Analysis
max time kernel: 79s
max time network: 84s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 17:49
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240221-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 145193333e64b74823c421d26f035480
SHA1: f9919b3e81793fc5ccfb48dff30606c08523361c
SHA256: d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
SHA512: 353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a
SSDEEP: 49152:KvjI22SsaNYfdPBldt698dBcjH361lpoGdVnTHHB72eh2NT:Kvc22SsaNYfdPBldt6+dBcjH361/F
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 2.tcp.eu.ngrok.io:16096
Mutex: 755f883f-4d58-4349-bc9e-f21c4e163b6f
Attributes:
  encryption_key: EE65D8F2E429F4900E3A17963595716D863A2455
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
  resource                                                                      | yara_rule
  behavioral1/memory/2176-0-0x00000000013B0000-0x00000000016D4000-memory.dmp    | family_quasar
  C:\Windows\System32\SubDir\Client.exe                                         | family_quasar
  behavioral1/memory/2612-7-0x0000000000870000-0x0000000000B94000-memory.dmp    | family_quasar

Executes dropped EXE (1 IoC)
  pid  | process
  2612 | Client.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Drops file in System32 directory (2 IoCs)
  description                  | ioc                                   | process
  File created                 | C:\Windows\system32\SubDir\Client.exe | Client-built.exe
  File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client-built.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | process
  2960 | schtasks.exe
  2600 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | process
  Token: SeDebugPrivilege | 2176 | Client-built.exe
  Token: SeDebugPrivilege | 2612 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | process
  2612 | Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       | pid  | process          | target process
  PID 2176 wrote to memory of 2960  | 2176 | Client-built.exe | schtasks.exe
  PID 2176 wrote to memory of 2960  | 2176 | Client-built.exe | schtasks.exe
  PID 2176 wrote to memory of 2960  | 2176 | Client-built.exe | schtasks.exe
  PID 2176 wrote to memory of 2612  | 2176 | Client-built.exe | Client.exe
  PID 2176 wrote to memory of 2612  | 2176 | Client-built.exe | Client.exe
  PID 2176 wrote to memory of 2612  | 2176 | Client-built.exe | Client.exe
  PID 2612 wrote to memory of 2600  | 2612 | Client.exe       | schtasks.exe
  PID 2612 wrote to memory of 2600  | 2612 | Client.exe       | schtasks.exe
  PID 2612 wrote to memory of 2600  | 2612 | Client.exe       | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 2176
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2960
    - Creates scheduled task(s)

  C:\Windows\system32\SubDir\Client.exe
    command line: "C:\Windows\system32\SubDir\Client.exe"
    PID: 2612
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      PID: 2600
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15