Analysis
-
max time kernel
70s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-03-2024 20:52
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240221-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
5b2ccc8a8d94dde2f51b8311e2548255
-
SHA1
22edf1e9abd6902e1c9b424a548b6d52df20ae22
-
SHA256
df11dd094952f12ea053085c7a7801326a58dc2ce42570b35b2fec98a7801808
-
SHA512
78c8c5d54be2926744351846723903da6e51d517b70f1aac7312a6f29ce64663eb39db905a343a5ddef235c26d093c3e97bbd21abc27ebdf1bc4de257bb4a861
-
SSDEEP
49152:DvRuf2NUaNmwzPWlvdaKM7ZxTwUsEdGWBeLLoBdLTHHB72eh2NT:Dvsf2NUaNmwzPWlvdaB7ZxTwUlGl
Malware Config
Extracted
quasar
1.4.1
Slave
140.238.91.110:38899
uk2.localto.net:38899:38899
276d9dc6-b19c-4958-8ac3-89586bd3b515
-
encryption_key
ABCF70C37D1A79A01712038122D1532DF20DF72A
-
install_name
Client.exe
-
log_directory
Error Logs
-
reconnect_delay
3000
-
startup_key
WOS64
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4572-0-0x0000000000670000-0x0000000000994000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\Windows\Client.exe | family_quasar
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | Client.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
4852 | Client.exe
3128 | Client.exe
2660 | Client.exe
5088 | Client.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
5080 | schtasks.exe
1508 | schtasks.exe
3584 | schtasks.exe
2604 | schtasks.exe
3436 | schtasks.exe
-
Runs ping.exe 1 TTPs 3 IoCs
Processes:
pid | process
5052 | PING.EXE
1812 | PING.EXE
3388 | PING.EXE
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4572 | Client-built.exe
Token: SeDebugPrivilege | 4852 | Client.exe
Token: SeDebugPrivilege | 3128 | Client.exe
Token: SeDebugPrivilege | 2660 | Client.exe
Token: SeDebugPrivilege | 5088 | Client.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
4852 | Client.exe
3128 | Client.exe
2660 | Client.exe
5088 | Client.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description | pid | process | target process
PID 4572 wrote to memory of 3584 | 4572 | Client-built.exe | schtasks.exe
PID 4572 wrote to memory of 3584 | 4572 | Client-built.exe | schtasks.exe
PID 4572 wrote to memory of 4852 | 4572 | Client-built.exe | Client.exe
PID 4572 wrote to memory of 4852 | 4572 | Client-built.exe | Client.exe
PID 4852 wrote to memory of 2604 | 4852 | Client.exe | schtasks.exe
PID 4852 wrote to memory of 2604 | 4852 | Client.exe | schtasks.exe
PID 4852 wrote to memory of 2240 | 4852 | Client.exe | cmd.exe
PID 4852 wrote to memory of 2240 | 4852 | Client.exe | cmd.exe
PID 2240 wrote to memory of 4088 | 2240 | cmd.exe | chcp.com
PID 2240 wrote to memory of 4088 | 2240 | cmd.exe | chcp.com
PID 2240 wrote to memory of 5052 | 2240 | cmd.exe | PING.EXE
PID 2240 wrote to memory of 5052 | 2240 | cmd.exe | PING.EXE
PID 2240 wrote to memory of 3128 | 2240 | cmd.exe | Client.exe
PID 2240 wrote to memory of 3128 | 2240 | cmd.exe | Client.exe
PID 3128 wrote to memory of 3436 | 3128 | Client.exe | schtasks.exe
PID 3128 wrote to memory of 3436 | 3128 | Client.exe | schtasks.exe
PID 3128 wrote to memory of 3428 | 3128 | Client.exe | cmd.exe
PID 3128 wrote to memory of 3428 | 3128 | Client.exe | cmd.exe
PID 3428 wrote to memory of 1572 | 3428 | cmd.exe | chcp.com
PID 3428 wrote to memory of 1572 | 3428 | cmd.exe | chcp.com
PID 3428 wrote to memory of 1812 | 3428 | cmd.exe | PING.EXE
PID 3428 wrote to memory of 1812 | 3428 | cmd.exe | PING.EXE
PID 3428 wrote to memory of 2660 | 3428 | cmd.exe | Client.exe
PID 3428 wrote to memory of 2660 | 3428 | cmd.exe | Client.exe
PID 2660 wrote to memory of 5080 | 2660 | Client.exe | schtasks.exe
PID 2660 wrote to memory of 5080 | 2660 | Client.exe | schtasks.exe
PID 2660 wrote to memory of 232 | 2660 | Client.exe | cmd.exe
PID 2660 wrote to memory of 232 | 2660 | Client.exe | cmd.exe
PID 232 wrote to memory of 4796 | 232 | cmd.exe | chcp.com
PID 232 wrote to memory of 4796 | 232 | cmd.exe | chcp.com
PID 232 wrote to memory of 3388 | 232 | cmd.exe | PING.EXE
PID 232 wrote to memory of 3388 | 232 | cmd.exe | PING.EXE
PID 232 wrote to memory of 5088 | 232 | cmd.exe | Client.exe
PID 232 wrote to memory of 5088 | 232 | cmd.exe | Client.exe
PID 5088 wrote to memory of 1508 | 5088 | Client.exe | schtasks.exe
PID 5088 wrote to memory of 1508 | 5088 | Client.exe | schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
-
  C:\Users\Admin\AppData\Roaming\Windows\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
-
