Analysis
-
max time kernel
147s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
15-03-2024 09:13
Behavioral task
behavioral1
Sample
2386d1e1a35e51b0c869655580ab6431.exe
Resource
win7-20240221-en
General
-
Target
2386d1e1a35e51b0c869655580ab6431.exe
-
Size
3.1MB
-
MD5
2386d1e1a35e51b0c869655580ab6431
-
SHA1
44de49d3050793f1cea18a62fc7649c96deebaa7
-
SHA256
a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
-
SHA512
69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
-
SSDEEP
49152:nv+lL26AaNeWgPhlmVqvMQ7XSKOEoDkE2HBk/+F5oGd1LTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSKroDKX
Malware Config
Extracted
quasar
1.4.1
Office01
www.exiles.site:14782
192.151.244.144:14782
32d6a0e2-190a-4f87-8d62-64ccb78f703b
-
encryption_key
A1F8672246A55DFAFA317BFDC5F14C91A5B344B9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 4 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2176-0-0x0000000000E70000-0x0000000001194000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  family_quasar
behavioral1/memory/1104-8-0x0000000000310000-0x0000000000634000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1104  Client.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2964  schtasks.exe
2812  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2176  2386d1e1a35e51b0c869655580ab6431.exe
Token: SeDebugPrivilege  1104  Client.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
1104  Client.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                         pid   process                               target process
PID 2176 wrote to memory of 2964    2176  2386d1e1a35e51b0c869655580ab6431.exe  schtasks.exe
PID 2176 wrote to memory of 2964    2176  2386d1e1a35e51b0c869655580ab6431.exe  schtasks.exe
PID 2176 wrote to memory of 2964    2176  2386d1e1a35e51b0c869655580ab6431.exe  schtasks.exe
PID 2176 wrote to memory of 1104    2176  2386d1e1a35e51b0c869655580ab6431.exe  Client.exe
PID 2176 wrote to memory of 1104    2176  2386d1e1a35e51b0c869655580ab6431.exe  Client.exe
PID 2176 wrote to memory of 1104    2176  2386d1e1a35e51b0c869655580ab6431.exe  Client.exe
PID 1104 wrote to memory of 2812    1104  Client.exe                            schtasks.exe
PID 1104 wrote to memory of 2812    1104  Client.exe                            schtasks.exe
PID 1104 wrote to memory of 2812    1104  Client.exe                            schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"
Depth: 1
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe
Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Depth: 2 (child of 2386d1e1a35e51b0c869655580ab6431.exe)
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Depth: 2 (child of 2386d1e1a35e51b0c869655580ab6431.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe
Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Depth: 3 (child of Client.exe)
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
1024KB
MD5
16015fbd05ec4aa780ac649ecb3f00fd
SHA1
7bf57070a7d0e29a78e71f6dd6dc7d084f98a8f3
SHA256
5e626d87f6b38d573e4a12250e440f16d42600f76788077693833976dbee22c7
SHA512
fa3f601e0f9efaa473f70ac7862d851d2747911dc0f0edf15067f0a0326c60c86e5e0a1eb1d4cfc3dccd4602dfffc2621a55a38b1a9d859f8874e70dd4226756
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB
MD5
2386d1e1a35e51b0c869655580ab6431
SHA1
44de49d3050793f1cea18a62fc7649c96deebaa7
SHA256
a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA512
69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
-
memory/1104-8-0x0000000000310000-0x0000000000634000-memory.dmp
Filesize
3.1MB
-
memory/1104-9-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp
Filesize
9.9MB
-
memory/1104-10-0x000000001B040000-0x000000001B0C0000-memory.dmp
Filesize
512KB
-
memory/1104-12-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp
Filesize
9.9MB
-
memory/1104-13-0x000000001B040000-0x000000001B0C0000-memory.dmp
Filesize
512KB
-
memory/2176-0-0x0000000000E70000-0x0000000001194000-memory.dmp
Filesize
3.1MB
-
memory/2176-1-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp
Filesize
9.9MB
-
memory/2176-2-0x000000001B1B0000-0x000000001B230000-memory.dmp
Filesize
512KB
-
memory/2176-11-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp
Filesize
9.9MB