Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12-04-2024 01:57
Behavioral task
behavioral1
Sample
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe
Resource
win7-20240221-en
General
-
Target
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe
-
Size
3.1MB
-
MD5
3396e77d0d043554c7f857a1249c75fe
-
SHA1
d3de2678e85f4ad63e5254782a58a85035aafecc
-
SHA256
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
-
SHA512
3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4
-
SSDEEP
49152:WvnG42pda6D+/PjlLOlg6yQipV7tjMpETOk/FLoGd7RTHHB72eh2NT:WvG42pda6D+/PjlLOlZyQipVhj9
Malware Config
Extracted
quasar
1.4.1
Office04
10.10.8.36:4782
0.tcp.eu.ngrok.io:19992
tcp://5.tcp.eu.ngrok.io:10477
570f8f63-dc8c-471b-b7f5-710ac819d722
-
encryption_key
BB0B2DE4F1126E98797D1ABADF2CCEC47E72B5FD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
150
-
startup_key
Platonus
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-0-0x00000000001A0000-0x00000000004C4000-memory.dmp family_quasar -
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-0-0x00000000001A0000-0x00000000004C4000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-0-0x00000000001A0000-0x00000000004C4000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables containing common artifacts observed in infostealers 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-0-0x00000000001A0000-0x00000000004C4000-memory.dmp INDICATOR_SUSPICIOUS_GENInfoStealer -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exedescription pid process Token: SeDebugPrivilege 1936 d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exedescription pid process target process PID 1936 wrote to memory of 2520 1936 d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe schtasks.exe PID 1936 wrote to memory of 2520 1936 d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe schtasks.exe PID 1936 wrote to memory of 2520 1936 d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe"C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:2520