Analysis
max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-04-2024 13:50
Behavioral task behavioral1
  Sample: Client.exe
  Resource: win10-20240404-en
Behavioral task behavioral2
  Sample: Client.exe
  Resource: win10v2004-20240412-en
General
Target: Client.exe
Size: 3.1MB
MD5: 1109da1db2b4175b38ae1bc7c881db9a
SHA1: 02b92b5e6aa54ae040bc5cd5e845287be01c9562
SHA256: 0aadcb147077d657fd68e222689a25d93c40144d54922c83b4171a5e801235c5
SHA512: 44cc1ee0e92159f4d41b4b1c9ae52a7b208b7888c5864795f1e815725d26677e2c7f4fce6410a8cfa8e07c8ee19c3f07f4110c64f1eca62d2f6bbf4cdda8f952
SSDEEP: 49152:rvbI22SsaNYfdPBldt698dBcjHRTaxzBxL9aGdg6STHHB72eh2NT:rvk22SsaNYfdPBldt6+dBcjHRTaxh
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 140.238.91.110:34309
Mutex: d748a36c-8402-4813-815d-0daea2ec5f51
Attributes:
  encryption_key: 312796590553474EC6AA07D7A09E6A1B8FA1043A
  install_name: dllhostx64.exe
  log_directory: Error Logs
  reconnect_delay: 3000
  startup_key: Windows Boot Menu
  subdirectory: Windows
Signatures
Quasar payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral3/memory/4388-0-0x0000000000AB0000-0x0000000000DD4000-memory.dmp | family_quasar
    C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe | family_quasar
Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    4300 | dllhostx64.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid | process
    656 | schtasks.exe
    4296 | schtasks.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4388 | Client.exe
    Token: SeDebugPrivilege | 4300 | dllhostx64.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid | process
    4300 | dllhostx64.exe
    4300 | dllhostx64.exe
    4300 | dllhostx64.exe
Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    pid | process
    4300 | dllhostx64.exe
    4300 | dllhostx64.exe
    4300 | dllhostx64.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid | process
    4300 | dllhostx64.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description | pid | process | target process
    PID 4388 wrote to memory of 4296 | 4388 | Client.exe | schtasks.exe
    PID 4388 wrote to memory of 4296 | 4388 | Client.exe | schtasks.exe
    PID 4388 wrote to memory of 4300 | 4388 | Client.exe | dllhostx64.exe
    PID 4388 wrote to memory of 4300 | 4388 | Client.exe | dllhostx64.exe
    PID 4300 wrote to memory of 656 | 4300 | dllhostx64.exe | schtasks.exe
    PID 4300 wrote to memory of 656 | 4300 | dllhostx64.exe | schtasks.exe
    PID 4300 wrote to memory of 2840 | 4300 | dllhostx64.exe | schtasks.exe
    PID 4300 wrote to memory of 2840 | 4300 | dllhostx64.exe | schtasks.exe
    PID 4300 wrote to memory of 3932 | 4300 | dllhostx64.exe | cmd.exe
    PID 4300 wrote to memory of 3932 | 4300 | dllhostx64.exe | cmd.exe
    PID 3932 wrote to memory of 1152 | 3932 | cmd.exe | chcp.com
    PID 3932 wrote to memory of 1152 | 3932 | cmd.exe | chcp.com
    PID 3932 wrote to memory of 3220 | 3932 | cmd.exe | PING.EXE
    PID 3932 wrote to memory of 3220 | 3932 | cmd.exe | PING.EXE
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 4388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe (PID 4296)
    Command line: "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe (PID 4300)
    Command line: "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe (PID 656)
      Command line: "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Windows\SYSTEM32\schtasks.exe (PID 2840)
      Command line: "schtasks" /delete /tn "Windows Boot Menu" /f
    C:\Windows\system32\cmd.exe (PID 3932)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UofcyMV9JYEc.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com (PID 1152)
        Command line: chcp 65001
      C:\Windows\system32\PING.EXE (PID 3220)
        Command line: ping -n 10 localhost
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 216B
  MD5: 8f3ec340fecd690814b6525be23f661e
  SHA1: 825c874188b531c34ce9c684dbc72f45c6a8e20f
  SHA256: e67ed1a9cf1190a40b356307d9da05de7503a6bfa562f29b1f0711a2dd5f784a
  SHA512: 7cb7f175ccd13857d249ea2f566ca07c44cbc29ee6de45952bad96e13081e6b873ec5bb7ecbc3fb68254755af73d12d880a1a5fb1c9d1c1a790fdc825993cb3b
Filesize: 3.1MB
  MD5: 1109da1db2b4175b38ae1bc7c881db9a
  SHA1: 02b92b5e6aa54ae040bc5cd5e845287be01c9562
  SHA256: 0aadcb147077d657fd68e222689a25d93c40144d54922c83b4171a5e801235c5
  SHA512: 44cc1ee0e92159f4d41b4b1c9ae52a7b208b7888c5864795f1e815725d26677e2c7f4fce6410a8cfa8e07c8ee19c3f07f4110c64f1eca62d2f6bbf4cdda8f952