Analysis
max time kernel: 90s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-04-2024 18:55
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: Client-built.exe
Resource: win10v2004-20240412-en
General
Target: Client-built.exe
Size: 348KB
MD5: 46c2a971cec1f82ea7a338ab4a368f37
SHA1: 69b181896b53a27554a6535f61e1b1e785750f98
SHA256: 04b8bb3fc2b3311f5027fa536ec480a3211cbc4673efde460f59daf44a7a1f55
SHA512: 627ea3b4f030dc62fa13b8902dbc6d6e286e8ba93b08ae584f37d8dcc9933dfbe84dd27241510dd821bd58bb8f8621399cb85c4e35b35d7424c1e7be141fd80f
SSDEEP: 6144:MMNHXf500MOxK7ACSBybr7bbVJG6rCaI4CH0KM+:Zd50awACBlo6rPXCHs+
Malware Config
Extracted family: quasar
version: 1.3.0.0
botnet: Office04
c2: Lunasplanet-29399.portmap.host:29399
mutex: QSR_MUTEX_3gXoc7Rbb6gDK9k7Ha
encryption_key: huAtWMa1sVtLD6rMH8Yv
install_name: SubClient.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SubClient.exe
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
resource: behavioral3/memory/4648-0-0x0000000000A90000-0x0000000000AEE000-memory.dmp | yara_rule: family_quasar
resource: C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe | yara_rule: family_quasar

Executes dropped EXE (1 IoC)
pid 2584 | process SubClient.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 1 | ioc ip-api.com

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 4660 | process schtasks.exe
pid 3268 | process schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege | pid 4648 | process Client-built.exe
description: Token: SeDebugPrivilege | pid 2584 | process SubClient.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid 2584 | process SubClient.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
PID 4648 wrote to memory of 4660 | 4648 | Client-built.exe | schtasks.exe
PID 4648 wrote to memory of 4660 | 4648 | Client-built.exe | schtasks.exe
PID 4648 wrote to memory of 4660 | 4648 | Client-built.exe | schtasks.exe
PID 4648 wrote to memory of 2584 | 4648 | Client-built.exe | SubClient.exe
PID 4648 wrote to memory of 2584 | 4648 | Client-built.exe | SubClient.exe
PID 4648 wrote to memory of 2584 | 4648 | Client-built.exe | SubClient.exe
PID 2584 wrote to memory of 3268 | 2584 | SubClient.exe | schtasks.exe
PID 2584 wrote to memory of 3268 | 2584 | SubClient.exe | schtasks.exe
PID 2584 wrote to memory of 3268 | 2584 | SubClient.exe | schtasks.exe
Processes (process tree, children indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 4648
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "SubClient.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
      PID: 4660
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe"
      PID: 2584
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks" /create /tn "SubClient.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SubClient.exe" /rl HIGHEST /f
          PID: 3268
          - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 348KB
MD5: 46c2a971cec1f82ea7a338ab4a368f37
SHA1: 69b181896b53a27554a6535f61e1b1e785750f98
SHA256: 04b8bb3fc2b3311f5027fa536ec480a3211cbc4673efde460f59daf44a7a1f55
SHA512: 627ea3b4f030dc62fa13b8902dbc6d6e286e8ba93b08ae584f37d8dcc9933dfbe84dd27241510dd821bd58bb8f8621399cb85c4e35b35d7424c1e7be141fd80f