Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 20-03-2024 09:11

Behavioral task: behavioral1
Sample: f54598770f770d815c9707dd33518eac.exe
Resource: win7-20240221-en
General
Target: f54598770f770d815c9707dd33518eac.exe
Size: 3.1MB
MD5: f54598770f770d815c9707dd33518eac
SHA1: 6acf4aaf1d74710ef92c0b99a4b263202fbefcb7
SHA256: 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e
SHA512: dc927e84c41121e43f281af15ede1dcce368f1f94e88b56c893a1dfda8aa412547fe5f77d46fcc6a9fc8842b860edf4b3a3c059919b460d0f8611035d9e42d36
SSDEEP: 49152:SvyI22SsaNYfdPBldt698dBcjHutbXPEhNvJJaoGdwjTHHB72eh2NT:Svf22SsaNYfdPBldt6+dBcjHZhg
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office01
C2: www.exiles.site:14782
Mutex: a0f587a6-d40f-499d-8e9e-b0831e1cb678
Attributes:
encryption_key: 49BF5A48970D914C7E70F494A8E16B5EFA3AB6A0
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3456-0-0x0000000000B50000-0x0000000000E74000-memory.dmp  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                            family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                            family_quasar

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  4672  Client.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  4980  schtasks.exe
  4864  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3456  f54598770f770d815c9707dd33518eac.exe
  Token: SeDebugPrivilege  4672  Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  4672  Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                               target process
  PID 3456 wrote to memory of 4980  3456  f54598770f770d815c9707dd33518eac.exe  schtasks.exe
  PID 3456 wrote to memory of 4980  3456  f54598770f770d815c9707dd33518eac.exe  schtasks.exe
  PID 3456 wrote to memory of 4672  3456  f54598770f770d815c9707dd33518eac.exe  Client.exe
  PID 3456 wrote to memory of 4672  3456  f54598770f770d815c9707dd33518eac.exe  Client.exe
  PID 4672 wrote to memory of 4864  4672  Client.exe                            schtasks.exe
  PID 4672 wrote to memory of 4864  4672  Client.exe                            schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\f54598770f770d815c9707dd33518eac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f54598770f770d815c9707dd33518eac.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 432KB
  MD5: d53a9394e04521e2b85abd33cada55d7
  SHA1: f455ba0f476f4037dae6aa0f94c7fa1d8d02bc98
  SHA256: 3caec5c1133187cb65033f6120a0ede0e3c6085b3d2f224a045e833f48fa6450
  SHA512: 4567d3e093fd8d67c56ff2472ce4567b72b8ece6ba3e5f967e84cf03b108516ece1cd8eba4b7e41f87b50b229c86f733d60f2539bc2867d005a9d3ef5e194e4c
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 768KB
  MD5: b2b596f8691536b12f53af6a419e1c25
  SHA1: 0da741ed403ff81713850ab5a9f386aed4d9bbbe
  SHA256: 6758af075e83cbcff235c71b724ac3f1fc57bf781f115120fa0ce728525a4d62
  SHA512: 85834312db0514cef76bdd6a8810b68a8384321d4dea45685f0d3ce15d776a776bb0ed967abc5e792015a2fda8ad4a1781bcfab8ed86953537abf56355414abb
- memory/3456-10-0x00007FF812EC0000-0x00007FF813981000-memory.dmp
  Filesize: 10.8MB
- memory/3456-2-0x000000001BA90000-0x000000001BAA0000-memory.dmp
  Filesize: 64KB
- memory/3456-1-0x00007FF812EC0000-0x00007FF813981000-memory.dmp
  Filesize: 10.8MB
- memory/3456-0-0x0000000000B50000-0x0000000000E74000-memory.dmp
  Filesize: 3.1MB
- memory/4672-9-0x00007FF812EC0000-0x00007FF813981000-memory.dmp
  Filesize: 10.8MB
- memory/4672-11-0x000000001BF50000-0x000000001BF60000-memory.dmp
  Filesize: 64KB
- memory/4672-12-0x000000001BEC0000-0x000000001BF10000-memory.dmp
  Filesize: 320KB
- memory/4672-13-0x000000001C710000-0x000000001C7C2000-memory.dmp
  Filesize: 712KB
- memory/4672-16-0x000000001C650000-0x000000001C662000-memory.dmp
  Filesize: 72KB
- memory/4672-17-0x000000001C6B0000-0x000000001C6EC000-memory.dmp
  Filesize: 240KB
- memory/4672-18-0x00007FF812EC0000-0x00007FF813981000-memory.dmp
  Filesize: 10.8MB