Analysis
- max time kernel: 32s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 21:57
General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: 2c1fba8d6624adf6c582fb2d5fb43b28
- SHA1: bd45ee984e9476d604824f83c6cf6111a9db2467
- SHA256: a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
- SHA512: cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19
- SSDEEP: 49152:nvVG42pda6D+/PjlLOlg6yQipV6iRJ67bR3LoGdTqTHHB72eh2NT:nvM42pda6D+/PjlLOlZyQipV6iRJ6ND
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- tag: Office04 (the campaign label; Office04 is the Quasar builder's default value)
- c2: funlink.ddns.net:4444, quasarhost1.ddns.net:4444 (two dynamic-DNS hosts, same port)
- mutex: c363b2f8-fc6a-4abd-a753-cff1aad2a173
- encryption_key: CE5FBAC1A56C8C780C74FE8E7CD5CBCF8ABD6C8D
- install_name: updale.exe (typosquat of update.exe)
- log_directory: Logs
- reconnect_delay: 3000 (milliseconds)
- startup_key: windows av startup
- subdirectory: SubDir

Taken together, install_name and subdirectory give the install path C:\Windows\System32\SubDir\updale.exe seen in the process tree below, and startup_key is reused verbatim as the name of the scheduled task the client creates.
Signatures
- Quasar payload (4 IoCs)
  YARA rule family_quasar matched on:
    behavioral1/memory/764-0-0x0000000001140000-0x0000000001464000-memory.dmp (PID 764, Client-built.exe)
    C:\Windows\System32\SubDir\updale.exe (dropped file)
    behavioral1/memory/1948-9-0x0000000001120000-0x0000000001444000-memory.dmp (PID 1948, updale.exe)
    behavioral1/memory/2452-23-0x00000000013D0000-0x00000000016F4000-memory.dmp (PID 2452, updale.exe)
- Executes dropped EXE (4 IoCs)
  updale.exe: PIDs 1948, 2452, 2992, 2068
- Drops file in System32 directory (11 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File created | C:\Windows\system32\SubDir\updale.exe | Client-built.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | Client-built.exe
  File opened for modification | C:\Windows\system32\SubDir | Client-built.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  Only one entry is a creation (Client-built.exe writing updale.exe); the rest are the dropper and each relaunched copy reopening the install directory and binary for write.
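The file-activity list above is flat and repetitive, so here is an added example (not part of the sandbox report) that parses that wording into (operation, path, process) records and applies the rule a detection engineer would actually want from it: an executable created under System32 by a process whose own image lives in a user-writable directory, plus the secondary pattern of a dropped binary being reopened for write by the process running from it. FILE_EVENTS is the report's list in its own wording; IMAGE_PATHS is a constructed lookup taken from the process tree; the user-writable prefixes and the extension list are this example's assumptions.

```python
# Added example, not from the sandbox report: parse flattened "File created /
# File opened for modification <path> <process>" entries and flag drops into
# System32 from user-writable locations.
import re

# Five of the report's eleven entries, in its own wording (the other six are the
# same two operations repeated by later updale.exe instances).
FILE_EVENTS = (
    "File opened for modification C:\\Windows\\system32\\SubDir updale.exe "
    "File opened for modification C:\\Windows\\system32\\SubDir\\updale.exe updale.exe "
    "File created C:\\Windows\\system32\\SubDir\\updale.exe Client-built.exe "
    "File opened for modification C:\\Windows\\system32\\SubDir\\updale.exe Client-built.exe "
    "File opened for modification C:\\Windows\\system32\\SubDir Client-built.exe"
)

# Constructed mapping from process name to image path, taken from the process tree.
IMAGE_PATHS = {
    'Client-built.exe': r'C:\Users\Admin\AppData\Local\Temp\Client-built.exe',
    'updale.exe': r'C:\Windows\system32\SubDir\updale.exe',
}

# Assumptions of this rule, not values from the report.
USER_WRITABLE = ('c:\\users\\', 'c:\\programdata\\', 'c:\\windows\\temp\\')
SYSTEM32 = 'c:\\windows\\system32\\'
EXECUTABLE_EXT = ('.exe', '.dll', '.com', '.scr')

EVENT_RE = re.compile(r'File (created|opened for modification) (\S+) (\S+)')


def parse_file_events(text):
    """Split the flattened list into (operation, path, process) tuples."""
    return [(op, path, proc) for op, path, proc in EVENT_RE.findall(text)]


def dropped_into_system32(events, image_paths):
    """Executables created under System32 by a process whose image sits in a
    user-writable directory. Returns (dropped path, dropper process) pairs."""
    hits = []
    for op, path, proc in events:
        low = path.lower()
        if op != 'created' or not low.startswith(SYSTEM32):
            continue
        if not low.endswith(EXECUTABLE_EXT):
            continue
        src = image_paths.get(proc, '').lower()
        if src.startswith(USER_WRITABLE):
            hits.append((path, proc))
    return hits


def self_modifying_drops(events, image_paths):
    """Dropped files later opened for modification by the very process that runs
    from them (the in-place update behaviour updale.exe shows here)."""
    created = {p.lower() for op, p, _ in events if op == 'created'}
    out = set()
    for op, path, proc in events:
        if (op == 'opened for modification' and path.lower() in created
                and image_paths.get(proc, '').lower() == path.lower()):
            out.add(path)
    return sorted(out)


if __name__ == '__main__':
    events = parse_file_events(FILE_EVENTS)
    print(dropped_into_system32(events, IMAGE_PATHS))
    print(self_modifying_drops(events, IMAGE_PATHS))
```

The first rule will also fire on legitimate installers that run from %TEMP% and write into System32, so in production it is best scoped to unexpected System32 subdirectories or combined with the scheduled-task signal further down this page rather than used alone.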
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe: PIDs 2372, 2656, 2972, 852, 480
  Every one of these five invocations is the same command (see the process tree): a task named "windows av startup" (the configured startup_key), triggered ONLOGON, running C:\Windows\system32\SubDir\updale.exe at the HIGHEST run level, with /f so it silently overwrites any existing task of that name. The dropper creates it once and each relaunched copy recreates it.
- Runs ping.exe (1 TTP, 4 IoCs)
  PING.EXE: PIDs 2884, 2424, 2480, 2760
  Each instance is "ping -n 10 localhost", launched from one of the dropped .bat files; it serves as a roughly ten-second delay before the script relaunches updale.exe, not as network activity.
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege enabled by PID 764 (Client-built.exe) and PIDs 1948, 2452, 2992, 2068 (updale.exe)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  updale.exe: PIDs 1948, 2452, 2992, 2068
- Suspicious use of SendNotifyMessage (4 IoCs)
  updale.exe: PIDs 1948, 2452, 2992, 2068
- Suspicious use of SetWindowsHookEx (1 IoC)
  updale.exe: PID 1948
- Suspicious use of WriteProcessMemory (63 IoCs)
  The raw list holds 21 distinct parent/child pairs, each recorded three times (21 x 3 = 63). Every pair corresponds to a parent starting a child in the process tree below.
  source PID (process) -> target PID (process)
  764 (Client-built.exe) -> 2372 (schtasks.exe)
  764 (Client-built.exe) -> 1948 (updale.exe)
  1948 (updale.exe) -> 2656 (schtasks.exe)
  1948 (updale.exe) -> 2692 (cmd.exe)
  2692 (cmd.exe) -> 2824 (chcp.com)
  2692 (cmd.exe) -> 2480 (PING.EXE)
  2692 (cmd.exe) -> 2452 (updale.exe)
  2452 (updale.exe) -> 2972 (schtasks.exe)
  2452 (updale.exe) -> 1592 (cmd.exe)
  1592 (cmd.exe) -> 2776 (chcp.com)
  1592 (cmd.exe) -> 2760 (PING.EXE)
  1592 (cmd.exe) -> 2992 (updale.exe)
  2992 (updale.exe) -> 852 (schtasks.exe)
  2992 (updale.exe) -> 1920 (cmd.exe)
  1920 (cmd.exe) -> 2872 (chcp.com)
  1920 (cmd.exe) -> 2884 (PING.EXE)
  1920 (cmd.exe) -> 2068 (updale.exe)
  2068 (updale.exe) -> 480 (schtasks.exe)
  2068 (updale.exe) -> 1752 (cmd.exe)
  1752 (cmd.exe) -> 1104 (chcp.com)
  1752 (cmd.exe) -> 2424 (PING.EXE)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows tree depth. Each node gives the image path and PID, then its command line, then the signatures it triggered. The same four-step loop (create task, run a .bat, wait on ping, relaunch updale.exe) repeats four times before the analysis window ends.

C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 764)
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\schtasks.exe (PID 2372)
    "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  C:\Windows\system32\SubDir\updale.exe (PID 1948)
    "C:\Windows\system32\SubDir\updale.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (PID 2656)
      "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Windows\system32\cmd.exe (PID 2692)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\gr2I1MOKHAkw.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com (PID 2824)
        chcp 65001
      C:\Windows\system32\PING.EXE (PID 2480)
        ping -n 10 localhost
        - Runs ping.exe
      C:\Windows\system32\SubDir\updale.exe (PID 2452)
        "C:\Windows\system32\SubDir\updale.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe (PID 2972)
          "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        C:\Windows\system32\cmd.exe (PID 1592)
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\FFtqHX0hE9Kn.bat" "
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\chcp.com (PID 2776)
            chcp 65001
          C:\Windows\system32\PING.EXE (PID 2760)
            ping -n 10 localhost
            - Runs ping.exe
          C:\Windows\system32\SubDir\updale.exe (PID 2992)
            "C:\Windows\system32\SubDir\updale.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\schtasks.exe (PID 852)
              "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
            C:\Windows\system32\cmd.exe (PID 1920)
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\jR2ZObGD7JDf.bat" "
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\chcp.com (PID 2872)
                chcp 65001
              C:\Windows\system32\PING.EXE (PID 2884)
                ping -n 10 localhost
                - Runs ping.exe
              C:\Windows\system32\SubDir\updale.exe (PID 2068)
                "C:\Windows\system32\SubDir\updale.exe"
                - Executes dropped EXE
                - Drops file in System32 directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                C:\Windows\system32\schtasks.exe (PID 480)
                  "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
                C:\Windows\system32\cmd.exe (PID 1752)
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fn5vsx1QIngE.bat" "
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\system32\chcp.com (PID 1104)
                    chcp 65001
                  C:\Windows\system32\PING.EXE (PID 2424)
                    ping -n 10 localhost
                    - Runs ping.exe

C:\Windows\explorer.exe (PID 2484)
  "C:\Windows\explorer.exe"
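The WriteProcessMemory list and the process tree above carry the two behaviours a detection should key on: a logon task created with /rl HIGHEST pointing at an executable in a System32 subdirectory, and a cmd.exe running a .bat whose children are chcp.com, a localhost ping used as a sleep, and a relaunch of the calling binary. The following is an added example, not part of the sandbox report, that rebuilds the parent/child tree from lines in the report's own "wrote to memory of" wording (deduplicating the triplicate entries) and flags both patterns. The spawn lines are constructed from the report, the command lines are copied from the process tree, and the regexes and matching criteria are this example's own; the restart-chain check is written generically (any ping count, any relaunched image) rather than hard-coded to updale.exe.

```python
# Added example, not from the sandbox report: rebuild the process tree from
# "PID <parent> wrote to memory of <child> <parent> <parent.exe> <child.exe>"
# lines and flag schtasks logon persistence and the .bat restart chain.
import re
from collections import defaultdict

# Constructed sample in the report's wording, one line per spawn (first loop only).
SPAWN_EVENTS = """
PID 764 wrote to memory of 2372 764 Client-built.exe schtasks.exe
PID 764 wrote to memory of 1948 764 Client-built.exe updale.exe
PID 1948 wrote to memory of 2656 1948 updale.exe schtasks.exe
PID 1948 wrote to memory of 2692 1948 updale.exe cmd.exe
PID 2692 wrote to memory of 2824 2692 cmd.exe chcp.com
PID 2692 wrote to memory of 2480 2692 cmd.exe PING.EXE
PID 2692 wrote to memory of 2452 2692 cmd.exe updale.exe
""".strip().splitlines()

# Command lines per PID, copied from the report's process tree.
CMDLINES = {
    764:  r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"',
    2372: r'"schtasks" /create /tn "windows av startup" /sc ONLOGON '
          r'/tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f',
    1948: r'"C:\Windows\system32\SubDir\updale.exe"',
    2656: r'"schtasks" /create /tn "windows av startup" /sc ONLOGON '
          r'/tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f',
    2692: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\gr2I1MOKHAkw.bat" "',
    2824: 'chcp 65001',
    2480: 'ping -n 10 localhost',
    2452: r'"C:\Windows\system32\SubDir\updale.exe"',
}

SPAWN_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)')


def parse_tree(lines):
    """Return (parent_of, children, image): pid -> parent pid, pid -> [child pids],
    pid -> image name. Repeated (parent, child) pairs are collapsed."""
    parent_of, image, seen = {}, {}, set()
    children = defaultdict(list)
    for line in lines:
        m = SPAWN_RE.search(line)
        if not m:
            continue
        parent, child = int(m[1]), int(m[2])
        if (parent, child) in seen:          # the report lists each spawn three times
            continue
        seen.add((parent, child))
        parent_of[child] = parent
        children[parent].append(child)
        image.setdefault(parent, m[3])
        image[child] = m[4]
    return parent_of, children, image


def schtasks_persistence(cmdline):
    """Describe a 'schtasks /create' command line, or None if it is not one.
    ONLOGON + /rl HIGHEST + /f is the persistence shape seen in this report."""
    low = cmdline.lower()
    if 'schtasks' not in low or '/create' not in low:
        return None
    tn = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    tr = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
    return {
        'task': tn[1] if tn else '',
        'target': tr[1] if tr else '',
        'onlogon': bool(re.search(r'/sc\s+onlogon', low)),
        'highest': bool(re.search(r'/rl\s+highest', low)),
        'force': bool(re.search(r'\s/f(?:\s|$)', low)),
    }


def restart_chains(parent_of, children, image, cmdlines):
    """cmd.exe instances running a .bat whose children are chcp.com, a
    'ping -n <N> localhost' sleep, and a relaunch of the calling process's image."""
    hits = []
    for cmd_pid, kids in children.items():
        if image.get(cmd_pid, '').lower() != 'cmd.exe':
            continue
        if '.bat' not in cmdlines.get(cmd_pid, '').lower():
            continue
        caller = image.get(parent_of.get(cmd_pid), '').lower()
        has_chcp = any(image[k].lower() == 'chcp.com' for k in kids)
        pings = [k for k in kids if image[k].lower() == 'ping.exe'
                 and re.search(r'-n\s+\d+\s+localhost', cmdlines.get(k, ''), re.I)]
        relaunch = [k for k in kids if image[k].lower() == caller]
        if has_chcp and pings and relaunch:
            hits.append({'cmd_pid': cmd_pid, 'relaunched_pid': relaunch[0], 'image': caller})
    return hits


def analyse(lines, cmdlines):
    """Run both checks over spawn lines plus a pid -> command line map."""
    parent_of, children, image = parse_tree(lines)
    tasks = []
    for pid, cl in cmdlines.items():
        info = schtasks_persistence(cl)
        if info:
            tasks.append(dict(pid=pid, **info))
    return {'tasks': tasks,
            'restart_chains': restart_chains(parent_of, children, image, cmdlines)}


if __name__ == '__main__':
    from pprint import pprint
    pprint(analyse(SPAWN_EVENTS, CMDLINES))
```

Feeding the full 63-entry list from the report yields the same result per loop: four restart chains and five identical task registrations. On a real endpoint the equivalent input is process-creation telemetry (parent PID, image, command line); the chcp/ping/relaunch triple under a cmd.exe that runs a .bat from %TEMP% is far more specific than any of its parts alone.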
Network
MITRE ATT&CK Enterprise v15
Downloads
Six dropped or written files were captured: four 196-byte files (the report does not name them; the process tree shows exactly four randomly named .bat scripts of the same kind), one copy of the 3.1MB sample itself, and one zero-length file.

- Filesize 196B
  MD5 370de616496f2ce55fe25cc0ec576a3b
  SHA1 418a2d1f85a8c2b2a40e04eaab5ceccdac8b1215
  SHA256 6759873dd19605915c91f604abdc375f1f82a02616d24ef061fd1b82e3db2273
  SHA512 e577ad8ce9c080768b1685268530d383f00a56d52b847544b553919e0b50166d6309ee6bbb955892064f43c50b9df01328313e2d84d7b79fd52f635e79a03758
- Filesize 196B
  MD5 8d5e164e2bc664938a4b6328f584f804
  SHA1 38dd10f2de3a825b6f3543e68783b786323db4af
  SHA256 ac1ea5cc8dfc8806181b3c9b44888fa660b592b75cb26fb4ee9a749daa933b15
  SHA512 afa8f166b5bd1095f54ba84bbe0e87bc66b651b2ddcf6a9059eb331eccf2b6ad1745e794cf8fcc09e4b0b4c2e4268bcb1c05fcbe9132f30c3e242bf5a04c6f2e
- Filesize 196B
  MD5 590d82d8e8a4f503e49fadea281133c6
  SHA1 c0190faffb6983c8f801748d5adbb70d2ad56616
  SHA256 4423a5abd96f27128398dd320ca43c9ce8ce69c461d07e4efd1d7b8f410f57a2
  SHA512 bcc76d9980b3e8cd49e5f8984b65848b75e16977281ef8427e76dc9b65df81f24442848b96a1c91ec4dcae2c5e241573eb6f4c504f71ec8b08fa0af4edebdcd5
- Filesize 196B
  MD5 c14ac3ea67dd5970c2221cd5d5ce5803
  SHA1 9e29cde296d25436f1127ec66d8b5cba1955f93c
  SHA256 ebeca62a9ca902e0cf69fecc604134d511910aaf4ed471fe78aeb87831fb0cd8
  SHA512 d624e0c5e7385d6155cd028d4cdea4f38b817adf88a6df95d2387a603dc3eb9ef47a5eba7590bb7ba7117116eb6e0103f83a2092bc9952eda084373fc7e7bfdf
- Filesize 3.1MB (identical hashes to the submitted Client-built.exe, i.e. the copy written to C:\Windows\System32\SubDir\updale.exe)
  MD5 2c1fba8d6624adf6c582fb2d5fb43b28
  SHA1 bd45ee984e9476d604824f83c6cf6111a9db2467
  SHA256 a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
  SHA512 cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19
- Filesize not given (these are the well-known digests of empty input, so this is a zero-byte file and not a useful indicator)
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e