Analysis

- max time kernel: 273s
- max time network: 265s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20-04-2024 21:34
General

- Target: Client-built.exe
- Size: 3.1MB
- MD5: 4d037c46eaf6b2e5ae5db85ef045c0d1
- SHA1: 7bc3b6647192157a2cc4894f4c58365d9932a2cf
- SHA256: c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821
- SHA512: 163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3
- SSDEEP: 49152:8vGlL26AaNeWgPhlmVqvMQ7XSKGSRJ6pbR3LoGd+THHB72eh2NTf:8vGL26AaNeWgPhlmVqkQ7XSKGSRJ6rP
Malware Config

Extracted

- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 192.168.1.154:4782 (a private-range address, so no Internet-bound C2 traffic is expected from this sample in the sandbox)
- Mutex: ba502bba-c1c8-4a0b-95e6-4b1a3d5f551e
- encryption_key: 7195172212FD0C3E2300AE89FC3318C365A0CFF8
- install_name: window security.exe
- log_directory: Logs
- reconnect_delay: 3000 (ms)
- startup_key: window security
- subdirectory: C:\Windows\System32
Signatures

Quasar payload (2 IoCs)
- behavioral1/memory/2652-0-0x0000000000A50000-0x0000000000D78000-memory.dmp: yara rule family_quasar
- C:\Windows\System32\window security.exe: yara rule family_quasar

Executes dropped EXE (1 IoC)
- PID 3968 window security.exe

Drops file in System32 directory (3 IoCs)
- File opened for modification: C:\Windows\System32\window security.exe (by Client-built.exe)
- File opened for modification: C:\Windows\System32\window security.exe (by window security.exe)
- File created: C:\Windows\System32\window security.exe (by Client-built.exe)

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\System32 (by Client-built.exe)
- File opened for modification: C:\Windows\System32 (by window security.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both invocations register a task named "window security" that runs the dropped binary at every logon with the highest available run level (see the process tree); the dropped copy re-registers the task after it starts, so the persistence survives deletion of the task alone.
- PID 4888 schtasks.exe
- PID 3516 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token SeDebugPrivilege: PID 2652 Client-built.exe
- Token SeDebugPrivilege: PID 3968 window security.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3968 window security.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2652 Client-built.exe wrote to memory of PID 4888 schtasks.exe (2 events)
- PID 2652 Client-built.exe wrote to memory of PID 3968 window security.exe (2 events)
- PID 3968 window security.exe wrote to memory of PID 3516 schtasks.exe (2 events)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 2652
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  └ C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
    PID: 4888
    - Creates scheduled task(s)

  └ C:\Windows\System32\window security.exe
    command line: "C:\Windows\System32\window security.exe"
    PID: 3968
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    └ C:\Windows\System32\schtasks.exe
      command line: "schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
      PID: 3516
      - Creates scheduled task(s)
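The two schtasks invocations above are the whole persistence mechanism, and they are easy to hunt for in process-creation telemetry (Sysmon event 1 or Security event 4688). The script below is an added example written for this report; it is not sandbox output and not Quasar code. It parses schtasks command lines and scores each /create call against the pattern seen here: a logon/boot trigger, /rl HIGHEST, an action whose file name contains a space yet lives in a Windows system directory, and a creating process running from a user-writable path. The record shape (pid, parent image, command line), the two benign control records, and the scoring heuristics are this example's own assumptions; the two malicious command lines are copied from the process tree.

```python
"""Scheduled-task persistence hunt over process-creation records.

Added example for this report; it is not part of the sandbox output or of
Quasar. The record shape (pid, parent image, command line) and the last two
records are constructed; the first two command lines are copied from the
report's process tree. The heuristics are this example's own, not the
sandbox's signature logic.
"""
import ntpath
import shlex

# Constructed records: (pid, parent image, command line).
SAMPLE_EVENTS = [
    (4888, r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
     r'"schtasks" /create /tn "window security" /sc ONLOGON '
     r'/tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f'),
    (3516, r"C:\Windows\System32\window security.exe",
     r'"schtasks" /create /tn "window security" /sc ONLOGON '
     r'/tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f'),
    # Control: an administrator's nightly job at normal run level.
    (5120, r"C:\Windows\System32\cmd.exe",
     r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe"'),
    # Control: not a schtasks invocation at all.
    (6001, r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
PERSISTENCE_TRIGGERS = ("ONLOGON", "ONSTART", "ONIDLE")
# schtasks switches that consume the following token as their value.
VALUED_SWITCHES = {"tn", "sc", "tr", "rl", "st", "sd", "ed", "ru", "rp", "mo",
                   "d", "m", "i", "du", "ri", "et", "delay", "xml", "s", "u", "p"}


def _unquote(tok):
    """Strip one pair of surrounding double quotes."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_schtasks(cmdline):
    """Parse a schtasks command line into {'create': bool, switch: value, ...}.

    Returns None when the command line does not invoke schtasks. Non-POSIX
    shlex mode keeps Windows backslashes and quoted paths intact.
    """
    try:
        tokens = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts = {"create": False}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        if key == "create":
            opts["create"] = True
            i += 1
        elif key in VALUED_SWITCHES and i + 1 < len(tokens):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def assess_task(parent_image, opts):
    """Return the reasons a parsed /create call matches the report's persistence pattern."""
    reasons = []
    trigger = str(opts.get("sc", "")).upper()
    action = str(opts.get("tr", "")).lower()
    if trigger in PERSISTENCE_TRIGGERS:
        reasons.append(f"trigger {trigger}: re-runs without user action")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("run level HIGHEST: highest privileges the account holds")
    if action.startswith(SYSTEM_DIRS) and " " in ntpath.basename(action):
        reasons.append("action is a space-containing name inside a Windows system directory")
    if any(marker in parent_image.lower() for marker in USER_WRITABLE):
        reasons.append("task created by a process running from a user-writable path")
    return reasons


def hunt(events, min_reasons=2):
    """Return a finding for every schtasks /create that collects at least min_reasons."""
    findings = []
    for pid, parent_image, cmdline in events:
        opts = parse_schtasks(cmdline)
        if not opts or not opts["create"]:
            continue
        reasons = assess_task(parent_image, opts)
        if len(reasons) >= min_reasons:
            findings.append({"pid": pid, "parent": parent_image, "task": opts.get("tn"),
                             "action": opts.get("tr"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"PID {f['pid']} ({ntpath.basename(f['parent'])}): task {f['task']!r} -> {f['action']!r}")
        for reason in f["reasons"]:
            print("  -", reason)
```

Run against the constructed records, both schtasks calls from the report are flagged (the first with all four reasons, the second with three, since its parent already runs from System32), while the nightly backup task and the non-schtasks record are ignored. The thresholds and path markers are starting points; tune them against your own baseline of legitimate task creation before alerting on them.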
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
- MD5: 4d037c46eaf6b2e5ae5db85ef045c0d1
- SHA1: 7bc3b6647192157a2cc4894f4c58365d9932a2cf
- SHA256: c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821
- SHA512: 163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3