Analysis
-
max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
19-04-2024 11:09
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240221-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
2c1fba8d6624adf6c582fb2d5fb43b28
-
SHA1
bd45ee984e9476d604824f83c6cf6111a9db2467
-
SHA256
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
-
SHA512
cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19
-
SSDEEP
49152:nvVG42pda6D+/PjlLOlg6yQipV6iRJ67bR3LoGdTqTHHB72eh2NT:nvM42pda6D+/PjlLOlZyQipV6iRJ6ND
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet (tag)
Office04
C2
funlink.ddns.net:4444
quasarhost1.ddns.net:4444
Mutex
c363b2f8-fc6a-4abd-a753-cff1aad2a173
-
encryption_key
CE5FBAC1A56C8C780C74FE8E7CD5CBCF8ABD6C8D
-
install_name
updale.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
windows av startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 3 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/2240-0-0x0000000000EA0000-0x00000000011C4000-memory.dmp: family_quasar
- C:\Windows\System32\SubDir\updale.exe: family_quasar
- behavioral1/memory/2540-9-0x0000000000E00000-0x0000000001124000-memory.dmp: family_quasar
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 2540 updale.exe
Drops file in System32 directory 5 IoCs
Processes (description, ioc, process):
- File created: C:\Windows\system32\SubDir\updale.exe (Client-built.exe)
- File opened for modification: C:\Windows\system32\SubDir\updale.exe (Client-built.exe)
- File opened for modification: C:\Windows\system32\SubDir (Client-built.exe)
- File opened for modification: C:\Windows\system32\SubDir\updale.exe (updale.exe)
- File opened for modification: C:\Windows\system32\SubDir (updale.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1532 schtasks.exe
- 2612 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2240 Client-built.exe
- Token: SeDebugPrivilege, 2540 updale.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 2540 updale.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes (pid, process):
- 2540 updale.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 2540 updale.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process):
- PID 2240 wrote to memory of 1532: Client-built.exe -> schtasks.exe (3 events)
- PID 2240 wrote to memory of 2540: Client-built.exe -> updale.exe (3 events)
- PID 2540 wrote to memory of 2612: updale.exe -> schtasks.exe (3 events)
- PID 2540 wrote to memory of 2420: updale.exe -> cmd.exe (3 events)
- PID 2420 wrote to memory of 2696: cmd.exe -> chcp.com (3 events)
- PID 2420 wrote to memory of 2400: cmd.exe -> PING.EXE (3 events)
Every target here is the writer's own direct child in the process tree below, so these are the writes a parent makes into a process it is starting, not injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2240
    |
    +-- C:\Windows\system32\schtasks.exe
    |       "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
    |       - Creates scheduled task(s)
    |       PID: 1532
    |
    +-- C:\Windows\system32\SubDir\updale.exe
            "C:\Windows\system32\SubDir\updale.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2540
            |
            +-- C:\Windows\system32\schtasks.exe
            |       "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
            |       - Creates scheduled task(s)
            |       PID: 2612
            |
            +-- C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmknLoE48RGB.bat" "
                    - Suspicious use of WriteProcessMemory
                    PID: 2420
                    |
                    +-- C:\Windows\system32\chcp.com
                    |       chcp 65001
                    |       PID: 2696
                    |
                    +-- C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            - Runs ping.exe
                            PID: 2400
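Detection logic for the two behaviours this report records (the elevated ONLOGON task under "Creates scheduled task(s)" and the Temp batch file that sleeps via ping under "Runs ping.exe"), written as an added example for this page and not part of the sandbox's own tooling. It parses the command lines from the process tree above as a flat list of constructed process-creation events; the event field names, the parent PID 1000, the "NightlyBackup" benign task and the flagging thresholds are assumptions.

```python
import re
from collections import defaultdict


def ev(pid, ppid, image, cmd):
    # Minimal process-creation record; field names are an assumption, not the sandbox's schema.
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed input: the command lines from the report's process tree, plus one benign task.
QUASAR_TASK = r'"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f'
SAMPLE_EVENTS = [
    ev(2240, 1000, r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe", r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'),
    ev(1532, 2240, r"C:\Windows\system32\schtasks.exe", QUASAR_TASK),
    ev(2540, 2240, r"C:\Windows\system32\SubDir\updale.exe", r'"C:\Windows\system32\SubDir\updale.exe"'),
    ev(2612, 2540, r"C:\Windows\system32\schtasks.exe", QUASAR_TASK),
    ev(2420, 2540, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmknLoE48RGB.bat" "'),
    ev(2696, 2420, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ev(2400, 2420, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    # Constructed benign contrast, not from the report: a nightly backup job.
    ev(9001, 1000, r"C:\Windows\system32\schtasks.exe", r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
]

# One schtasks switch: /name, optionally followed by a quoted or bare value.
# A bare value may not start with '/', so "/create /tn" parses as two switches.
SCHTASKS_OPT = re.compile(r'/(?P<name>[A-Za-z]+)(?:\s+(?:"(?P<q>[^"]*)"|(?P<u>[^/"\s]\S*)))?')
# ping against localhost used as a sleep (cmd has no built-in sleep).
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(localhost|127\.0\.0\.1)\b", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def parse_schtasks(cmdline):
    """Return {switch: value or True} for a schtasks command line."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        val = m.group("q") if m.group("q") is not None else m.group("u")
        opts[m.group("name").lower()] = True if val is None else val
    return opts


def nested_in_system32(path):
    """True when the target sits in a subdirectory of System32 rather than System32 itself."""
    p = path.lower().strip('"')
    return p.startswith(SYSTEM32) and "\\" in p[len(SYSTEM32):]


def check_schtasks(event):
    """Flag a task that both persists/elevates and points at an odd binary location."""
    if not event["image"].lower().endswith("schtasks.exe"):
        return None
    o = parse_schtasks(event["cmd"])
    if "create" not in o:
        return None
    trigger = str(o.get("sc", "")).upper()
    target = str(o.get("tr", ""))
    persist, path = [], []
    if trigger in ("ONLOGON", "ONSTART"):
        persist.append(f"trigger {trigger}")
    if str(o.get("rl", "")).upper() == "HIGHEST":
        persist.append("/rl HIGHEST (runs elevated)")
    if nested_in_system32(target):
        path.append("target in a subdirectory of System32")
    if any(t in target.lower() for t in ("\\temp\\", "\\appdata\\")):
        path.append("target in a user-writable directory")
    if not (persist and path):  # require both kinds of evidence to keep admin jobs quiet
        return None
    reasons = persist + path
    if "f" in o:
        reasons.append("/f silently replaces an existing task of that name")
    return {"rule": "suspicious-scheduled-task", "pid": event["pid"],
            "task": o.get("tn"), "target": target, "reasons": reasons}


def check_batch_delay(event, children):
    """Flag cmd.exe running a .bat out of Temp whose children include a ping-based sleep."""
    cmd = event["cmd"].lower()
    if not event["image"].lower().endswith("cmd.exe") or ".bat" not in cmd or "\\temp\\" not in cmd:
        return None
    for child in children:
        m = PING_DELAY.search(child["cmd"])
        if m:
            return {"rule": "temp-batch-ping-delay", "pid": event["pid"],
                    "pings": int(m.group(1)) if m.group(1) else 4,  # ping's default count
                    "children": [c["image"].rsplit("\\", 1)[-1] for c in children]}
    return None


def analyze(events):
    """Run both checks; also report a task name registered by more than one process."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        f = check_schtasks(e) or check_batch_delay(e, children[e["pid"]])
        if f:
            findings.append(f)
    by_task = defaultdict(list)
    for f in findings:
        if f["rule"] == "suspicious-scheduled-task":
            by_task[f["task"]].append(f["pid"])
    for task, pids in by_task.items():
        if len(pids) > 1:  # dropper and installed copy both register the same task
            findings.append({"rule": "task-registered-repeatedly", "task": task, "pids": pids})
    return findings
```

The task check fires only when a persistence or elevation switch and an odd target path co-occur, so a legitimate ONLOGON task pointing at Program Files stays quiet; the ping check anchors on the parent being cmd.exe running a .bat out of Temp, because ping -n against localhost is common in admin scripts on its own. On a live host the same task name and target can be confirmed with schtasks /query /tn "windows av startup" /v /fo LIST.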
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
196B
MD5
9cce0dca1ef1148360b651f825223599
SHA1
014b0417c7daa19d4389080d54fe174340a12784
SHA256
0a6ad1828f76c970269eef4db6b9d818986290c8bf8e1a551ea4f0f80bb2b725
SHA512
079b6727d575cb411489b15de50fbf551aa948794b517e4d8d6aff95ae57dd54bfefb065ad7a6bfa27a64b7c5fd53531bb57a5a0648afd10d014017f7f387b0d
-
Filesize
3.1MB (identical hashes to the submitted Client-built.exe)
MD5
2c1fba8d6624adf6c582fb2d5fb43b28
SHA1
bd45ee984e9476d604824f83c6cf6111a9db2467
SHA256
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
SHA512
cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19