Analysis
-
max time kernel
131s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted
15-04-2024 13:53
Behavioral task
behavioral1
Sample
HEUR-Trojan.MSIL.Quasar.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
HEUR-Trojan.MSIL.Quasar.exe
Resource
win10v2004-20240412-en
General
-
Target
HEUR-Trojan.MSIL.Quasar.exe
-
Size
3.4MB
-
MD5
a585d666df5ca83eabcd06a4f0364523
-
SHA1
4f5d8d09aaaf33efda276c3f7ab9883eda146da6
-
SHA256
788c859458ab91850978e27a2591b564e5e3200eede844362bf465944db9d92c
-
SHA512
4cd1aa6c0c15264cf00feed59552e6bd1ce663af54d5fe27ac193d8af77abd23522938166ec0318482dbee6c78a6cc97f1e75a1ea148390da7c2aee6a3bca544
-
SSDEEP
49152:qvFt62XlaSFNWPjljiFa2RoUYIe5UU88DoGdWTHHB72eh2NTF:qv362XlaSFNWPjljiFXRoUYIIUU8E9
Malware Config
Extracted
-
Family
quasar
-
Version
1.4.1
-
Botnet
Office04
-
C2
85.219.48.223:6969
-
Mutex
dd7993dd-3ead-48cf-ab1a-635718753276
-
encryption_key
DC9E2A3C163F32C37AC47FC14DF7F94F33786801
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
:)
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
resource | yara_rule
behavioral2/memory/3200-0-0x0000000000700000-0x0000000000A66000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
-
Detects Windows executables referencing non-Windows User-Agents 2 IoCs
resource | yara_rule
behavioral2/memory/3200-0-0x0000000000700000-0x0000000000A66000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
resource | yara_rule
behavioral2/memory/3200-0-0x0000000000700000-0x0000000000A66000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables containing common artifacts observed in infostealers 2 IoCs
resource | yara_rule
behavioral2/memory/3200-0-0x0000000000700000-0x0000000000A66000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer
-
Executes dropped EXE 1 IoCs
pid | process
996 | Client.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:) = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | HEUR-Trojan.MSIL.Quasar.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:) = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | Client.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
936 | schtasks.exe
1468 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 3200 | HEUR-Trojan.MSIL.Quasar.exe
Token: SeDebugPrivilege | 996 | Client.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | process
996 | Client.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
pid | process
996 | Client.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | process | target process
PID 3200 wrote to memory of 1468 | 3200 | HEUR-Trojan.MSIL.Quasar.exe | schtasks.exe
PID 3200 wrote to memory of 1468 | 3200 | HEUR-Trojan.MSIL.Quasar.exe | schtasks.exe
PID 3200 wrote to memory of 996 | 3200 | HEUR-Trojan.MSIL.Quasar.exe | Client.exe
PID 3200 wrote to memory of 996 | 3200 | HEUR-Trojan.MSIL.Quasar.exe | Client.exe
PID 996 wrote to memory of 936 | 996 | Client.exe | schtasks.exe
PID 996 wrote to memory of 936 | 996 | Client.exe | schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Quasar.exe
  "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Quasar.exe"
  PID: 3200
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn ":)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 1468
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      PID: 996
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn ":)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          PID: 936
          - Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:8
  PID: 4236
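The persistence chain recorded above (a logon task at the highest run level plus a Run value, both named after the startup_key ":)" and both pointing at the dropped Client.exe under AppData\Roaming) is straightforward to turn into hunt logic. The Python below is an added example, not part of the sandbox report or of any vendor's tooling. It runs over constructed events that mirror the report's process and registry entries; the event field names (type, pid, image, cmdline, key, value, data) are an assumption loosely modelled on Sysmon process-creation and registry-value events, not a real log schema, and the two benign control events are made up.

```python
import re

# Directories a standard user can write to. Autostarts launched from here
# deserve more scrutiny than ones under Program Files or Windows\System32.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
LOGON_TRIGGERS = {"ONLOGON", "ONSTART"}
SCHTASKS_IMAGE = re.compile(r"schtasks(\.exe)?$", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
MIN_REASONS = 2  # a single weak indicator (e.g. just /f) is not an alert on its own


def split_cmdline(cmdline):
    """Tokenise a Windows command line, dropping one layer of double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the options of a 'schtasks /create' command line as a dict
    (flag -> value, or True for bare flags), or None for anything else."""
    argv = split_cmdline(cmdline)
    if not argv or not SCHTASKS_IMAGE.search(argv[0]):
        return None
    opts, i = {}, 1
    while i < len(argv):
        flag = argv[i].lower()
        if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
            opts[flag] = argv[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts if "/create" in opts else None


def task_reasons(opts):
    """Why a parsed 'schtasks /create' looks like malware persistence."""
    reasons = []
    if not opts:
        return reasons
    trigger = str(opts.get("/sc", "")).upper()
    if trigger in LOGON_TRIGGERS:
        reasons.append("fires at logon/boot (/sc %s)" % trigger)
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("asks for the highest run level the user has (/rl HIGHEST)")
    if USER_WRITABLE.search(str(opts.get("/tr", ""))):
        reasons.append("task action lives in a user-writable path")
    if "/f" in opts:
        reasons.append("/f overwrites any task of the same name without a prompt")
    return reasons


def run_key_reasons(value_name, data):
    """Why a write under ...\\CurrentVersion\\Run looks like malware persistence."""
    reasons = []
    if USER_WRITABLE.search(data):
        reasons.append("Run value points into a user-writable path")
    if not re.search(r"[A-Za-z0-9]", value_name):
        reasons.append("Run value name %r has no alphanumeric characters" % value_name)
    return reasons


def hunt(events):
    """Score each event and correlate targets registered through more than one
    autostart mechanism. Returns (alerts, targets with dual persistence)."""
    alerts, mechanisms = [], {}
    for ev in events:
        if ev["type"] == "process":
            opts = parse_schtasks(ev["cmdline"])
            reasons, mech = task_reasons(opts), "scheduled_task"
            target = str((opts or {}).get("/tr", ""))
        elif ev["type"] == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
            reasons, mech = run_key_reasons(ev["value"], ev["data"]), "run_key"
            target = ev["data"].strip('"')
        else:
            continue
        if reasons:
            mechanisms.setdefault(target.lower(), set()).add(mech)
            if len(reasons) >= MIN_REASONS:
                alerts.append({"pid": ev["pid"], "mechanism": mech,
                               "target": target, "reasons": reasons})
    dual = sorted(t for t, m in mechanisms.items() if {"scheduled_task", "run_key"} <= m)
    return alerts, dual


# Constructed events mirroring the report (PIDs, paths and names taken from it),
# plus two made-up benign controls that must not fire.
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
TASK_CMD = '"schtasks" /create /tn ":)" /sc ONLOGON /tr "%s" /rl HIGHEST /f' % CLIENT
EVENTS = [
    {"type": "process", "pid": 1468, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMD},
    {"type": "registry", "pid": 3200, "key": RUN_KEY, "value": ":)", "data": '"%s"' % CLIENT},
    {"type": "registry", "pid": 996, "key": RUN_KEY, "value": ":)", "data": '"%s"' % CLIENT},
    {"type": "process", "pid": 936, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMD},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'},
    {"type": "registry", "pid": 5001, "key": RUN_KEY, "value": "VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe"'},
]

if __name__ == "__main__":
    found, dual_targets = hunt(EVENTS)
    for a in found:
        print("pid %(pid)s %(mechanism)s -> %(target)s: %(reasons)s" % a)
    print("dual persistence:", dual_targets)
```

The correlation step is the part worth keeping. A Run value under AppData on its own is noisy (plenty of legitimate per-user installers live there), but the same binary registered both as a logon task and as a Run value, under a name with no alphanumeric characters, is exactly the pattern in the Signatures section. Note also the caveat on /rl HIGHEST: it grants the highest run level available to the account that created the task, so for an administrator it means a full elevated token without a UAC prompt, while for a standard user it changes nothing. To use this on real data, map your log fields onto the assumed event keys before calling hunt().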
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.4MB
-
MD5
a585d666df5ca83eabcd06a4f0364523
-
SHA1
4f5d8d09aaaf33efda276c3f7ab9883eda146da6
-
SHA256
788c859458ab91850978e27a2591b564e5e3200eede844362bf465944db9d92c
-
SHA512
4cd1aa6c0c15264cf00feed59552e6bd1ce663af54d5fe27ac193d8af77abd23522938166ec0318482dbee6c78a6cc97f1e75a1ea148390da7c2aee6a3bca544