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r6q5aHjkOvlD.bat" "
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\system32\chcp.com
        Command line: chcp 65001
-
      C:\Windows\system32\PING.EXE
        Command line: ping -n 10 localhost
        - Runs ping.exe
-
      C:\Users\Admin\AppData\Roaming\Windows\Client.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
-
        C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
-
        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ju1a3sA5LKzP.bat" "
          - Suspicious use of WriteProcessMemory
-
          C:\Windows\system32\chcp.com
            Command line: chcp 65001
-
          C:\Windows\system32\PING.EXE
            Command line: ping -n 10 localhost
            - Runs ping.exe
-
          C:\Users\Admin\AppData\Roaming\Windows\Client.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
-
            C:\Windows\SYSTEM32\schtasks.exe
              Command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
-
            C:\Windows\system32\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cqo9oFGxzilL.bat" "
              - Suspicious use of WriteProcessMemory
-
              C:\Windows\system32\chcp.com
                Command line: chcp 65001
-
              C:\Windows\system32\PING.EXE
                Command line: ping -n 10 localhost
                - Runs ping.exe
-
              C:\Users\Admin\AppData\Roaming\Windows\Client.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
-
                C:\Windows\SYSTEM32\schtasks.exe
                  Command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB
MD5
8f0271a63446aef01cf2bfc7b7c7976b
SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
C:\Users\Admin\AppData\Local\Temp\Cqo9oFGxzilL.bat
Filesize
208B
MD5
a4cd2cec7327db2807dc61018dadcb1e
SHA1
7dcb71abc97891959cd8b2e853ff5c73e5154558
SHA256
2be9e602bfac9f98ad821358b0a2b937822663a2ac03e6a0ac698c93715f012e
SHA512
7759864e6fdf04d1906cc4a3adb215a94d5a67aaeb2486b61b87c348337c97fe619a95998a893ef68b67ce3acb5d1c129d7fb7d31a15910a5b1df29313eef5ed
-
C:\Users\Admin\AppData\Local\Temp\Ju1a3sA5LKzP.bat
Filesize
208B
MD5
7bb1546b1060788d8580ab441d701f30
SHA1
e80bff918ee3a9d4b1080c66b34696d0d9a3d099
SHA256
6c2db1ada9fdae986a3e6b86d8b66b4773a42975bf37be658204d25de3384775
SHA512
0dd04dbf96c541ce336d9000462ff719166e1188c38d2992dd9ff02b47f191d3d4389e914e3eb2477e9513fde068470925761aec2a24fab2bd880f004bd74092
-
C:\Users\Admin\AppData\Local\Temp\r6q5aHjkOvlD.bat
Filesize
208B
MD5
a6a959f46ac98f39b32a3a4566784dbe
SHA1
261aa8267466913a458ba187088a5d2b73bc736c
SHA256
c5add205ce6e0c09a491d1b0cf447003d0f7c3f13d24919d5e25850b4c0a9b45
SHA512
c36072c8aa7e55d16dab5dc720017cfe8f56145f740e26f02a4be8634447c1c2e0ed42bb75e10574e3c8e6c31bf8f8196705e1eb4951e6375f09fdac1c7aada8
-
C:\Users\Admin\AppData\Roaming\Windows\Client.exe
Filesize
3.1MB
MD5
5b2ccc8a8d94dde2f51b8311e2548255
SHA1
22edf1e9abd6902e1c9b424a548b6d52df20ae22
SHA256
df11dd094952f12ea053085c7a7801326a58dc2ce42570b35b2fec98a7801808
SHA512
78c8c5d54be2926744351846723903da6e51d517b70f1aac7312a6f29ce64663eb39db905a343a5ddef235c26d093c3e97bbd21abc27ebdf1bc4de257bb4a861
-
memory/2660-29-0x00007FF842010000-0x00007FF842AD1000-memory.dmp
Filesize
10.8MB
-
memory/2660-35-0x00007FF842010000-0x00007FF842AD1000-memory.dmp
Filesize
10.8MB
-
memory/2660-30-0x000000001B5D0000-0x000000001B5E0000-memory.dmp
Filesize
64KB
-
memory/3128-21-0x00007FF842010000-0x00007FF842AD1000-memory.dmp
Filesize
10.8MB
-
memory/3128-26-0x00007FF842010000-0x00007FF842AD1000-memory.dmp
Filesize
10.8MB
-
memory/3128-22-0x0000000002680000-0x0000000002690000-memory.dmp
Filesize
64KB
-
memory/4572-10-0x00007FF841DC0000-0x00007FF842881000-memory.dmp
Filesize
10.8MB
-
memory/4572-2-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
Filesize
64KB
-
memory/4572-0-0x0000000000670000-0x0000000000994000-memory.dmp
Filesize
3.1MB
-
memory/4572-1-0x00007FF841DC0000-0x00007FF842881000-memory.dmp
Filesize
10.8MB
-
memory/4852-9-0x00007FF841DC0000-0x00007FF842881000-memory.dmp
Filesize
10.8MB
-
memory/4852-11-0x000000001BB20000-0x000000001BB70000-memory.dmp
Filesize
320KB
-
memory/4852-17-0x00007FF841DC0000-0x00007FF842881000-memory.dmp
Filesize
10.8MB
-
memory/4852-12-0x000000001BC30000-0x000000001BCE2000-memory.dmp
Filesize
712KB
-
memory/5088-37-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp
Filesize
10.8MB
-
memory/5088-38-0x000000001B530000-0x000000001B540000-memory.dmp
Filesize
64KB