Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
12-04-2024 18:55
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Client-built.exe
Resource
win10v2004-20240412-en
General
-
Target
Client-built.exe
-
Size
348KB
-
MD5
46c2a971cec1f82ea7a338ab4a368f37
-
SHA1
69b181896b53a27554a6535f61e1b1e785750f98
-
SHA256
04b8bb3fc2b3311f5027fa536ec480a3211cbc4673efde460f59daf44a7a1f55
-
SHA512
627ea3b4f030dc62fa13b8902dbc6d6e286e8ba93b08ae584f37d8dcc9933dfbe84dd27241510dd821bd58bb8f8621399cb85c4e35b35d7424c1e7be141fd80f
-
SSDEEP
6144:MMNHXf500MOxK7ACSBybr7bbVJG6rCaI4CH0KM+:Zd50awACBlo6rPXCHs+
Malware Config
Extracted
-
Family
quasar
-
Version
1.3.0.0
-
Botnet
Office04
-
C2
Lunasplanet-29399.portmap.host:29399
-
Mutex
QSR_MUTEX_3gXoc7Rbb6gDK9k7Ha
-
encryption_key
huAtWMa1sVtLD6rMH8Yv
-
install_name
SubClient.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SubClient.exe
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Resources:
resource | yara_rule
behavioral2/memory/212-1-0x0000000000AB0000-0x0000000000B0E000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe | family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2300 | SubClient.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
flow | ioc
16 | ip-api.com
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3284 | schtasks.exe
4568 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 212 | Client-built.exe
Token: SeDebugPrivilege | 2300 | SubClient.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2300 | SubClient.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 212 wrote to memory of 3284 | 212 | Client-built.exe | schtasks.exe
PID 212 wrote to memory of 3284 | 212 | Client-built.exe | schtasks.exe
PID 212 wrote to memory of 3284 | 212 | Client-built.exe | schtasks.exe
PID 212 wrote to memory of 2300 | 212 | Client-built.exe | SubClient.exe
PID 212 wrote to memory of 2300 | 212 | Client-built.exe | SubClient.exe
PID 212 wrote to memory of 2300 | 212 | Client-built.exe | SubClient.exe
PID 2300 wrote to memory of 4568 | 2300 | SubClient.exe | schtasks.exe
PID 2300 wrote to memory of 4568 | 2300 | SubClient.exe | schtasks.exe
PID 2300 wrote to memory of 4568 | 2300 | SubClient.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 212
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  ├─ C:\Windows\SysWOW64\schtasks.exe
  │    "schtasks" /create /tn "SubClient.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
  │    PID: 3284
  │    - Creates scheduled task(s)
  └─ C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe
       "C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe"
       PID: 2300
       - Executes dropped EXE
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "SubClient.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe" /rl HIGHEST /f
            PID: 4568
            - Creates scheduled task(s)
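The extracted config predicts what the process tree then records: install_name and subdirectory give the drop path under %APPDATA%, and startup_key gives the name of the scheduled task, which both schtasks invocations register with an ONLOGON trigger and /rl HIGHEST, pointing at a path the user can write to. The script below is an added example, not part of this report or of the Quasar project. It derives those expected artifacts from the config, parses schtasks command lines, and flags the persistence pattern. The event records are constructed from this page's two command lines plus one invented benign task creation (NightlyBackup) for contrast; the %APPDATA% install location is taken from the observed drop path, since Quasar can be built to install elsewhere.

```python
"""Cross-check the extracted Quasar config against recorded schtasks activity.
Added example, not part of the sandbox report or of the Quasar project."""
import re
from typing import Dict, List, Optional

# Config fields as extracted on this page.
QUASAR_CONFIG = {
    "c2": "Lunasplanet-29399.portmap.host:29399",
    "mutex": "QSR_MUTEX_3gXoc7Rbb6gDK9k7Ha",
    "install_name": "SubClient.exe",
    "startup_key": "SubClient.exe",
    "subdirectory": "SubDir",
}

# Constructed process-creation records: the two schtasks invocations from the
# report's process tree plus one invented benign task creation for contrast.
# Sysmon Event ID 1 carries the same fields (ParentImage, CommandLine).
SAMPLE_EVENTS = [
    {"pid": 3284, "parent": r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
     "cmd": r'"schtasks" /create /tn "SubClient.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f'},
    {"pid": 4568, "parent": r"C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe",
     "cmd": r'"schtasks" /create /tn "SubClient.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe" /rl HIGHEST /f'},
    {"pid": 5000, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# %TEMP% and %APPDATA% of an interactive user: writable without elevation.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.I)
ACTIONS = {"/create", "/delete", "/query", "/change", "/run", "/end"}
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/st", "/mo", "/ru", "/rp", "/d", "/m", "/du", "/ri", "/sd", "/ed", "/s", "/u", "/p"}
WRITABLE_ACTION = "action runs from a user-writable directory"


def expected_artifacts(cfg: Dict[str, str], user: str) -> Dict[str, str]:
    """Predict on-disk and task indicators from the config alone.  The %APPDATA%
    location is an assumption taken from the drop path observed on this page."""
    install = "\\".join(["C:", "Users", user, "AppData", "Roaming",
                         cfg["subdirectory"], cfg["install_name"]])
    return {"install_path": install, "task_name": cfg["startup_key"],
            "mutex": cfg["mutex"], "c2_host": cfg["c2"].rsplit(":", 1)[0]}


def parse_schtasks(cmd: str) -> Optional[Dict[str, str]]:
    """Tokenise a schtasks.exe command line into switch -> value; None if the
    command is not schtasks at all."""
    toks = [quoted or bare for quoted, bare in TOKEN.findall(cmd)]
    if not toks or toks[0].lower().split("\\")[-1] not in ("schtasks", "schtasks.exe"):
        return None
    args: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ACTIONS:
            args["action"] = t
        elif t in VALUE_SWITCHES and i + 1 < len(toks):
            args[t] = toks[i + 1]
            i += 1
        else:
            args[t] = ""  # boolean switches such as /f
        i += 1
    return args


def assess(event: Dict[str, object], expected: Dict[str, str]) -> List[str]:
    """List the traits that make one task creation look like RAT persistence."""
    args = parse_schtasks(str(event["cmd"]))
    if not args or args.get("action") != "/create":
        return []
    tr, tn = args.get("/tr", ""), args.get("/tn", "")
    reasons = []
    if USER_WRITABLE.match(tr):
        reasons.append(WRITABLE_ACTION)
    if USER_WRITABLE.match(str(event["parent"])):
        reasons.append("created by a process running from a user-writable directory")
    if args.get("/sc", "").upper() == "ONLOGON":
        reasons.append("re-executes at every logon")
    if args.get("/rl", "").upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if tn.lower().endswith(".exe"):
        reasons.append("task name mimics an executable name")
    if tn == expected["task_name"]:
        reasons.append("task name equals config startup_key")
    if tr.lower() == expected["install_path"].lower():
        reasons.append("action path equals config install location")
    return reasons


def scan(events: List[Dict[str, object]], expected: Dict[str, str]) -> Dict[int, List[str]]:
    """Flag creations whose action lives in a user-writable path and show at
    least one further persistence or elevation trait."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        reasons = assess(ev, expected)
        if WRITABLE_ACTION in reasons and len(reasons) >= 2:
            hits[int(ev["pid"])] = reasons
    return hits
```

Calling scan(SAMPLE_EVENTS, expected_artifacts(QUASAR_CONFIG, "Admin")) returns PIDs 3284 and 4568 with their reasons and leaves the benign NightlyBackup creation unflagged; only the second invocation matches the config's predicted install path, because the first task still points at the original dropper in %TEMP%. The writable-path check is the anchor of the rule: /rl HIGHEST on its own is a weak signal, since a task created from a non-elevated token runs with that user's ordinary privileges regardless of the switch.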
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
348KB
MD5
46c2a971cec1f82ea7a338ab4a368f37
SHA1
69b181896b53a27554a6535f61e1b1e785750f98
SHA256
04b8bb3fc2b3311f5027fa536ec480a3211cbc4673efde460f59daf44a7a1f55
SHA512
627ea3b4f030dc62fa13b8902dbc6d6e286e8ba93b08ae584f37d8dcc9933dfbe84dd27241510dd821bd58bb8f8621399cb85c4e35b35d7424c1e7be141fd80f