Analysis
-
max time kernel
282s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2024 14:18
General
-
Target
aa.exe
-
Size
3.1MB
-
MD5
a1b18584a5906f5be41db7dd83325caa
-
SHA1
749e349a70fb0a2778900fceb15ff7f3ed033196
-
SHA256
ef2c6cf5a0ba1b81ab22164b7820f49761de4f6feb8fa4e5c64a1bfad369cc74
-
SHA512
037e7b94ccea547a113304aa73fb940401c18a8e1d3df5681a191b0f9292769419f48bf8fe1f6f69534f320f34fabac638735d2e3ea2ff12039518193dca4ede
-
SSDEEP
49152:Wv7I22SsaNYfdPBldt698dBcjHqHfkfXvjjLoGlvTHHB72eh2NT:WvE22SsaNYfdPBldt6+dBcjHLfj
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.254.152:4782
180.190.63.111:8080
37c3d2aa-6a36-4ee8-a4be-f1c3187fbd03
-
encryption_key
E9EE5B51F341491A9CE8837BE89BB18191B86C1E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
python
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/3364-0-0x0000000000200000-0x0000000000524000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar -
Executes dropped EXE 1 IoCs
Processes:
Client.exepid process 3596 Client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2320 schtasks.exe 1112 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
aa.exeClient.exeaa.exedescription pid process Token: SeDebugPrivilege 3364 aa.exe Token: SeDebugPrivilege 3596 Client.exe Token: SeDebugPrivilege 3528 aa.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Client.exepid process 3596 Client.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Client.exepid process 3596 Client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Client.exepid process 3596 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
aa.exeClient.exedescription pid process target process PID 3364 wrote to memory of 2320 3364 aa.exe schtasks.exe PID 3364 wrote to memory of 2320 3364 aa.exe schtasks.exe PID 3364 wrote to memory of 3596 3364 aa.exe Client.exe PID 3364 wrote to memory of 3596 3364 aa.exe Client.exe PID 3596 wrote to memory of 1112 3596 Client.exe schtasks.exe PID 3596 wrote to memory of 1112 3596 Client.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa.exe"C:\Users\Admin\AppData\Local\Temp\aa.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "python" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:2320 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "python" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:1112
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1700
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\aa.exe"C:\Users\Admin\AppData\Local\Temp\aa.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
3.1MB
MD5a1b18584a5906f5be41db7dd83325caa
SHA1749e349a70fb0a2778900fceb15ff7f3ed033196
SHA256ef2c6cf5a0ba1b81ab22164b7820f49761de4f6feb8fa4e5c64a1bfad369cc74
SHA512037e7b94ccea547a113304aa73fb940401c18a8e1d3df5681a191b0f9292769419f48bf8fe1f6f69534f320f34fabac638735d2e3ea2ff12039518193dca4ede