Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 15-03-2024 09:11
Behavioral task
- behavioral1
- Sample: 2386d1e1a35e51b0c869655580ab6431.exe
- Resource: win7-20240215-en
General
- Target: 2386d1e1a35e51b0c869655580ab6431.exe
- Size: 3.1MB
- MD5: 2386d1e1a35e51b0c869655580ab6431
- SHA1: 44de49d3050793f1cea18a62fc7649c96deebaa7
- SHA256: a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
- SHA512: 69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
- SSDEEP: 49152:nv+lL26AaNeWgPhlmVqvMQ7XSKOEoDkE2HBk/+F5oGd1LTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSKroDKX
Malware Config
Extracted
- quasar
- 1.4.1
- Office01
- www.exiles.site:14782
- 192.151.244.144:14782
- 32d6a0e2-190a-4f87-8d62-64ccb78f703b
- encryption_key: A1F8672246A55DFAFA317BFDC5F14C91A5B344B9
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload 4 IoCs
  Processes (resource, yara_rule):
    behavioral1/memory/2388-0-0x0000000000920000-0x0000000000C44000-memory.dmp  family_quasar
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  family_quasar
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  family_quasar
    behavioral1/memory/3036-10-0x0000000000E10000-0x0000000001134000-memory.dmp  family_quasar
- Executes dropped EXE 1 IoCs
  Processes (pid, process):
    3036  Client.exe
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
    2864  schtasks.exe
    2888  schtasks.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2388  2386d1e1a35e51b0c869655580ab6431.exe
    Token: SeDebugPrivilege  3036  Client.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes (pid, process):
    3036  Client.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes (description, pid, process, target process):
    PID 2388 wrote to memory of 2864  2388  2386d1e1a35e51b0c869655580ab6431.exe  schtasks.exe
    PID 2388 wrote to memory of 2864  2388  2386d1e1a35e51b0c869655580ab6431.exe  schtasks.exe
    PID 2388 wrote to memory of 2864  2388  2386d1e1a35e51b0c869655580ab6431.exe  schtasks.exe
    PID 2388 wrote to memory of 3036  2388  2386d1e1a35e51b0c869655580ab6431.exe  Client.exe
    PID 2388 wrote to memory of 3036  2388  2386d1e1a35e51b0c869655580ab6431.exe  Client.exe
    PID 2388 wrote to memory of 3036  2388  2386d1e1a35e51b0c869655580ab6431.exe  Client.exe
    PID 3036 wrote to memory of 2888  3036  Client.exe  schtasks.exe
    PID 3036 wrote to memory of 2888  3036  Client.exe  schtasks.exe
    PID 3036 wrote to memory of 2888  3036  Client.exe  schtasks.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 1.4MB
  MD5: 8a66f525d7e6e8800cd44b102d046424
  SHA1: 945aaae13525ca512884ab7053ea2c84e2a8864f
  SHA256: d727c015390fc642bedede713885c22813b91007613c662fb6b8884b81764105
  SHA512: b441de91efbcf50e4807770140bb47c2a4bbf1429238b4a35e126fd7c1ccef3bfb74e3eaadea2921bed7e96904e54c2dce1b72e0d27fdac44eb3ef5dcd9b245b
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 1.6MB
  MD5: 7af4bc055bab150645e23ca81473ff6a
  SHA1: 6945e71cdfa4db8e9efe37c94fb295be3dbfcc1b
  SHA256: 88b4571bb01e06eaa0990b053d7b4ea7e1061d3f4382223d668a8cd50d3030af
  SHA512: e689720c5af4644468e776cb5a1335d5ed1624c3d857a12d354cfce9639af233485d8f22ad641a6b2c7dd546ec68e709dbbc87cdd92ac777ae616a0507c9ba3b
- memory/2388-0-0x0000000000920000-0x0000000000C44000-memory.dmp
  Filesize: 3.1MB
- memory/2388-1-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
  Filesize: 9.9MB
- memory/2388-2-0x000000001B3A0000-0x000000001B420000-memory.dmp
  Filesize: 512KB
- memory/2388-9-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
  Filesize: 9.9MB
- memory/3036-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
  Filesize: 9.9MB
- memory/3036-11-0x000000001ACF0000-0x000000001AD70000-memory.dmp
  Filesize: 512KB
- memory/3036-10-0x0000000000E10000-0x0000000001134000-memory.dmp
  Filesize: 3.1MB
- memory/3036-12-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
  Filesize: 9.9MB
- memory/3036-13-0x000000001ACF0000-0x000000001AD70000-memory.dmp
  Filesize: 512KB