Analysis

max time kernel: 37s
max time network: 38s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 17:49
Behavioral task | Sample | Resource | Errors
behavioral1 | Client-built.exe | win7-20240221-en |
General

Target: Client-built.exe
Size: 3.1MB
MD5: 145193333e64b74823c421d26f035480
SHA1: f9919b3e81793fc5ccfb48dff30606c08523361c
SHA256: d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
SHA512: 353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a
SSDEEP: 49152:KvjI22SsaNYfdPBldt698dBcjH361lpoGdVnTHHB72eh2NT:Kvc22SsaNYfdPBldt6+dBcjH361/F
Malware Config

Extracted
family: quasar
version: 1.4.1
Office04
2.tcp.eu.ngrok.io:16096
755f883f-4d58-4349-bc9e-f21c4e163b6f
encryption_key: EE65D8F2E429F4900E3A17963595716D863A2455
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
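The extracted config already pins down most of what this build does on a host: startup_key is the scheduled-task name, subdirectory plus install_name give the dropped path, and the single host is an ngrok TCP tunnel endpoint, which is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to. The Python below is an added example, not code from the sandbox vendor or the Quasar project: it turns the extracted values into hunt indicators, flags tunnel-fronted C2 separately from direct C2 addresses, and reconstructs the schtasks command line the config predicts so it can be checked against the one in the process tree. The meanings assigned to the three unlabelled values (tag, C2 host, mutex GUID), the install root, the tunnel-provider suffix list and all function names are assumptions.

```python
"""Derive hunting indicators from the Quasar config the sandbox extracted.

Added example, not code from the sandbox vendor or the Quasar project. The
values in QUASAR_CONFIG are copied from the report; the meanings of the three
unlabelled values, the install root, the tunnel-provider suffix list and the
function names are this example's own assumptions.
"""

QUASAR_CONFIG = {
    "version": "1.4.1",
    "tag": "Office04",                     # assumption: the operator's client tag
    "hosts": ["2.tcp.eu.ngrok.io:16096"],  # C2 host:port as shown in the report
    "mutex": "755f883f-4d58-4349-bc9e-f21c4e163b6f",  # assumption: GUID is the mutex
    "encryption_key": "EE65D8F2E429F4900E3A17963595716D863A2455",
    "install_name": "Client.exe",
    "log_directory": "Logs",
    "reconnect_delay": 3000,
    "startup_key": "Quasar Client Startup",
    "subdirectory": "SubDir",
}

# Install root observed in this report's process tree (the dropper wrote under
# System32); other builds may target a user profile or Program Files instead.
OBSERVED_INSTALL_ROOT = r"C:\Windows\system32"

# Assumption: suffixes of public tunnelling/relay services that are commonly
# used to front a C2 so the real listener never appears in the config.
TUNNEL_SUFFIXES = (
    "ngrok.io", "ngrok-free.app", "ngrok.app",
    "trycloudflare.com", "serveo.net", "localhost.run", "loca.lt",
)


def split_hostport(hostport):
    """'host:port' -> (host, port); rejects a missing or out-of-range port."""
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad host:port {hostport!r}")
    return host, int(port)


def is_tunnel_host(host):
    """True when the host is a tunnel-provider name (exact or subdomain match)."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in TUNNEL_SUFFIXES)


def install_path(cfg, root=OBSERVED_INSTALL_ROOT):
    return "\\".join((root, cfg["subdirectory"], cfg["install_name"]))


def expected_schtasks_cmdline(cfg, root=OBSERVED_INSTALL_ROOT):
    """The schtasks invocation this config predicts, in the form the report's
    process tree shows: task name = startup_key, action = install path."""
    return (f'"schtasks" /create /tn "{cfg["startup_key"]}" /sc ONLOGON '
            f'/tr "{install_path(cfg, root)}" /rl HIGHEST /f')


def indicators(cfg, root=OBSERVED_INSTALL_ROOT):
    """Flat list of (kind, value, note) tuples for a hunt query or blocklist."""
    out = []
    for hp in cfg["hosts"]:
        host, port = split_hostport(hp)
        note = ("tunnel relay: the real C2 sits behind the provider and the "
                "hostname/port is cheap for the operator to rotate"
                if is_tunnel_host(host) else "direct C2")
        out.append(("c2", f"{host}:{port}", note))
    out.append(("file", install_path(cfg, root), "persisted copy of the client"))
    out.append(("scheduled_task", cfg["startup_key"], "ONLOGON task with /rl HIGHEST"))
    out.append(("mutex", cfg["mutex"], "GUID from the config (assumed mutex name)"))
    out.append(("string", cfg["encryption_key"], "config constant, usable as a YARA string"))
    return out
```

Run stand-alone it builds nothing but the lists; the useful check is that expected_schtasks_cmdline(QUASAR_CONFIG) reproduces, character for character, the schtasks line in the process tree, which confirms the extractor's field mapping before any of these values go into a detection.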
Signatures

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/2656-0-0x0000000000690000-0x00000000009B4000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\Client.exe | family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | Client.exe

Executes dropped EXE (1 IoC)
pid | process
3752 | Client.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)

Drops file in System32 directory (2 IoCs)
description | ioc | process
File created | C:\Windows\system32\SubDir\Client.exe | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client-built.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
2756 | schtasks.exe
984 | schtasks.exe

Modifies data under HKEY_USERS (15 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "54" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
3752 | Client.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2656 | Client-built.exe
Token: SeDebugPrivilege | 3752 | Client.exe
Token: SeShutdownPrivilege | 3260 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 3260 | shutdown.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
3752 | Client.exe
4548 | LogonUI.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 2656 wrote to memory of 2756 | 2656 | Client-built.exe | schtasks.exe
PID 2656 wrote to memory of 2756 | 2656 | Client-built.exe | schtasks.exe
PID 2656 wrote to memory of 3752 | 2656 | Client-built.exe | Client.exe
PID 2656 wrote to memory of 3752 | 2656 | Client-built.exe | Client.exe
PID 3752 wrote to memory of 984 | 3752 | Client.exe | schtasks.exe
PID 3752 wrote to memory of 984 | 3752 | Client.exe | schtasks.exe
PID 3752 wrote to memory of 3260 | 3752 | Client.exe | shutdown.exe
PID 3752 wrote to memory of 3260 | 3752 | Client.exe | shutdown.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 2656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe (PID 2756)
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Windows\system32\SubDir\Client.exe (PID 3752)
      Command line: "C:\Windows\system32\SubDir\Client.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe (PID 984)
          Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
          - Creates scheduled task(s)

        C:\Windows\System32\shutdown.exe (PID 3260)
          Command line: "C:\Windows\System32\shutdown.exe" /r /t 0
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (PID 4548)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39bd055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
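The tree above is the whole install in five processes: the dropper in %TEMP% writes Client.exe into a System32 subdirectory, registers it as an ONLOGON task at highest run level, starts the copy, and the copy re-registers the same task and reboots the machine immediately so the task fires. Detection logic over that shape, as an added example that is not part of the report: the event list is constructed from the process tree in Sysmon event 1 style (pid, ppid, image, command line) with one benign scheduled-task creation as a control, the dropper's own parent pid is a placeholder because the report does not show it, and all helper names are my own. Each event is scored on its own (ONLOGON or ONSTART with /rl HIGHEST, an action path in a System32 subdirectory, a task registered from a user-writable path, a forced reboot ordered by a non-OS parent), then the dropper, task, dropped copy and reboot are tied into one chain.

```python
"""Detection logic for the install chain in the process tree above (added example,
not part of the report; EVENTS is constructed from that tree in Sysmon EID 1 style
plus one benign control event, and every helper name is this example's own)."""
import re

# Constructed from the report's tree. The dropper's parent pid is not in the
# report (1100 is a placeholder); pid 5000 is a benign control task creation.
TASK_CMD = (r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
            r'/tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f')
EVENTS = [
    {"pid": 2656, "ppid": 1100, "image": r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'},
    {"pid": 2756, "ppid": 2656, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMD},
    {"pid": 3752, "ppid": 2656, "image": r"C:\Windows\system32\SubDir\Client.exe",
     "cmdline": r'"C:\Windows\system32\SubDir\Client.exe"'},
    {"pid": 984, "ppid": 3752, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMD},
    {"pid": 3260, "ppid": 3752, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": r'"C:\Windows\System32\shutdown.exe" /r /t 0'},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks_create(cmdline):
    """Options of a 'schtasks /create' invocation, or None for anything else."""
    toks = tokenize(cmdline)
    exe = toks[0].lower().rsplit("\\", 1)[-1] if toks else ""
    if exe not in ("schtasks", "schtasks.exe") or "/create" not in [t.lower() for t in toks]:
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def in_system_subdir(path):
    """True for a binary in a subfolder of System32/SysWOW64 (a drop location),
    False for one sitting directly in System32 like the OS binaries do."""
    p = path.lower()
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return "\\" in p[len(d):]
    return False


def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def analyze(events):
    """Per-event findings as (pid, [reasons]); events with no reason are omitted."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent, reasons = by_pid.get(e["ppid"]), []
        opts = parse_schtasks_create(e["cmdline"])
        if opts is not None:
            if opts.get("/sc", "").upper() in ("ONLOGON", "ONSTART") and opts.get("/rl", "").upper() == "HIGHEST":
                reasons.append("logon/boot trigger with /rl HIGHEST")
            if in_system_subdir(opts.get("/tr", "")):
                reasons.append("task action lives in a System32 subdirectory")
            if parent and in_user_writable(parent["image"]):
                reasons.append("registered by a process running from a user-writable path")
        elif e["image"].lower().endswith("\\shutdown.exe"):
            if "/r" in [t.lower() for t in tokenize(e["cmdline"])] and parent and (
                    in_system_subdir(parent["image"]) or in_user_writable(parent["image"])):
                reasons.append("forced reboot ordered by a non-OS parent")
        elif in_system_subdir(e["image"]) and parent and in_user_writable(parent["image"]):
            reasons.append("System32-subdirectory binary started from a user-writable path")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings


def quasar_like_chain(events):
    """Dropper in a user-writable path -> task pointing at a System32 subdir copy ->
    copy started by the dropper -> copy orders a reboot. Returns the pids, or None."""
    by_pid = {e["pid"]: e for e in events}
    for e in events:
        opts = parse_schtasks_create(e["cmdline"])
        dropper = by_pid.get(e["ppid"]) if opts and in_system_subdir(opts.get("/tr", "")) else None
        if not dropper or not in_user_writable(dropper["image"]):
            continue
        target = opts["/tr"].lower()
        payload = next((p for p in events if p["ppid"] == dropper["pid"]
                        and p["image"].lower() == target), None)
        if payload is None:
            continue
        reboot = next((r for r in events if r["ppid"] == payload["pid"]
                       and r["image"].lower().endswith("\\shutdown.exe")), None)
        return {"dropper": dropper["pid"], "task": opts.get("/tn"),
                "payload": payload["pid"], "reboot": reboot["pid"] if reboot else None}
    return None
```

On the constructed events, analyze() flags both schtasks invocations, the dropped Client.exe and the shutdown, and leaves the control task alone; quasar_like_chain() returns the four pids of the install. The per-event reasons are deliberately weak on their own (an admin can legitimately create an ONLOGON task at highest run level); it is the chain, a task action in a System32 subdirectory registered from %TEMP% followed by an immediate reboot from that same binary, that is worth an alert.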
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: 145193333e64b74823c421d26f035480
SHA1: f9919b3e81793fc5ccfb48dff30606c08523361c
SHA256: d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
SHA512: 353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a