Analysis

max time kernel: 19s
max time network: 20s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12-04-2024 15:22
General

Target: Client-built.exe
Size: 3.1MB
MD5: 383aa601a1a3e6722935b017a215f4b8
SHA1: 3855b5d5ba3ba2f161bd6d60caac5415e93bd482
SHA256: 6d03d6c26940eb9f2f6eaaa1d0a49d3f24a2941ec85bc7f12d3fb72162d780c8
SHA512: ceff9701a5cbc5bc6d61d5ebf0764b54aa056bdb311789f4dec7065a0910050932024498d0ee3a0a7f6b3cce2e5b77ff89d132120a4581536aa33822684f10eb
SSDEEP: 49152:3vnI22SsaNYfdPBldt698dBcjHuPdKbRznLoGdYXzTHHB72eh2NT:3vI22SsaNYfdPBldt6+dBcjHuPd+LoX
Malware Config

Extracted family: quasar
Version: 1.4.1
Office04
C2: us1.localto.net:38905
abf2fea6-bc08-449e-9ce0-142ecb0a54c5
encryption_key: 93B883D530A44E5A4457CCB3F463B613FCE53505
install_name: Google.exe.exe
log_directory: Log
reconnect_delay: 3000
startup_key: AntimaIware Core Service
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  resource: behavioral1/memory/3120-0-0x0000000000BD0000-0x0000000000EF4000-memory.dmp  yara_rule: family_quasar
  resource: C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe  yara_rule: family_quasar

Executes dropped EXE (1 IoC)
  pid 2764  Google.exe.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2780  schtasks.exe
  pid 2880  schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 3120  Client-built.exe
  Token: SeDebugPrivilege  pid 2764  Google.exe.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 2764  Google.exe.exe
  pid 2764  Google.exe.exe
  pid 2764  Google.exe.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2764  Google.exe.exe
  pid 2764  Google.exe.exe
  pid 2764  Google.exe.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2764  Google.exe.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 3120 (Client-built.exe) wrote to memory of 2880 (schtasks.exe)
  PID 3120 (Client-built.exe) wrote to memory of 2880 (schtasks.exe)
  PID 3120 (Client-built.exe) wrote to memory of 2764 (Google.exe.exe)
  PID 3120 (Client-built.exe) wrote to memory of 2764 (Google.exe.exe)
  PID 2764 (Google.exe.exe) wrote to memory of 2780 (schtasks.exe)
  PID 2764 (Google.exe.exe) wrote to memory of 2780 (schtasks.exe)
  PID 2764 (Google.exe.exe) wrote to memory of 832 (schtasks.exe)
  PID 2764 (Google.exe.exe) wrote to memory of 832 (schtasks.exe)
  PID 2764 (Google.exe.exe) wrote to memory of 2620 (cmd.exe)
  PID 2764 (Google.exe.exe) wrote to memory of 2620 (cmd.exe)
  PID 2620 (cmd.exe) wrote to memory of 4588 (chcp.com)
  PID 2620 (cmd.exe) wrote to memory of 4588 (chcp.com)
  PID 2620 (cmd.exe) wrote to memory of 4544 (PING.EXE)
  PID 2620 (cmd.exe) wrote to memory of 4544 (PING.EXE)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe  (PID 3120)
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe  (PID 2880)
    command line: "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe  (PID 2764)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe  (PID 2780)
      command line: "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Windows\SYSTEM32\schtasks.exe  (PID 832)
      command line: "schtasks" /delete /tn "AntimaIware Core Service" /f

    C:\Windows\system32\cmd.exe  (PID 2620)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0cVCuv9jI9s7.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\chcp.com  (PID 4588)
        command line: chcp 65001

      C:\Windows\system32\PING.EXE  (PID 4544)
        command line: ping -n 10 localhost
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 215B
  MD5: 63d1fe662d6bfa45eb2a9a93d4d35b8b
  SHA1: 6693da4443f98ee47530b58c5e3a130beedf1971
  SHA256: 231316589487353199f0a88a4387aede7cd578921916c8f8d9627490140334bd
  SHA512: e917ed85c3e789258a4bc140174e89045d9c056cf31b9b1cc0cb499f96bbdf4db008757a7c560a7a26695dfa5df423655fcb6aba32274aa2a64426a3845e36df

File 2
  Filesize: 3.1MB
  MD5: 383aa601a1a3e6722935b017a215f4b8
  SHA1: 3855b5d5ba3ba2f161bd6d60caac5415e93bd482
  SHA256: 6d03d6c26940eb9f2f6eaaa1d0a49d3f24a2941ec85bc7f12d3fb72162d780c8
  SHA512: ceff9701a5cbc5bc6d61d5ebf0764b54aa056bdb311789f4dec7065a0910050932024498d0ee3a0a7f6b3cce2e5b77ff89d132120a4581536aa33822684f10eb