Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07-04-2024 17:39
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240221-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
2aebe66b019df4695fe7218875c93856
-
SHA1
646890986ef0bba4eed6b659d56704d09e414562
-
SHA256
ea3003e00c6e653fad8844d4677ceef7b7b6e499939ed765a49df3898ddf3c45
-
SHA512
7391db69d5cc021dee50b2af12d11b30a4225f46b4469d10eff4e659c71c298233dea01e1e626d35d49b9490ef3dcaa1570b4448859d9d04ac0270b71c84bddc
-
SSDEEP
49152:WvbI22SsaNYfdPBldt698dBcjHHyxNESEXk/ijLoGdAwXTHHB72eh2NT:Wvk22SsaNYfdPBldt6+dBcjHSxavD
Malware Config
Extracted
Family
quasar
-
Version
1.4.1
-
Botnet
Office04
-
C2
x.tcp.ngrok.io:16096
-
Mutex
755f883f-4d58-4349-bc9e-f21c4e163b6f
-
encryption_key
EE65D8F2E429F4900E3A17963595716D863A2455
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource                                                                    yara_rule
behavioral2/memory/3572-0-0x0000000000B40000-0x0000000000E64000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                            family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2912  Client.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow  ioc
83    x.tcp.ngrok.io
15    x.tcp.ngrok.io
60    x.tcp.ngrok.io
64    x.tcp.ngrok.io
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
3956  schtasks.exe
2076  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3572  Client-built.exe
Token: SeDebugPrivilege  2912  Client.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
2912  Client.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid   process
2912  Client.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2912  Client.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid   process           target process
PID 3572 wrote to memory of 2076   3572  Client-built.exe  schtasks.exe
PID 3572 wrote to memory of 2076   3572  Client-built.exe  schtasks.exe
PID 3572 wrote to memory of 2912   3572  Client-built.exe  Client.exe
PID 3572 wrote to memory of 2912   3572  Client-built.exe  Client.exe
PID 2912 wrote to memory of 3956   2912  Client.exe        schtasks.exe
PID 2912 wrote to memory of 3956   2912  Client.exe        schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3572
  -
  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 2076
  -
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2912
    -
    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 3956
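The two behaviours this report records that are worth turning into detections are the logon-triggered scheduled task pointing at a dropped binary under AppData (the two schtasks invocations above, with /rl HIGHEST) and the C2 channel through an ngrok TCP tunnel (the x.tcp.ngrok.io flows). The following is an added example, not part of the Triage report or of Quasar itself: it parses schtasks command lines and DNS log lines and flags both patterns. Only the schtasks command line, task name, install path and ngrok host are copied from the report; the telemetry lines, the benign decoys and the qname= log field format are constructed for the example.

```python
# Added example (not from the Triage report or the Quasar project): detection
# logic for the two behaviours the report records, run over constructed
# telemetry. The schtasks command line, task name, install path and ngrok host
# are copied from the report; the log lines, decoys and the qname= field
# format are constructed for this example.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators copied from the report.
REPORT_TASK_NAME = "Quasar Client Startup"
REPORT_INSTALL_PATH = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
REPORT_C2_HOST = "x.tcp.ngrok.io"

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # Windows-style argv: quoted or bare tokens
_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
_NGROK_TCP = re.compile(r"(^|\.)tcp\.ngrok\.io$", re.I)
_DNS_QNAME = re.compile(r"\bqname=(\S+)")


@dataclass
class Finding:
    rule: str
    detail: str


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Split a schtasks command line into {switch: value}; switches without a value map to ''."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    if not tokens:
        return {}
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe"):
        return {}
    switches: Dict[str, str] = {}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            switches[key] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return switches


def detect_schtasks_persistence(cmdline: str) -> Optional[Finding]:
    """Flag `schtasks /create` with a logon/boot trigger whose action lives in a user-writable path."""
    sw = parse_schtasks(cmdline)
    if "create" not in sw:
        return None
    trigger = sw.get("sc", "").lower()
    action = sw.get("tr", "")
    if trigger not in ("onlogon", "onstart") or not _USER_WRITABLE.search(action):
        return None
    detail = f"task={sw.get('tn', '?')!r} trigger={trigger} action={action!r}"
    if sw.get("rl", "").lower() == "highest":
        detail += " runlevel=HIGHEST"  # task requests the elevated token, as in the report
    return Finding("schtasks_logon_persistence_user_writable", detail)


def detect_ngrok_dns(logline: str) -> Optional[Finding]:
    """Flag DNS queries for ngrok TCP tunnel endpoints, the C2 transport the sample used."""
    m = _DNS_QNAME.search(logline)
    if not m or not _NGROK_TCP.search(m.group(1).rstrip(".")):
        return None
    return Finding("dns_ngrok_tcp_tunnel", f"qname={m.group(1)}")


def scan(cmdlines: List[str], dns_lines: List[str]) -> List[Finding]:
    """Run both rules over process command lines and DNS log lines."""
    findings: List[Finding] = []
    for cmdline in cmdlines:
        hit = detect_schtasks_persistence(cmdline)
        if hit:
            findings.append(hit)
    for line in dns_lines:
        hit = detect_ngrok_dns(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed telemetry: the first command line is the one from the process tree
# above; the others are benign decoys the rules must not flag.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
    r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "OneDrive Update" /sc DAILY /tr "C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"',
    r'C:\Windows\System32\schtasks.exe /query /tn "Quasar Client Startup"',
]
SAMPLE_DNS_LINES = [
    "2024-04-07T17:40:12Z dns client=10.0.0.5 qname=x.tcp.ngrok.io qtype=A",
    "2024-04-07T17:40:13Z dns client=10.0.0.5 qname=ngrok.com qtype=A",
    "2024-04-07T17:40:14Z dns client=10.0.0.5 qname=settings-win.data.microsoft.com qtype=A",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES, SAMPLE_DNS_LINES):
        print(f"{f.rule}: {f.detail}")
```

The user-writable path check is a heuristic chosen to survive the sample being rebuilt with a different install_name or subdirectory; the task name and install path from this report are kept as exact-match indicators alongside it. On a live host the same schtasks logic applies to the command lines recorded in process-creation telemetry or to the task XML exposed through the Task Scheduler API, which this report notes the payload also uses directly.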
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.1MB
MD5
2aebe66b019df4695fe7218875c93856
SHA1
646890986ef0bba4eed6b659d56704d09e414562
SHA256
ea3003e00c6e653fad8844d4677ceef7b7b6e499939ed765a49df3898ddf3c45
SHA512
7391db69d5cc021dee50b2af12d11b30a4225f46b4469d10eff4e659c71c298233dea01e1e626d35d49b9490ef3dcaa1570b4448859d9d04ac0270b71c84bddc