Analysis
max time kernel: 125s
max time network: 136s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2024 02:41
Behavioral task: behavioral1
Sample: a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe
Resource: win7-20240221-en
General
Target: a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe
Size: 3.1MB
MD5: 2386d1e1a35e51b0c869655580ab6431
SHA1: 44de49d3050793f1cea18a62fc7649c96deebaa7
SHA256: a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA512: 69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
SSDEEP: 49152:nv+lL26AaNeWgPhlmVqvMQ7XSKOEoDkE2HBk/+F5oGd1LTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSKroDKX
Malware Config
Extracted:
  family: quasar
  version: 1.4.1
  Office01
  c2: www.exiles.site:14782
  c2: 192.151.244.144:14782
  32d6a0e2-190a-4f87-8d62-64ccb78f703b
  encryption_key: A1F8672246A55DFAFA317BFDC5F14C91A5B344B9
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
  behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp | family_quasar

Detects Windows executables referencing non-Windows User-Agents (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer
  behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2624 | Client.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  2328 | schtasks.exe
  2636 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2752 | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe
  Token: SeDebugPrivilege | 2624 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  2624 | Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 2752 wrote to memory of 2328 | 2752 | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe | schtasks.exe
  PID 2752 wrote to memory of 2328 | 2752 | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe | schtasks.exe
  PID 2752 wrote to memory of 2328 | 2752 | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe | schtasks.exe
  PID 2752 wrote to memory of 2624 | 2752 | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe | Client.exe
  PID 2752 wrote to memory of 2624 | 2752 | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe | Client.exe
  PID 2752 wrote to memory of 2624 | 2752 | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe | Client.exe
  PID 2624 wrote to memory of 2636 | 2624 | Client.exe | schtasks.exe
  PID 2624 wrote to memory of 2636 | 2624 | Client.exe | schtasks.exe
  PID 2624 wrote to memory of 2636 | 2624 | Client.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - (level 2) C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 2.2MB
  MD5: 5296e7dbcd44917276ae895ac4847670
  SHA1: c7415505776a0a740f8c6784a9a4d6355efbd30e
  SHA256: 397f92ed8e371bef7b8e25983ab3a14f547a60e7aef99949ca6654eec23f06c2
  SHA512: 7f396ef0fdb607243309dd926b05cd008f292ee0d10de05bccad70cbf4247d242dafdc0e08cbb41afd5b9ed450671b29fb5dc88f1d4dfbb53ce71fc27a6f8bf9
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 2.4MB
  MD5: 5fa12506f8b5f72e59bfbf12c1739c77
  SHA1: 1d7a579953ac54d6e8a534e5cbd0b23743c0fdc9
  SHA256: ef3fe6ad97140a8d7e2dd5c93da46807776358e955fe7bad999f472470f6d0d1
  SHA512: ef7841aa0ed84e0662d7c8ac61d10ff7cfda46542f223a389027b0150e9098ef86bd7e8c666d3ea06ee180b99f7ae1ad249984d0ed92536141bb4f7d9c8c0109
- memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp
  Filesize: 3.1MB
- memory/2624-10-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB
- memory/2624-11-0x000000001B350000-0x000000001B3D0000-memory.dmp
  Filesize: 512KB
- memory/2624-12-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB
- memory/2624-13-0x000000001B350000-0x000000001B3D0000-memory.dmp
  Filesize: 512KB
- memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp
  Filesize: 3.1MB
- memory/2752-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB
- memory/2752-2-0x000000001B270000-0x000000001B2F0000-memory.dmp
  Filesize: 512KB
- memory/2752-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
  Filesize: 9.9MB