Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11-04-2024 08:15
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240221-en
General
-
Target
Client.exe
-
Size
3.1MB
-
MD5
06c48b0057d41710e891201feb25782a
-
SHA1
1910dedf7da045aa142c2606ee4aa55729241178
-
SHA256
5a0c1f8c117e97ea489329daaf64834554dcabd0263480675c6277b17f70f4f4
-
SHA512
818a46ce9fabaa244d74cffe435ea2e2740bf1e20da49402b3bb1147b994f979cf89e06ee0d3302a8c4fa33d4cfc2dc7f9eeb612125478cef4da9e4899ea9bed
-
SSDEEP
49152:fvnI22SsaNYfdPBldt698dBcjHPCZ1JTLoGdgDfTHHB72eh2NT:fvI22SsaNYfdPBldt6+dBcjHPC5w
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.178.113:4782
3caeec85-698d-4fb5-8dcc-d8a134c7032a
-
encryption_key
84878E668DB7327880C001BFC6CE91226EBE60EF
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/5052-0-0x0000000000E40000-0x0000000001164000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar -
Executes dropped EXE 1 IoCs
Processes:
Client.exepid process 3032 Client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 3496 schtasks.exe 4764 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Client.exeClient.exedescription pid process Token: SeDebugPrivilege 5052 Client.exe Token: SeDebugPrivilege 3032 Client.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Client.exepid process 3032 Client.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Client.exepid process 3032 Client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Client.exepid process 3032 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Client.exeClient.exedescription pid process target process PID 5052 wrote to memory of 3496 5052 Client.exe schtasks.exe PID 5052 wrote to memory of 3496 5052 Client.exe schtasks.exe PID 5052 wrote to memory of 3032 5052 Client.exe Client.exe PID 5052 wrote to memory of 3032 5052 Client.exe Client.exe PID 3032 wrote to memory of 4764 3032 Client.exe schtasks.exe PID 3032 wrote to memory of 4764 3032 Client.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:3496 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:4764
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
3.1MB
MD506c48b0057d41710e891201feb25782a
SHA11910dedf7da045aa142c2606ee4aa55729241178
SHA2565a0c1f8c117e97ea489329daaf64834554dcabd0263480675c6277b17f70f4f4
SHA512818a46ce9fabaa244d74cffe435ea2e2740bf1e20da49402b3bb1147b994f979cf89e06ee0d3302a8c4fa33d4cfc2dc7f9eeb612125478cef4da9e4899ea9bed