Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 14:24
General
- Target: aa.exe
- Size: 3.1MB
- MD5: 3e8cdd629813c4e75a1b2e6d6c46d39f
- SHA1: 98a6b4bcfe37ffc5a8a2884d8b0b1f9b0e5f1444
- SHA256: d12e1428a758363be465222740a635e1cce61d4dda7373cfdce035f3051aeccd
- SHA512: 42491a72c8a60c566b73a15afe67e667242991124fff3420f66d7e8444dc995893fa79a1f32f91d29611410be4c0c651e701e815b01f3d5fbc72ac3e0c048466
- SSDEEP: 49152:CvUt62XlaSFNWPjljiFa2RoUYIbNRJ6qbR3LoGdpTHHB72eh2NT:CvI62XlaSFNWPjljiFXRoUYIbNRJ6E
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Tag: Office04
- C2: 193.161.193.99:1194
- Mutex: 37c3d2aa-6a36-4ee8-a4be-f1c3187fbd03
- encryption_key: E9EE5B51F341491A9CE8837BE89BB18191B86C1E
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: python
- subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1420-0-0x0000000000EC0000-0x00000000011E4000-memory.dmp: family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe: family_quasar

Executes dropped EXE (1 IoC)
Processes (pid / process):
- 4400 Client.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 5092 schtasks.exe
- 468 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 1420 aa.exe
- Token: SeDebugPrivilege, 4400 Client.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid / process):
- 4400 Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes (pid / process):
- 4400 Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
- 4400 Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process):
- PID 1420 wrote to memory of 5092: 1420 aa.exe -> schtasks.exe
- PID 1420 wrote to memory of 5092: 1420 aa.exe -> schtasks.exe
- PID 1420 wrote to memory of 4400: 1420 aa.exe -> Client.exe
- PID 1420 wrote to memory of 4400: 1420 aa.exe -> Client.exe
- PID 4400 wrote to memory of 468: 4400 Client.exe -> schtasks.exe
- PID 4400 wrote to memory of 468: 4400 Client.exe -> schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\aa.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa.exe"
  PID: 1420
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\schtasks.exe (depth 2)
    Command line: "schtasks" /create /tn "python" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 5092
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 4400
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SYSTEM32\schtasks.exe (depth 3)
      Command line: "schtasks" /create /tn "python" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 468
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15