Analysis
  max time kernel: 92s
  max time network: 133s
  platform: windows11-21h2_x64
  resource: win11-20240221-en
  resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 20-03-2024 09:05
Behavioral task: behavioral1
  Sample: 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe
  Resource: win10v2004-20240226-en
General
  Target: 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe
  Size: 3.1MB
  MD5: f54598770f770d815c9707dd33518eac
  SHA1: 6acf4aaf1d74710ef92c0b99a4b263202fbefcb7
  SHA256: 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e
  SHA512: dc927e84c41121e43f281af15ede1dcce368f1f94e88b56c893a1dfda8aa412547fe5f77d46fcc6a9fc8842b860edf4b3a3c059919b460d0f8611035d9e42d36
  SSDEEP: 49152:SvyI22SsaNYfdPBldt698dBcjHutbXPEhNvJJaoGdwjTHHB72eh2NT:Svf22SsaNYfdPBldt6+dBcjHZhg
Malware Config
Extracted
  Family: quasar
  Version: 1.4.1
  Botnet (Quasar tag): Office01
  C2: www.exiles.site:14782
  Mutex: a0f587a6-d40f-499d-8e9e-b0831e1cb678
  Attributes:
    encryption_key: 49BF5A48970D914C7E70F494A8E16B5EFA3AB6A0
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Quasar Client Startup
    subdirectory: SubDir
Signatures
Quasar payload (3 IoCs)
  YARA rule family_quasar matched on:
  - behavioral2/memory/3156-0-0x0000000000140000-0x0000000000464000-memory.dmp
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Executes dropped EXE (1 IoC)
  - PID 1028  Client.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3296  schtasks.exe
  - PID 3264  schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege  PID 3156  2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe
  - Token: SeDebugPrivilege  PID 1028  Client.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1028  Client.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  source PID -> target PID  (source process -> target process); each pair is recorded twice in the report
  - 3156 -> 3296  2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe -> schtasks.exe
  - 3156 -> 3296  2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe -> schtasks.exe
  - 3156 -> 1028  2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe -> Client.exe
  - 3156 -> 1028  2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe -> Client.exe
  - 1028 -> 3264  Client.exe -> schtasks.exe
  - 1028 -> 3264  Client.exe -> schtasks.exe
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; PIDs as recorded in the Signatures section)
1. C:\Users\Admin\AppData\Local\Temp\2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe  (PID 3156)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\schtasks.exe  (PID 3296)
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 1028)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\schtasks.exe  (PID 3264)
         Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
         - Creates scheduled task(s)
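The following Python is an added example, not code from this sandbox report or from the Quasar project. It turns the extracted config (install_name, subdirectory, startup_key) and the process tree above into host-side detection logic: it parses the schtasks command line, derives the expected install path, and flags process-creation events that match either the generic pattern (logon trigger, /rl HIGHEST, target under %APPDATA%) or the config-specific one. The event records are constructed to mirror the tree; their field layout is invented (not a real Sysmon export), and the parent PIDs 4000/4001 and the benign "Backup" control task are assumptions.

```python
"""Added example: host-side detection derived from the Quasar config and
process tree in the report above. Not code from the report or from Quasar.
Event records are constructed; the field layout is invented for the demo."""
import re
from dataclasses import dataclass

# Fields taken from the report's "Malware Config" section.
QUASAR_CONFIG = {
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
    "c2": "www.exiles.site:14782",
    "mutex": "a0f587a6-d40f-499d-8e9e-b0831e1cb678",
}


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed layout, not Sysmon's)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe")
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"
SCHTASKS_CMD = ('"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
                '/tr "' + CLIENT + '" /rl HIGHEST /f')

# Constructed events mirroring the report's process tree. PIDs 3156/3296/1028/3264
# are the report's; parent PIDs 4000/4001 and the benign "Backup" task are assumed.
EVENTS = [
    ProcEvent(3156, 4000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(3296, 3156, SCHTASKS, SCHTASKS_CMD),
    ProcEvent(1028, 3156, CLIENT, '"' + CLIENT + '"'),
    ProcEvent(3264, 1028, SCHTASKS, SCHTASKS_CMD),
    ProcEvent(5000, 4001, SCHTASKS,  # benign control: logon task outside AppData
              '"schtasks" /create /tn "Backup" /sc ONLOGON '
              '/tr "C:\\Program Files\\Backup\\bk.exe" /rl LIMITED'),
]

# /switch followed by an optional quoted or bare value; a bare value may not start with '/'.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/\s]\S*)))?')


def parse_schtasks(cmdline):
    """Map schtasks switches to values ('' for valueless switches such as /create, /f)."""
    out = {}
    for m in SWITCH_RE.finditer(cmdline):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else (m.group(3) or "")
    return out


def expected_install_path(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """The report shows Quasar dropping subdirectory/install_name under roaming AppData."""
    return "\\".join([appdata, cfg["subdirectory"], cfg["install_name"]])


def quasar_persistence_reasons(ev, cfg=QUASAR_CONFIG):
    """Return why a schtasks event looks like Quasar persistence; [] means no match."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return []
    sw = parse_schtasks(ev.cmdline)
    if "create" not in sw:
        return []
    tr = sw.get("tr", "")
    generic = []  # weak signals: only decisive when all three are present
    if sw.get("sc", "").upper() == "ONLOGON":
        generic.append("logon trigger")
    if sw.get("rl", "").upper() == "HIGHEST":
        generic.append("/rl HIGHEST")
    if "\\appdata\\roaming\\" in tr.lower():
        generic.append("task target under %APPDATA%")
    config = []  # strong signals from the extracted config: any one is decisive
    if sw.get("tn") == cfg["startup_key"]:
        config.append("task name matches Quasar startup_key")
    if tr.lower() == expected_install_path(cfg).lower():
        config.append("task target equals Quasar install path")
    if config or len(generic) == 3:
        return generic + config
    return []


def scan(events):
    """Flag schtasks persistence and Temp-dropper -> %APPDATA% child launches."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        reasons = quasar_persistence_reasons(ev)
        if reasons:
            findings.append((ev.pid, "schtasks persistence", reasons))
        parent = by_pid.get(ev.ppid)
        if (parent and "\\appdata\\local\\temp\\" in parent.image.lower()
                and "\\appdata\\roaming\\" in ev.image.lower()):
            findings.append((ev.pid, "dropped EXE run from %APPDATA%",
                             ["parent pid %d" % parent.pid]))
    return findings


if __name__ == "__main__":
    for pid, kind, reasons in scan(EVENTS):
        print(pid, kind, "; ".join(reasons))
```

Run stand-alone it reports PIDs 3296 and 3264 for the scheduled task and PID 1028 as a dropped EXE launched from %APPDATA%, while the benign control task is not flagged because it neither targets AppData nor requests HIGHEST run level. Against real telemetry, feed Sysmon Event ID 1 or Security 4688 records into ProcEvent and keep the config-derived checks only for the specific config you extracted; the generic triple is the rule that survives a rebuilt client with a different startup_key.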
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (dropped files and memory dumps)
Dropped file: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 320KB
  MD5: 60f22572cacb71dcffdff797e6e19866
  SHA1: 85af5e58cb77c4f41ce6f212359a8c7fa620a369
  SHA256: 1f833b975cfdde8ff9680977d47a82e6c8518553d1a2a08220528b51817e77e3
  SHA512: 08ba37fdeff70f65bb2d308cd7392b9eaac3089a5d454de10f2ec2253f8ba12a2d2f334481024065a4dd5194059a7ad56dee694106464d40c7db41c7d2a280e0
Dropped file: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 768KB
  MD5: b2b596f8691536b12f53af6a419e1c25
  SHA1: 0da741ed403ff81713850ab5a9f386aed4d9bbbe
  SHA256: 6758af075e83cbcff235c71b724ac3f1fc57bf781f115120fa0ce728525a4d62
  SHA512: 85834312db0514cef76bdd6a8810b68a8384321d4dea45685f0d3ce15d776a776bb0ed967abc5e792015a2fda8ad4a1781bcfab8ed86953537abf56355414abb
Memory dumps (dump name / size)
  memory/1028-13-0x000000001C900000-0x000000001C9B2000-memory.dmp  712KB
  memory/1028-11-0x000000001BCA0000-0x000000001BCB0000-memory.dmp  64KB
  memory/1028-9-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp  10.8MB
  memory/1028-12-0x000000001C7F0000-0x000000001C840000-memory.dmp  320KB
  memory/1028-16-0x000000001C880000-0x000000001C892000-memory.dmp  72KB
  memory/1028-17-0x000000001D010000-0x000000001D04C000-memory.dmp  240KB
  memory/1028-18-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp  10.8MB
  memory/1028-19-0x000000001BCA0000-0x000000001BCB0000-memory.dmp  64KB
  memory/3156-2-0x000000001B0F0000-0x000000001B100000-memory.dmp  64KB
  memory/3156-1-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp  10.8MB
  memory/3156-10-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp  10.8MB
  memory/3156-0-0x0000000000140000-0x0000000000464000-memory.dmp  3.1MB