Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-04-2024 01:57

Behavioral task: behavioral1
Sample: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe
Resource: win7-20240221-en
General

Target: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe
Size: 3.1MB
MD5: 3396e77d0d043554c7f857a1249c75fe
SHA1: d3de2678e85f4ad63e5254782a58a85035aafecc
SHA256: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
SHA512: 3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4
SSDEEP: 49152:WvnG42pda6D+/PjlLOlg6yQipV7tjMpETOk/FLoGd7RTHHB72eh2NT:WvG42pda6D+/PjlLOlZyQipVhj9
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2:
  10.10.8.36:4782
  0.tcp.eu.ngrok.io:19992
  tcp://5.tcp.eu.ngrok.io:10477
Mutex: 570f8f63-dc8c-471b-b7f5-710ac819d722
Attributes:
  encryption_key: BB0B2DE4F1126E98797D1ABADF2CCEC47E72B5FD
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 150
  startup_key: Platonus
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
- resource: behavioral2/memory/4168-0-0x00000000008C0000-0x0000000000BE4000-memory.dmp; yara_rule: family_quasar
- resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe; yara_rule: family_quasar

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
Processes:
- resource: behavioral2/memory/4168-0-0x00000000008C0000-0x0000000000BE4000-memory.dmp; yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe; yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
Processes:
- resource: behavioral2/memory/4168-0-0x00000000008C0000-0x0000000000BE4000-memory.dmp; yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers
- resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe; yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (2 IoCs)
Processes:
- resource: behavioral2/memory/4168-0-0x00000000008C0000-0x0000000000BE4000-memory.dmp; yara_rule: INDICATOR_SUSPICIOUS_GENInfoStealer
- resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe; yara_rule: INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation; process: Client.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation; process: Client.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation; process: Client.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation; process: Client.exe

Executes dropped EXE (5 IoCs)
Processes:
- PID 216 Client.exe
- PID 2656 Client.exe
- PID 2040 Client.exe
- PID 3116 Client.exe
- PID 3920 Client.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 4884 schtasks.exe
- PID 3388 schtasks.exe
- PID 3836 schtasks.exe
- PID 3192 schtasks.exe
- PID 1760 schtasks.exe
- PID 4964 schtasks.exe

Runs ping.exe (1 TTP, 4 IoCs)
Processes:
- PID 4524 PING.EXE
- PID 3372 PING.EXE
- PID 436 PING.EXE
- PID 1972 PING.EXE

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- Token: SeDebugPrivilege; PID 4168 d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe
- Token: SeDebugPrivilege; PID 216 Client.exe
- Token: SeDebugPrivilege; PID 2656 Client.exe
- Token: SeDebugPrivilege; PID 2040 Client.exe
- Token: SeDebugPrivilege; PID 3116 Client.exe
- Token: SeDebugPrivilege; PID 3920 Client.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
- PID 216 Client.exe
- PID 2656 Client.exe
- PID 2040 Client.exe
- PID 3116 Client.exe
- PID 3920 Client.exe

Suspicious use of SendNotifyMessage (5 IoCs)
Processes:
- PID 216 Client.exe
- PID 2656 Client.exe
- PID 2040 Client.exe
- PID 3116 Client.exe
- PID 3920 Client.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- PID 216 Client.exe
- PID 2656 Client.exe
- PID 2040 Client.exe
- PID 3116 Client.exe
- PID 3920 Client.exe

Suspicious use of WriteProcessMemory (46 IoCs)
Processes (each write below is recorded twice in the report, giving 46 entries; format: source PID -> target PID, source process -> target process):
- PID 4168 wrote to memory of 1760: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe -> schtasks.exe (2 entries)
- PID 4168 wrote to memory of 216: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe -> Client.exe (2 entries)
- PID 216 wrote to memory of 4964: Client.exe -> schtasks.exe (2 entries)
- PID 216 wrote to memory of 1932: Client.exe -> cmd.exe (2 entries)
- PID 1932 wrote to memory of 1200: cmd.exe -> chcp.com (2 entries)
- PID 1932 wrote to memory of 436: cmd.exe -> PING.EXE (2 entries)
- PID 1932 wrote to memory of 2656: cmd.exe -> Client.exe (2 entries)
- PID 2656 wrote to memory of 4884: Client.exe -> schtasks.exe (2 entries)
- PID 2656 wrote to memory of 3444: Client.exe -> cmd.exe (2 entries)
- PID 3444 wrote to memory of 3864: cmd.exe -> chcp.com (2 entries)
- PID 3444 wrote to memory of 1972: cmd.exe -> PING.EXE (2 entries)
- PID 3444 wrote to memory of 2040: cmd.exe -> Client.exe (2 entries)
- PID 2040 wrote to memory of 3388: Client.exe -> schtasks.exe (2 entries)
- PID 2040 wrote to memory of 3376: Client.exe -> cmd.exe (2 entries)
- PID 3376 wrote to memory of 988: cmd.exe -> chcp.com (2 entries)
- PID 3376 wrote to memory of 4524: cmd.exe -> PING.EXE (2 entries)
- PID 3376 wrote to memory of 3116: cmd.exe -> Client.exe (2 entries)
- PID 3116 wrote to memory of 3836: Client.exe -> schtasks.exe (2 entries)
- PID 3116 wrote to memory of 4880: Client.exe -> cmd.exe (2 entries)
- PID 4880 wrote to memory of 4652: cmd.exe -> chcp.com (2 entries)
- PID 4880 wrote to memory of 3372: cmd.exe -> PING.EXE (2 entries)
- PID 4880 wrote to memory of 3920: cmd.exe -> Client.exe (2 entries)
- PID 3920 wrote to memory of 3192: Client.exe -> schtasks.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe (PID 4168)
  command line: "C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe (PID 1760)
    command line: "schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 216)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe (PID 4964)
      command line: "schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Windows\system32\cmd.exe (PID 1932)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P29wcDMzS7DL.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com (PID 1200)
        command line: chcp 65001
      C:\Windows\system32\PING.EXE (PID 436)
        command line: ping -n 10 localhost
        - Runs ping.exe
      C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2656)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe (PID 4884)
          command line: "schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        C:\Windows\system32\cmd.exe (PID 3444)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMD3IV4Ps0W2.bat" "
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\chcp.com (PID 3864)
            command line: chcp 65001
          C:\Windows\system32\PING.EXE (PID 1972)
            command line: ping -n 10 localhost
            - Runs ping.exe
          C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2040)
            command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Windows\SYSTEM32\schtasks.exe (PID 3388)
              command line: "schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
            C:\Windows\system32\cmd.exe (PID 3376)
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hRX0ROMF8Zwb.bat" "
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\chcp.com (PID 988)
                command line: chcp 65001
              C:\Windows\system32\PING.EXE (PID 4524)
                command line: ping -n 10 localhost
                - Runs ping.exe
              C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3116)
                command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                C:\Windows\SYSTEM32\schtasks.exe (PID 3836)
                  command line: "schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
                C:\Windows\system32\cmd.exe (PID 4880)
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ujlL4gxfCVPw.bat" "
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\system32\chcp.com (PID 4652)
                    command line: chcp 65001
                  C:\Windows\system32\PING.EXE (PID 3372)
                    command line: ping -n 10 localhost
                    - Runs ping.exe
                  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3920)
                    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\SYSTEM32\schtasks.exe (PID 3192)
                      command line: "schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads