Analysis
  max time kernel: 129s
  max time network: 142s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 08-04-2024 22:28
Behavioral task
  behavioral1
  Sample: 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe
  Resource: win7-20240221-en
General
  Target: 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe
  Size: 3.1MB
  MD5: ed8542b4688d70d42d77fad98e5969b0
  SHA1: 808666505eeca15e9a7a15b95ff439497a9f1dcf
  SHA256: 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002
  SHA512: 72fc0930a4e51eb7a7b76bac97c64c9bb8e8fe30a406b294a824ecc721677c212d409368a6bca595b0ee82449d80cf7c09f4a063bbe7ee47ebcba30c5c3b6a45
  SSDEEP: 49152:KvyI22SsaNYfdPBldt698dBcjH672lSt3oGdITHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjH62lS9
Malware Config
  Extracted
  Family: quasar
  Version: 1.4.1
  Botnet: Office04
  C2: 10.127.0.54:4782
  Mutex: 76898c6c-aad7-493e-ad05-6bb072bc1ab9
  encryption_key: E0AA33A7353AC58B6995079C718A83EE5609573D
  install_name: Twrek.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2336-0-0x00000000013B0000-0x00000000016D4000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe | family_quasar
  behavioral1/memory/2132-9-0x00000000001A0000-0x00000000004C4000-memory.dmp | family_quasar

Detects Windows executables referencing non-Windows User-Agents (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2336-0-0x00000000013B0000-0x00000000016D4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral1/memory/2132-9-0x00000000001A0000-0x00000000004C4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2336-0-0x00000000013B0000-0x00000000016D4000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2132-9-0x00000000001A0000-0x00000000004C4000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2336-0-0x00000000013B0000-0x00000000016D4000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer
  C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe | INDICATOR_SUSPICIOUS_GENInfoStealer
  behavioral1/memory/2132-9-0x00000000001A0000-0x00000000004C4000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2132 | Twrek.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  2736 | schtasks.exe
  2528 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2336 | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe
  Token: SeDebugPrivilege | 2132 | Twrek.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  2132 | Twrek.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2336 wrote to memory of 2736 | 2336 | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe | schtasks.exe
  PID 2336 wrote to memory of 2736 | 2336 | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe | schtasks.exe
  PID 2336 wrote to memory of 2736 | 2336 | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe | schtasks.exe
  PID 2336 wrote to memory of 2132 | 2336 | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe | Twrek.exe
  PID 2336 wrote to memory of 2132 | 2336 | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe | Twrek.exe
  PID 2336 wrote to memory of 2132 | 2336 | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe | Twrek.exe
  PID 2132 wrote to memory of 2528 | 2132 | Twrek.exe | schtasks.exe
  PID 2132 wrote to memory of 2528 | 2132 | Twrek.exe | schtasks.exe
  PID 2132 wrote to memory of 2528 | 2132 | Twrek.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child depth)

  C:\Users\Admin\AppData\Local\Temp\745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe (PID 2336)
    command line: "C:\Users\Admin\AppData\Local\Temp\745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 2736)
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe (PID 2132)
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe (PID 2528)
        command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Twrek.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15