Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2024, 09:11

Behavioral task: behavioral1
Sample: 2386d1e1a35e51b0c869655580ab6431.exe
Resource: win7-20240215-en
General
Target: 2386d1e1a35e51b0c869655580ab6431.exe (the file is named after its MD5)
Size: 3.1MB
MD5: 2386d1e1a35e51b0c869655580ab6431
SHA1: 44de49d3050793f1cea18a62fc7649c96deebaa7
SHA256: a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA512: 69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
SSDEEP: 49152:nv+lL26AaNeWgPhlmVqvMQ7XSKOEoDkE2HBk/+F5oGd1LTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSKroDKX
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office01
C2: www.exiles.site:14782
C2: 192.151.244.144:14782
Mutex: 32d6a0e2-190a-4f87-8d62-64ccb78f703b
Attributes:
encryption_key: A1F8672246A55DFAFA317BFDC5F14C91A5B344B9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

The subdirectory and install_name values combine to the drop path observed in the process tree below, C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, and startup_key is the name of the scheduled task the sample registers. Both C2 entries use the same port, 14782, and reconnect_delay is in milliseconds.
Signatures

Quasar payload (3 IoCs)
resource: yara_rule
- behavioral2/memory/2556-0-0x0000000000990000-0x0000000000CB4000-memory.dmp: family_quasar (the in-memory image of PID 2556, the sample itself; the region is 0x324000 bytes, about 3.1 MiB)
- behavioral2/files/0x0002000000022853-6.dat: family_quasar
- behavioral2/files/0x0002000000022853-8.dat: family_quasar

Executes dropped EXE (1 IoC)
- PID 2264: Client.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1160: schtasks.exe
- PID 2416: schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token SeDebugPrivilege: PID 2556, 2386d1e1a35e51b0c869655580ab6431.exe
- Token SeDebugPrivilege: PID 2264, Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2264: Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target (each write is reported twice by the sandbox; every target is a process the writer has just spawned):
- PID 2556 wrote to memory of 1160: 2556, 2386d1e1a35e51b0c869655580ab6431.exe, 98
- PID 2556 wrote to memory of 1160: 2556, 2386d1e1a35e51b0c869655580ab6431.exe, 98
- PID 2556 wrote to memory of 2264: 2556, 2386d1e1a35e51b0c869655580ab6431.exe, 100
- PID 2556 wrote to memory of 2264: 2556, 2386d1e1a35e51b0c869655580ab6431.exe, 100
- PID 2264 wrote to memory of 2416: 2264, Client.exe, 101
- PID 2264 wrote to memory of 2416: 2264, Client.exe, 101

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
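The two schtasks invocations in this report register a logon-triggered task, at the highest run level, whose action lives under %AppData%. Those three properties end up in the task's stored definition (the XML under C:\Windows\System32\Tasks, also printed by `schtasks /query /tn "<name>" /xml`), which is what an incident responder inspects on a host after the fact. The Python below is an added example and not part of the sandbox report or of Quasar: it parses such a definition and flags it. The Quasar task XML is reconstructed from the command line in this report rather than dumped from the sandbox, and the benign comparison task is invented.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

# Namespace used by every Task Scheduler 2.0 task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to; an autorun action pointing here is a
# classic user-level persistence sign.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)

# Constructed task definition, reconstructed from the schtasks command line in this
# report (not dumped from the sandbox): logon trigger, highest run level, action
# under %AppData%. RegistrationInfo and Settings are omitted for brevity.
QUASAR_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\SubDir\Client.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Invented benign comparison: a daily backup run from Program Files at least privilege.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-03-15T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def inspect_task(xml_text: Union[str, bytes]) -> Dict:
    """Pull the three persistence-relevant properties out of a task definition."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [c.tag.split("}")[-1] for c in triggers_el]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    return {"triggers": triggers, "run_level": run_level, "commands": commands}


def persistence_findings(task: Dict) -> List[str]:
    """List the indicators that match the pattern seen in this report."""
    findings: List[str] = []
    autorun = [t for t in task["triggers"] if t in ("LogonTrigger", "BootTrigger")]
    if autorun:
        findings.append("starts without user action: " + ", ".join(autorun))
    if task["run_level"] == "HighestAvailable":
        findings.append("RunLevel HighestAvailable (what /rl HIGHEST produces)")
    for cmd in task["commands"]:
        if USER_WRITABLE.search(cmd):
            findings.append("action in user-writable path: " + cmd)
    return findings


def is_suspicious(xml_text: Union[str, bytes]) -> bool:
    """Two or more findings: an autorun trigger alone is how many legitimate tasks work."""
    return len(persistence_findings(inspect_task(xml_text))) >= 2


def load_task_file(path: str) -> Dict:
    """Read a task file from disk. Files under C:\\Windows\\System32\\Tasks are
    UTF-16 with a BOM, so pass the raw bytes and let the XML parser honour it."""
    with open(path, "rb") as fh:
        return inspect_task(fh.read())


if __name__ == "__main__":
    for name, xml in (("quasar", QUASAR_TASK_XML), ("backup", BENIGN_TASK_XML)):
        print(name, "suspicious" if is_suspicious(xml) else "ok", persistence_findings(inspect_task(xml)))
```

To sweep a host, call load_task_file on every file below C:\Windows\System32\Tasks (recursively; tasks may sit in subfolders) and report the ones where the findings list has two or more entries. The task name in this report, "Quasar Client Startup", is an easy string match, but the three structural properties are what survive a rename of the task.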
Processes
- C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe (PID 2556)
  "C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"
  Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (PID 1160)
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2264)
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 2416)
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2532; top-level, not a child of the sample)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

The chain is: the sample registers the task, copies itself to the configured subdirectory as Client.exe, starts that copy, and the copy re-registers the identical task (the /f switch makes the second call overwrite the first without error). Both task registrations ask for /rl HIGHEST, so on an account that is a member of Administrators the task runs elevated at the next logon without a UAC prompt.
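The process tree above is the shape of telemetry a SOC gets from Sysmon event 1 or EDR process-creation logs. As an added example, not from the report, here is a Python rule that parses `schtasks /create` command lines and raises an alert when an autorun trigger is combined with at least one further indicator present here: an action under a user-writable directory, `/rl HIGHEST`, and `/f`. The records are constructed from this report's process tree plus one invented benign backup task; the field names (pid, ppid, image, cmdline) are an assumption about your log format.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records (field names are an assumption about the
# log format). The first two are the schtasks invocations from this report; the
# third is an invented benign backup task; the fourth is the dropped client,
# which the rule must ignore because it is not a schtasks command line.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1160, "ppid": 2556, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 2416, "ppid": 2264, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 4242, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
                r'/tr "C:\Program Files\Backup\backup.exe" /ru SYSTEM'},
    {"pid": 2264, "ppid": 2556, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
]

# Directories a standard user can write to; an autorun action pointing here is a
# classic user-level persistence sign.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)

# Triggers that fire without any user interaction.
AUTORUN_TRIGGERS = {"ONLOGON", "ONSTART"}

# schtasks switches that take no value.
FLAG_SWITCHES = {"create", "f", "z", "np"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the switches of a `schtasks /create` command line as a dict
    (switch name without the slash, lower-cased -> value, '' for flags),
    or None when the command line is not a schtasks /create."""
    toks = tokenize(cmdline)
    if not toks or not re.search(r"schtasks(\.exe)?$", toks[0], re.IGNORECASE):
        return None
    if "/create" not in (t.lower() for t in toks[1:]):
        return None
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1              # stray positional token, ignore
            continue
        key = tok[1:].lower()
        takes_value = (key not in FLAG_SWITCHES and i + 1 < len(toks)
                       and not toks[i + 1].startswith("/"))
        opts[key] = toks[i + 1] if takes_value else ""
        i += 2 if takes_value else 1
    return opts


def task_persistence_reasons(opts: Dict[str, str]) -> List[str]:
    """List the indicators of malicious persistence present in a parsed /create."""
    reasons: List[str] = []
    trigger = opts.get("sc", "").upper()
    if trigger in AUTORUN_TRIGGERS:
        reasons.append(f"trigger /sc {trigger} runs without user action")
    action = opts.get("tr", "")
    if USER_WRITABLE.search(action):
        reasons.append(f"action in user-writable path: {action}")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST asks for the highest privilege level the account has")
    if "f" in opts:
        reasons.append("/f silently replaces an existing task of the same name")
    return reasons


def scan(events: List[Dict]) -> List[Dict]:
    """Apply the rule to process-creation records. An alert requires an autorun
    trigger plus at least one more indicator, so a plain 'run my script at
    logon' task created by an admin does not fire on its own."""
    alerts: List[Dict] = []
    for ev in events:
        opts = parse_schtasks_create(ev["cmdline"])
        if opts is None:
            continue
        reasons = task_persistence_reasons(opts)
        if len(reasons) >= 2 and reasons[0].startswith("trigger"):
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"],
                           "task": opts.get("tn", ""), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"PID {alert['pid']} (parent {alert['ppid']}) task {alert['task']!r}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Both schtasks processes from this report trigger the rule with all four reasons, and the parent PIDs in the alerts (2556, then 2264) reproduce the two-stage chain: the original sample registers the task first, the dropped copy registers it again. The tokenizer keeps quoted arguments whole, which matters because `/tn` and `/tr` values routinely contain spaces.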
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.8MB
MD5: 3c4347d83ca7602c0c80de91f5b34c08
SHA1: 666cadb2d48797bf177a917071760a4d393d2b8a
SHA256: 2500c8b9240d16ca983ec8f7e32140baf687871f6df8171186c9097280496959
SHA512: 969ae42794e346eb007722ae51f374c63aff22a309b461a74821f74484d1c1a85ea87b23e5540a741ee3a8c7c4cfd195d2627b965a0ac33446ae42d08476d529

Filesize: 320KB
MD5: 2ab235cc8ce009416b72bf825b37fbe3
SHA1: dfc1907a82eb9e9d5a58af45b0b3e8385e4a9103
SHA256: f2ebb80b80ee893d6295258e95f6044df48fc23a6b7e87fea3cea74111f73a35
SHA512: de0ac41309d921296298f4b2074b24ba020bf367b85de3563cdd994decd68246a2c1e1aee471706fff4a822e92ab066327d583df9a83b7cbcc364a454e704fe1