Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-02-2024 14:33
Behavioral task: behavioral1
Sample: test.exe
Resource: win7-20240215-en
General
Target: test.exe
Size: 3.3MB
MD5: fbeec3a99ddfa31e7aac9b09f4ca8158
SHA1: 2b66e39b1e98320db37578a317021f870a39302b
SHA256: 6aada60dd11d7a1157b24ccffa3d6ef2b5200487779ea648c36a92ffdba93af8
SHA512: 62bc3ee9f312d341116c37c8c0e781896699aa598e7904c2eb6fe5374aa17eda77fa053346e9909bf5677b4ccd59e7ea8e6d4ac5c637f434532abd040f24f88d
SSDEEP: 49152:KvyI22SsaNYfdPBldt698dBcjHdffaBxtFoGdKTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHRfK
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 192.168.0.220:1234
Mutex: 1086eee1-251e-49e1-b643-b2a2bc0e42ea
encryption_key: A0937AB413B78114B0DA85D9EA95BA3AF9187438
install_name: Updater.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Application Frame Handler
subdirectory: Security
Signatures
Quasar payload (3 IoCs)
- behavioral2/memory/3600-0-0x0000000000BA0000-0x0000000000EF8000-memory.dmp: yara rule family_quasar
- behavioral2/files/0x000600000002324c-6.dat: yara rule family_quasar
- behavioral2/files/0x000600000002324c-7.dat: yara rule family_quasar
Executes dropped EXE (1 IoC)
- PID 2284 Updater.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4576 schtasks.exe
- PID 1652 schtasks.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 464 msedge.exe (2 entries)
- PID 3256 msedge.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
- PID 3256 msedge.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token SeDebugPrivilege: PID 3600 test.exe
- Token SeDebugPrivilege: PID 2284 Updater.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
- PID 3256 msedge.exe (all 25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 3256 msedge.exe (all 24 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2284 Updater.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 3600 test.exe wrote to memory of PID 4576 (procid_target 85)
- PID 3600 test.exe wrote to memory of PID 2284 (procid_target 86)
- PID 2284 Updater.exe wrote to memory of PID 1652 (procid_target 87)
- PID 3256 msedge.exe wrote to memory of PID 4124 (procid_target 100)
- PID 3256 msedge.exe wrote to memory of PID 2572 (procid_target 101)
- PID 3256 msedge.exe wrote to memory of PID 464 (procid_target 102)
- PID 3256 msedge.exe wrote to memory of PID 4764 (procid_target 103)
(distinct parent/child pairs; the report lists one entry per write event, 64 in total)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\test.exe (PID 3600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SYSTEM32\schtasks.exe (PID 4576)
    Command line: "schtasks" /create /tn "Application Frame Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Security\Updater.exe" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - Child: C:\Users\Admin\AppData\Roaming\Security\Updater.exe (PID 2284)
    Command line: "C:\Users\Admin\AppData\Roaming\Security\Updater.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SYSTEM32\schtasks.exe (PID 1652)
      Command line: "schtasks" /create /tn "Application Frame Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Security\Updater.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3256)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4124)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6b0b46f8,0x7ffc6b0b4708,0x7ffc6b0b4718
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2572)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 464)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4764)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2312)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5088)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3376)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 3360)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2344)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 84381d71cf667d9a138ea03b3283aea5
  SHA1: 33dfc8a32806beaaafaec25850b217c856ce6c7b
  SHA256: 32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424
  SHA512: 469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3
- Filesize: 5KB
  MD5: 222e458d0daaa12ccd2b4d0cde00e6a7
  SHA1: ef0f98291b2b3aa0c3bd28f9a978ee53c9cd4a73
  SHA256: 6a6e104ddf2c37292fe97df4e05c380762281042906c75a399edec9dab8e33e7
  SHA512: b3acb4524bb591583527d48ce034d9f274c6e02d5fc98999d4ba504156a7cd7c5b011d7f9ec7d43301f71f2a4c8ccf8344b9d60868db4df6dffd7985e22e2ce4
- Filesize: 1.1MB
  MD5: f255b68f355f71f044d13cfdbbb3abc1
  SHA1: 233031d5596f8395df112b81997473bbe5bc19ab
  SHA256: fef90b178f13511a959b5347fb4692e20aa1d8d0a06f81bfeb00098945e37871
  SHA512: 2a0a7a8ab8c208b7eb1acac764b76228417d24613ab880985542df4ca6752fdea25718e455f1bd08acc1149bcaa4edfa6221231170d9942ce14da8d3e558cd39
- Filesize: 3.3MB
  MD5: fbeec3a99ddfa31e7aac9b09f4ca8158
  SHA1: 2b66e39b1e98320db37578a317021f870a39302b
  SHA256: 6aada60dd11d7a1157b24ccffa3d6ef2b5200487779ea648c36a92ffdba93af8
  SHA512: 62bc3ee9f312d341116c37c8c0e781896699aa598e7904c2eb6fe5374aa17eda77fa053346e9909bf5677b4ccd59e7ea8e6d4ac5c637f434532abd040f24f88d