Analysis
- max time kernel: 134s
- max time network: 136s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 14-04-2024 13:50
Behavioral task: behavioral1
- Sample: Client.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: Client.exe
- Resource: win10v2004-20240412-en
General
- Target: Client.exe
- Size: 3.1MB
- MD5: 1109da1db2b4175b38ae1bc7c881db9a
- SHA1: 02b92b5e6aa54ae040bc5cd5e845287be01c9562
- SHA256: 0aadcb147077d657fd68e222689a25d93c40144d54922c83b4171a5e801235c5
- SHA512: 44cc1ee0e92159f4d41b4b1c9ae52a7b208b7888c5864795f1e815725d26677e2c7f4fce6410a8cfa8e07c8ee19c3f07f4110c64f1eca62d2f6bbf4cdda8f952
- SSDEEP: 49152:rvbI22SsaNYfdPBldt698dBcjHRTaxzBxL9aGdg6STHHB72eh2NT:rvk22SsaNYfdPBldt6+dBcjHRTaxh
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- Office04
- 140.238.91.110:34309
- d748a36c-8402-4813-815d-0daea2ec5f51
- encryption_key: 312796590553474EC6AA07D7A09E6A1B8FA1043A
- install_name: dllhostx64.exe
- log_directory: Error Logs
- reconnect_delay: 3000
- startup_key: Windows Boot Menu
- subdirectory: Windows
Signatures
- Quasar payload (2 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/4296-0-0x00000000007C0000-0x0000000000AE4000-memory.dmp / family_quasar
  C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe / family_quasar
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1656 / dllhostx64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
  1256 / schtasks.exe
  3452 / schtasks.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 4296 / Client.exe
  Token: SeDebugPrivilege / 1656 / dllhostx64.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid / process):
  1656 / dllhostx64.exe
  1656 / dllhostx64.exe
  1656 / dllhostx64.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid / process):
  1656 / dllhostx64.exe
  1656 / dllhostx64.exe
  1656 / dllhostx64.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  1656 / dllhostx64.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  PID 4296 wrote to memory of 1256 / 4296 / Client.exe / schtasks.exe
  PID 4296 wrote to memory of 1256 / 4296 / Client.exe / schtasks.exe
  PID 4296 wrote to memory of 1656 / 4296 / Client.exe / dllhostx64.exe
  PID 4296 wrote to memory of 1656 / 4296 / Client.exe / dllhostx64.exe
  PID 1656 wrote to memory of 3452 / 1656 / dllhostx64.exe / schtasks.exe
  PID 1656 wrote to memory of 3452 / 1656 / dllhostx64.exe / schtasks.exe
  PID 1656 wrote to memory of 2840 / 1656 / dllhostx64.exe / schtasks.exe
  PID 1656 wrote to memory of 2840 / 1656 / dllhostx64.exe / schtasks.exe
  PID 1656 wrote to memory of 5080 / 1656 / dllhostx64.exe / cmd.exe
  PID 1656 wrote to memory of 5080 / 1656 / dllhostx64.exe / cmd.exe
  PID 5080 wrote to memory of 4704 / 5080 / cmd.exe / chcp.com
  PID 5080 wrote to memory of 4704 / 5080 / cmd.exe / chcp.com
  PID 5080 wrote to memory of 4736 / 5080 / cmd.exe / PING.EXE
  PID 5080 wrote to memory of 4736 / 5080 / cmd.exe / PING.EXE
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  command: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4296
  - C:\Windows\SYSTEM32\schtasks.exe
    command: "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 1256
  - C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe
    command: "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1656
    - C:\Windows\SYSTEM32\schtasks.exe
      command: "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 3452
    - C:\Windows\SYSTEM32\schtasks.exe
      command: "schtasks" /delete /tn "Windows Boot Menu" /f
      PID: 2840
    - C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8gXGxH3HWzdY.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 5080
      - C:\Windows\system32\chcp.com
        command: chcp 65001
        PID: 4704
      - C:\Windows\system32\PING.EXE
        command: ping -n 10 localhost
        - Runs ping.exe
        PID: 4736
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 216B
  MD5: f940aa548b2e28d4f5bc893f5f44e6a1
  SHA1: 79dfdf13de4b2d0164f7b6bc133e878ea0ddf470
  SHA256: 0a907e37abffb8dc1bc467fe49303d6b9fabaefcce258cf5b737160ed7b2ff78
  SHA512: 08ff236c12a02f5dc2f4aa61af5bdd5df0c558924e6952eaae5ae943a4548680ef1b87cf53ce3761aa892abe66f9228b6cf8b775cb86533b3ffcd51b6ce3f488
- Filesize: 3.1MB
  MD5: 1109da1db2b4175b38ae1bc7c881db9a
  SHA1: 02b92b5e6aa54ae040bc5cd5e845287be01c9562
  SHA256: 0aadcb147077d657fd68e222689a25d93c40144d54922c83b4171a5e801235c5
  SHA512: 44cc1ee0e92159f4d41b4b1c9ae52a7b208b7888c5864795f1e815725d26677e2c7f4fce6410a8cfa8e07c8ee19c3f07f4110c64f1eca62d2f6bbf4cdda8f952