Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/03/2024, 09:13
Behavioral task
behavioral1
Sample
2386d1e1a35e51b0c869655580ab6431.exe
Resource
win7-20240221-en
General
-
Target
2386d1e1a35e51b0c869655580ab6431.exe
-
Size
3.1MB
-
MD5
2386d1e1a35e51b0c869655580ab6431
-
SHA1
44de49d3050793f1cea18a62fc7649c96deebaa7
-
SHA256
a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
-
SHA512
69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
-
SSDEEP
49152:nv+lL26AaNeWgPhlmVqvMQ7XSKOEoDkE2HBk/+F5oGd1LTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSKroDKX
Malware Config
Extracted
quasar
1.4.1
Office01
www.exiles.site:14782
192.151.244.144:14782
32d6a0e2-190a-4f87-8d62-64ccb78f703b
-
encryption_key
A1F8672246A55DFAFA317BFDC5F14C91A5B344B9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 4 IoCs
resource yara_rule behavioral1/memory/2176-0-0x0000000000E70000-0x0000000001194000-memory.dmp family_quasar behavioral1/files/0x000b000000015546-6.dat family_quasar behavioral1/memory/1104-8-0x0000000000310000-0x0000000000634000-memory.dmp family_quasar behavioral1/files/0x000b000000015546-7.dat family_quasar -
Executes dropped EXE 1 IoCs
pid Process 1104 Client.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2964 schtasks.exe 2812 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2176 2386d1e1a35e51b0c869655580ab6431.exe Token: SeDebugPrivilege 1104 Client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1104 Client.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2176 wrote to memory of 2964 2176 2386d1e1a35e51b0c869655580ab6431.exe 28 PID 2176 wrote to memory of 2964 2176 2386d1e1a35e51b0c869655580ab6431.exe 28 PID 2176 wrote to memory of 2964 2176 2386d1e1a35e51b0c869655580ab6431.exe 28 PID 2176 wrote to memory of 1104 2176 2386d1e1a35e51b0c869655580ab6431.exe 30 PID 2176 wrote to memory of 1104 2176 2386d1e1a35e51b0c869655580ab6431.exe 30 PID 2176 wrote to memory of 1104 2176 2386d1e1a35e51b0c869655580ab6431.exe 30 PID 1104 wrote to memory of 2812 1104 Client.exe 31 PID 1104 wrote to memory of 2812 1104 Client.exe 31 PID 1104 wrote to memory of 2812 1104 Client.exe 31 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:2964
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2812
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD516015fbd05ec4aa780ac649ecb3f00fd
SHA17bf57070a7d0e29a78e71f6dd6dc7d084f98a8f3
SHA2565e626d87f6b38d573e4a12250e440f16d42600f76788077693833976dbee22c7
SHA512fa3f601e0f9efaa473f70ac7862d851d2747911dc0f0edf15067f0a0326c60c86e5e0a1eb1d4cfc3dccd4602dfffc2621a55a38b1a9d859f8874e70dd4226756
-
Filesize
3.1MB
MD52386d1e1a35e51b0c869655580ab6431
SHA144de49d3050793f1cea18a62fc7649c96deebaa7
SHA256a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA51269d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946