Analysis
Max time kernel: 93s
Max time network: 138s
Platform: windows10-2004_x64
Resource: win10v2004-20240412-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-04-2024 13:50
Behavioral task behavioral1
Sample: Client.exe
Resource: win10-20240404-en
Behavioral task behavioral2
Sample: Client.exe
Resource: win10v2004-20240412-en
General
Target: Client.exe
Size: 3.1MB
MD5: 1109da1db2b4175b38ae1bc7c881db9a
SHA1: 02b92b5e6aa54ae040bc5cd5e845287be01c9562
SHA256: 0aadcb147077d657fd68e222689a25d93c40144d54922c83b4171a5e801235c5
SHA512: 44cc1ee0e92159f4d41b4b1c9ae52a7b208b7888c5864795f1e815725d26677e2c7f4fce6410a8cfa8e07c8ee19c3f07f4110c64f1eca62d2f6bbf4cdda8f952
SSDEEP: 49152:rvbI22SsaNYfdPBldt698dBcjHRTaxzBxL9aGdg6STHHB72eh2NT:rvk22SsaNYfdPBldt6+dBcjHRTaxh
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet/tag: Office04
C2: 140.238.91.110:34309
Mutex: d748a36c-8402-4813-815d-0daea2ec5f51
encryption_key: 312796590553474EC6AA07D7A09E6A1B8FA1043A
install_name: dllhostx64.exe
log_directory: Error Logs
reconnect_delay: 3000
startup_key: Windows Boot Menu
subdirectory: Windows
Signatures
Quasar payload (2 IoCs)
  resource behavioral2/memory/2316-0-0x0000000000E90000-0x00000000011B4000-memory.dmp -> yara_rule family_quasar
  resource C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe -> yara_rule family_quasar
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation (process: dllhostx64.exe)
Executes dropped EXE (1 IoC)
  pid 4536 dllhostx64.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4852 schtasks.exe
  pid 436 schtasks.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2316 Client.exe
  Token: SeDebugPrivilege, pid 4536 dllhostx64.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 4536 dllhostx64.exe (reported 4 times)
Suspicious use of SendNotifyMessage (4 IoCs)
  pid 4536 dllhostx64.exe (reported 4 times)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4536 dllhostx64.exe
Suspicious use of WriteProcessMemory (14 IoCs; each of the following source/target pairs is reported twice)
  PID 2316 Client.exe wrote to memory of 4852 schtasks.exe
  PID 2316 Client.exe wrote to memory of 4536 dllhostx64.exe
  PID 4536 dllhostx64.exe wrote to memory of 436 schtasks.exe
  PID 4536 dllhostx64.exe wrote to memory of 4272 schtasks.exe
  PID 4536 dllhostx64.exe wrote to memory of 5004 cmd.exe
  PID 5004 cmd.exe wrote to memory of 3264 chcp.com
  PID 5004 cmd.exe wrote to memory of 1112 PING.EXE
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 2316
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
    PID: 4852
    Signatures: Creates scheduled task(s)
  C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe"
    PID: 4536
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
      PID: 436
      Signatures: Creates scheduled task(s)
    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /delete /tn "Windows Boot Menu" /f
      PID: 4272
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQetchivhJ7H.bat" "
      PID: 5004
      Signatures: Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 3264
      C:\Windows\system32\PING.EXE
        Command line: ping -n 10 localhost
        PID: 1112
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 216B
  MD5: 8d802fa906b51673297f3731a5c3c156
  SHA1: 5697abe42f0f5c4993a2bba594e2ab28212478b3
  SHA256: 7e2a870bd957452a5b0112ac55753baaacfde3891a6efe3ea905809152b13522
  SHA512: 2572994767e5dc4061b15d2f67f47cf154e76324df657572ee4b6cff43eb274672012dd0ee0d3337271774e39f87f726a3905a2880019e959cd571e5af384d7b
File 2
  Filesize: 3.1MB
  Hashes identical to the submitted sample Client.exe listed under General (MD5 1109da1db2b4175b38ae1bc7c881db9a).