Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 21:11
General
Target: MainBuild.exe
Size: 3.1MB
MD5: 3bbe6fc1601a30703de700e53c6f072f
SHA1: e59be8b17dde867d5dd52d563f6c115149f4473a
SHA256: 96e859dad002f1e69e810c5f6ac60926f71a5ec03b4a7bde6cb9935f2927fbc3
SHA512: 197a18f9d5d01cee50c160450b23e60b3a770e4140462b032efe44cfd9e9b2a6fa513ada7bef341624e20fd6760ca1e492de4fd2b359da660735dafc518c3ce0
SSDEEP: 49152:Gvkt62XlaSFNWPjljiFa2RoUYIYxrEDkGk/JxfoGdOTHHB72eh2NT:Gv462XlaSFNWPjljiFXRoUYIYx31
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04 (the Quasar "tag" field; Office04 is the builder's default value)
C2: 192.168.56.1:4782
Mutex: 25d56285-d107-418c-8a2b-195563744f12
encryption_key: 612E594137626EF1C1C6346882A826EBAFFC773E
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System 32
subdirectory: SubDir

The extracted settings line up with the behaviour recorded below: install_name and subdirectory give the drop path %APPDATA%\SubDir\Client.exe, and startup_key is the task name passed to schtasks /tn. The C2 is a private address (192.168.56.0/24 is the default VirtualBox host-only range), so this build only calls home inside a lab network; the IP is not a useful network IoC on its own.
Signatures

Quasar payload (2 IoCs)
resource | yara_rule
behavioral1/memory/3156-0-0x00000000006B0000-0x00000000009D4000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
The memory hit is the unpacked payload in MainBuild.exe (PID 3156); the file hit is the copy it dropped to %APPDATA%\SubDir.
Executes dropped EXE (2 IoCs)
pid | process
2848 | Client.exe
4608 | Client.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
All three hits come from taskmgr.exe (PID 4904), a top-level process that the sample did not spawn (see the process tree). Reading a disk's FriendlyName is normal Task Manager behaviour, so this signature should not be read as anti-sandbox logic in MainBuild.exe or Client.exe.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
4700 | schtasks.exe
944 | schtasks.exe
Modifies registry class (5 IoCs)
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | taskmgr.exe
All five writes are shell ("BagMRU") view state written by taskmgr.exe (PID 4904), not by the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
4904 | taskmgr.exe (64 occurrences; the listing is capped at 64)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
4904 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3156 | MainBuild.exe
Token: SeDebugPrivilege | 2848 | Client.exe
Token: SeDebugPrivilege | 4904 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4904 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4904 | taskmgr.exe
Token: SeDebugPrivilege | 4608 | Client.exe
The SeDebugPrivilege requests by MainBuild.exe and both Client.exe instances are the sample's; the three taskmgr.exe entries are routine for Task Manager.
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | process
4904 | taskmgr.exe (64 occurrences; the listing is capped at 64)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | process
4904 | taskmgr.exe (64 occurrences; the listing is capped at 64)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | process
2848 | Client.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 3156 wrote to memory of 4700 | 3156 | MainBuild.exe | schtasks.exe
PID 3156 wrote to memory of 4700 | 3156 | MainBuild.exe | schtasks.exe
PID 3156 wrote to memory of 2848 | 3156 | MainBuild.exe | Client.exe
PID 3156 wrote to memory of 2848 | 3156 | MainBuild.exe | Client.exe
PID 2848 wrote to memory of 944 | 2848 | Client.exe | schtasks.exe
PID 2848 wrote to memory of 944 | 2848 | Client.exe | schtasks.exe
Every write targets a process the writer itself just created (parent-to-child, matching the process tree), which is what process creation looks like to this hook; there is no write into an unrelated process here.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\MainBuild.exe (PID 3156)
    command line: "C:\Users\Admin\AppData\Local\Temp\MainBuild.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 4700, parent 3156)
        command line: "schtasks" /create /tn "System 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2848, parent 3156)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SYSTEM32\schtasks.exe (PID 944, parent 2848)
            command line: "schtasks" /create /tn "System 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Creates scheduled task(s)

[1] C:\Windows\system32\taskmgr.exe (PID 4904)
    command line: "C:\Windows\system32\taskmgr.exe" /7
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Windows\System32\rundll32.exe (PID 4248)
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4608)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

Bracketed numbers are the nesting depth from the original tree. The persistence chain is MainBuild.exe -> drop Client.exe to %APPDATA%\SubDir -> register a logon task named "System 32" (a space-padded look-alike of the System32 directory) that runs Client.exe at highest run level; the dropped client then re-registers the same task on its own start. The second Client.exe instance (PID 4608) is a separate top-level launch with no parent in the tree, consistent with the task firing.
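The persistence chain above (Temp-resident dropper, copy into %APPDATA%\SubDir, schtasks /create with ONLOGON and /rl HIGHEST under a task name that mimics "System32") is easy to express as process-creation detection logic. The script below is an added example, not part of this sandbox report or of the Quasar project. Its input events are constructed here from the process tree shown above (same PIDs, paths and command lines, plus one benign control task) and use assumed field names (pid, ppid, image, cmdline) rather than any specific log schema; the list of system-component look-alike names is likewise an illustrative assumption.

```python
"""Flag the Quasar-style persistence chain from process-creation events.

Added example; the events are constructed from the report's process tree
and the field names are an assumption, not a specific log format.
"""
import re

# Constructed sample events, modelled on the process tree in the report
# (PPID 1000 stands in for the unlisted parent of the top-level processes).
EVENTS = [
    {"pid": 3156, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\MainBuild.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\MainBuild.exe"'},
    {"pid": 4700, "ppid": 3156, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "System 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 2848, "ppid": 3156, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 944, "ppid": 2848, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "System 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 4904, "ppid": 1000, "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /7'},
    # Benign control (constructed): an admin logon task whose target lives under Program Files.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc ONLOGON /tr "C:\Program Files\Backup\agent.exe" /rl HIGHEST /f'},
]

# Task names that, once case and whitespace are stripped, impersonate a
# Windows component. Illustrative assumption; extend from your own telemetry.
SYSTEM_LOOKALIKES = {"system32", "windows", "microsoft", "windowsupdate", "svchost"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def schtasks_args(tokens):
    """Map schtasks switches (/tn, /sc, /tr, /rl, ...) to their values, or True for bare flags."""
    args = {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("/"):
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        args[tok.lower()] = tokens[i + 1] if has_value else True
    return args


def is_user_writable(path):
    """Heuristic: the path lives in a per-user profile, temp or ProgramData location."""
    p = path.lower()
    return any(marker in p for marker in ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\"))


def spoofs_system_name(task_name):
    """True when the task name collapses to a system-component look-alike ("System 32" -> "system32")."""
    return re.sub(r"\s+", "", task_name).lower() in SYSTEM_LOOKALIKES


def analyze(events):
    """Return (pid, rule) findings for the persistence pattern seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image_name = e["image"].lower().rsplit("\\", 1)[-1]
        tokens = tokenize(e["cmdline"])
        if image_name == "schtasks.exe" and "/create" in (t.lower() for t in tokens):
            args = schtasks_args(tokens)
            target = str(args.get("/tr", ""))
            # Logon-triggered, highest run level, target in a user-writable path.
            if (str(args.get("/sc", "")).upper() == "ONLOGON"
                    and str(args.get("/rl", "")).upper() == "HIGHEST"
                    and is_user_writable(target)):
                findings.append((e["pid"], "logon_task_highest_from_user_writable_path"))
            if spoofs_system_name(str(args.get("/tn", ""))):
                findings.append((e["pid"], "task_name_impersonates_system_component"))
        # Dropped executable: user-writable image launched by a user-writable parent (Temp dropper).
        parent = by_pid.get(e["ppid"])
        if parent and is_user_writable(e["image"]) and is_user_writable(parent["image"]):
            findings.append((e["pid"], "user_writable_exe_spawned_by_user_writable_parent"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the constructed events, both schtasks invocations (PIDs 4700 and 944) trip the logon-task and look-alike-name rules, the dropped Client.exe (PID 2848) trips the parent-path rule, and taskmgr.exe and the Program Files control task produce nothing. The three rules are deliberately independent so that a variant which changes only the task name, or only the drop directory, still leaves at least one hit.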
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 3bbe6fc1601a30703de700e53c6f072f
SHA1: e59be8b17dde867d5dd52d563f6c115149f4473a
SHA256: 96e859dad002f1e69e810c5f6ac60926f71a5ec03b4a7bde6cb9935f2927fbc3
SHA512: 197a18f9d5d01cee50c160450b23e60b3a770e4140462b032efe44cfd9e9b2a6fa513ada7bef341624e20fd6760ca1e492de4fd2b359da660735dafc518c3ce0