Analysis
  max time kernel: 145s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21-03-2024 02:10

Behavioral task
  behavioral1
  Sample: 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe
  Resource: win7-20240221-en
General
  Target: 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe
  Size: 3.1MB
  MD5: f54598770f770d815c9707dd33518eac
  SHA1: 6acf4aaf1d74710ef92c0b99a4b263202fbefcb7
  SHA256: 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e
  SHA512: dc927e84c41121e43f281af15ede1dcce368f1f94e88b56c893a1dfda8aa412547fe5f77d46fcc6a9fc8842b860edf4b3a3c059919b460d0f8611035d9e42d36
  SSDEEP: 49152:SvyI22SsaNYfdPBldt698dBcjHutbXPEhNvJJaoGdwjTHHB72eh2NT:Svf22SsaNYfdPBldt6+dBcjHZhg
Malware Config
Extracted
  family: quasar
  version: 1.4.1
  Office01
  www.exiles.site:14782
  a0f587a6-d40f-499d-8e9e-b0831e1cb678
  encryption_key: 49BF5A48970D914C7E70F494A8E16B5EFA3AB6A0
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4564-0-0x00000000008D0000-0x0000000000BF4000-memory.dmp | family_quasar
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar

Detects Windows executables referencing non-Windows User-Agents (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4564-0-0x00000000008D0000-0x0000000000BF4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4564-0-0x00000000008D0000-0x0000000000BF4000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4564-0-0x00000000008D0000-0x0000000000BF4000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    2020 | Client.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid | process
    1056 | schtasks.exe
    3324 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4564 | 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe
    Token: SeDebugPrivilege | 2020 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid | process
    2020 | Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 4564 wrote to memory of 1056 | 4564 | 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe | schtasks.exe
    PID 4564 wrote to memory of 1056 | 4564 | 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe | schtasks.exe
    PID 4564 wrote to memory of 2020 | 4564 | 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe | Client.exe
    PID 4564 wrote to memory of 2020 | 4564 | 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe | Client.exe
    PID 2020 wrote to memory of 3324 | 2020 | Client.exe | schtasks.exe
    PID 2020 wrote to memory of 3324 | 2020 | Client.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Users\Admin\AppData\Local\Temp\2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SYSTEM32\schtasks.exe
        command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize: 2.8MB
    MD5: 9b8dc488ec3a22fc022e7eec9e80209c
    SHA1: ea60d5484f2b26996e05b57a42bfd904c30a08f1
    SHA256: 81eecc4c0dd1d3b0e1599fb9ff660f8835716898f2f5c5cd4f82ece25bac0c55
    SHA512: 381cfeb65ee26606ab44ed8d737a4768510c96043808217efaa559af36472ff2df8ee871625cbdb0b8cdd57579ca06fce8f421d49e10e3cdba58b28a2cd04f5b
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize: 2.9MB
    MD5: fe047ebcf035cb5de9fdf2671f8ceaa7
    SHA1: fb08f4c2c938cb6a5771aa56ef175e5bbbc53abc
    SHA256: ecb5ea086d1b2e04547852a6ffc362a7e501deba8a81dddf5c8fc7a580e02ebd
    SHA512: 50f1695504d33d78b1ede4d28d607c4b6711323c162a4d054c1c19f92c88ca68f10ef16ebf8dd9dca2c3ef00bbc820e91f6b09508d6131607068a0bd80e6199c
  memory/2020-9-0x00007FFD6B320000-0x00007FFD6BDE1000-memory.dmp
    Filesize: 10.8MB
  memory/2020-11-0x0000000003200000-0x0000000003210000-memory.dmp
    Filesize: 64KB
  memory/2020-12-0x000000001C8E0000-0x000000001C930000-memory.dmp
    Filesize: 320KB
  memory/2020-13-0x000000001C9F0000-0x000000001CAA2000-memory.dmp
    Filesize: 712KB
  memory/2020-14-0x00007FFD6B320000-0x00007FFD6BDE1000-memory.dmp
    Filesize: 10.8MB
  memory/2020-15-0x0000000003200000-0x0000000003210000-memory.dmp
    Filesize: 64KB
  memory/4564-0-0x00000000008D0000-0x0000000000BF4000-memory.dmp
    Filesize: 3.1MB
  memory/4564-1-0x00007FFD6B320000-0x00007FFD6BDE1000-memory.dmp
    Filesize: 10.8MB
  memory/4564-2-0x000000001B7D0000-0x000000001B7E0000-memory.dmp
    Filesize: 64KB
  memory/4564-10-0x00007FFD6B320000-0x00007FFD6BDE1000-memory.dmp
    Filesize: 10.8MB