448dca95f737a90c31f62c45ee04b93aa818a7e1ffc0a1bd00e8bb399f71ee5b0932c38b5c9f36fe40cf5bd74c0ab68
-
SSDEEP
12288:IzxzTDWikLSb4NS7t2X+t40XW9I8LeI2gozUoCGjHg6EDlWpvbHg17O5:+DWHSb4Nc03GDI2ZzmOAtYpvbs7g
Malware Config
Extracted
quasar
1.4.0
Bot
10.240.1.51:5353
e747dbb5-149c-4223-a445-cd8edd6c5d0d
-
encryption_key
2FF224B5EA5C506629D2406BD20ADAA057823ADC
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
system32
-
subdirectory
SubDir
Signatures
-
Quasar payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe family_quasar behavioral1/memory/2012-36-0x0000000000270000-0x00000000002F4000-memory.dmp family_quasar behavioral1/memory/2012-41-0x000000001AF10000-0x000000001AF90000-memory.dmp family_quasar -
Executes dropped EXE 2 IoCs
Processes:
bot.sfx.exebot.exepid process 2968 bot.sfx.exe 2012 bot.exe -
Loads dropped DLL 5 IoCs
Processes:
cmd.exebot.sfx.exepid process 2712 cmd.exe 2968 bot.sfx.exe 2968 bot.sfx.exe 2968 bot.sfx.exe 2968 bot.sfx.exe -
Drops file in System32 directory 2 IoCs
Processes:
bot.exedescription ioc process File created C:\Windows\system32\SubDir\svchost.exe bot.exe File opened for modification C:\Windows\system32\SubDir\svchost.exe bot.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bot.exedescription pid process Token: SeDebugPrivilege 2012 bot.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
96aa210f39830b577164ab716a8290e8.execmd.exebot.sfx.exebot.exedescription pid process target process PID 2644 wrote to memory of 2712 2644 96aa210f39830b577164ab716a8290e8.exe cmd.exe PID 2644 wrote to memory of 2712 2644 96aa210f39830b577164ab716a8290e8.exe cmd.exe PID 2644 wrote to memory of 2712 2644 96aa210f39830b577164ab716a8290e8.exe cmd.exe PID 2644 wrote to memory of 2712 2644 96aa210f39830b577164ab716a8290e8.exe cmd.exe PID 2712 wrote to memory of 2968 2712 cmd.exe bot.sfx.exe PID 2712 wrote to memory of 2968 2712 cmd.exe bot.sfx.exe PID 2712 wrote to memory of 2968 2712 cmd.exe bot.sfx.exe PID 2712 wrote to memory of 2968 2712 cmd.exe bot.sfx.exe PID 2968 wrote to memory of 2012 2968 bot.sfx.exe bot.exe PID 2968 wrote to memory of 2012 2968 bot.sfx.exe bot.exe PID 2968 wrote to memory of 2012 2968 bot.sfx.exe bot.exe PID 2968 wrote to memory of 2012 2968 bot.sfx.exe bot.exe PID 2012 wrote to memory of 2636 2012 bot.exe schtasks.exe PID 2012 wrote to memory of 2636 2012 bot.exe schtasks.exe PID 2012 wrote to memory of 2636 2012 bot.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\96aa210f39830b577164ab716a8290e8.exe"C:\Users\Admin\AppData\Local\Temp\96aa210f39830b577164ab716a8290e8.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.sfx.exebot.sfx.exe -p1234 -dC:\Users\Admin\AppData\Roaming3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.batFilesize
30B
MD5689619f4817bab514f708f639232c9f4
SHA18ad2290b4e6ee4c99e6e17bd48712bf93ac93604
SHA2566dac159a0bf99d488e0fa13cef502ddddeabeb1bf84296cc347e0b6a3d1992e4
SHA512f46149adb1b5240f2b42ca6fd1013d28e8cb01e5482c30a551d15766f629d9f15be55b850dc292e0dd3e06d39a77b0e1e24ff479355a4e37d1d87e0916f8db3b
-
\Users\Admin\AppData\Local\Temp\RarSFX0\bot.sfx.exeFilesize
518KB
MD5d0d645c5a4552f438538b5684dfa0f57
SHA1cbd14f337d4fa455b0536c4888b74e1ebac10bcf
SHA256b6bf07d20cb3d141ed0eb77bd88802eabd6faf88ebfa9ed33643392d4a00d5eb
SHA5124af478743eb471b6f9fc3974aa589d896faea59b2d67149b6971854bb138912f3f7b32f958eab5aeb44b7bcedd70633c1ea3b1948763bdc69a65bd8f30961e9d
-
\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exeFilesize
502KB
MD5b3e8392a9a2f8c27511fa4991af247ef
SHA1e797ade2348a801319e91419536db899ea4bd148
SHA256b227ed32c1630a5e70259a0e24a2b564276085fdc241491e3b988d3f912075c8
SHA5126c94246b2d93c5754363c0f1a781a3d5627f9ef7903a10ae8584d3ea077b843fa39c8dbf8373f37abf1e6967e5a19bc71f4ee0f14d898cb85c487158ab02528d
-
memory/2012-36-0x0000000000270000-0x00000000002F4000-memory.dmpFilesize
528KB
-
memory/2012-37-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmpFilesize
9.9MB
-
memory/2012-38-0x000000001AF10000-0x000000001AF90000-memory.dmpFilesize
512KB
-
memory/2012-40-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmpFilesize
9.9MB
-
memory/2012-41-0x000000001AF10000-0x000000001AF90000-memory.dmpFilesize
512KB