Analysis
- max time kernel: 90s
- max time network: 94s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 21-04-2024 00:29
General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: fbf8bf1a542094f980a0ebadf0cd0331
- SHA1: d92f0eb94e1d7bccf4e3512ed61d769720d425d7
- SHA256: fa281523c8726d55023091c15321edca91ad7e480d0b0bb1f381e94861a84383
- SHA512: 7107265fc94a19abaf05b09c28c4c3482add48d863f30b3d3b9bda096968f9923e8a28ef8f63b7f709e6d0ef45a564fb841ebd59df421f1cb0b13f7ff3179290
- SSDEEP: 49152:Wvkt62XlaSFNWPjljiFa2RoUYIYCF1JaLoGdTTHHB72eh2NT:Wv462XlaSFNWPjljiFXRoUYIYC2
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- botnet (tag): SLAVE
- C2: uk2.localto.net:39077
- mutex: cc0a2b76-665e-4e16-b318-5ee02270fbcd
- encryption_key: D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
- install_name: UpdateHost.exe
- log_directory: Error Logs
- reconnect_delay: 3000 (milliseconds)
- startup_key: WOS64
- subdirectory: Windows

The extracted values line up with the behaviour recorded below: subdirectory and install_name give the drop path C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe, and startup_key is the scheduled-task name WOS64. The C2 hostname belongs to localto.net, a tunnelling service, so the host that actually runs the Quasar server sits behind a relay; the hostname and port are the useful indicators, not whatever IP the name resolves to at analysis time.
Signatures
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/3088-0-0x0000000000D20000-0x0000000001044000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe | family_quasar
- Executes dropped EXE (1 IoC)
  pid 420 UpdateHost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4988 schtasks.exe; pid 4168 schtasks.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 3088 Client-built.exe
  Token: SeDebugPrivilege, pid 420 UpdateHost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 420 UpdateHost.exe
  A Windows hook set by the installed copy is consistent with Quasar's keylogger, which installs a keyboard hook.
- Suspicious use of WriteProcessMemory (14 IoCs: seven parent/child pairs, each recorded twice)
  PID 3088 Client-built.exe wrote to PID 4988 schtasks.exe
  PID 3088 Client-built.exe wrote to PID 420 UpdateHost.exe
  PID 420 UpdateHost.exe wrote to PID 4168 schtasks.exe
  PID 420 UpdateHost.exe wrote to PID 1936 schtasks.exe
  PID 420 UpdateHost.exe wrote to PID 1908 cmd.exe
  PID 1908 cmd.exe wrote to PID 5116 chcp.com
  PID 1908 cmd.exe wrote to PID 1848 PING.EXE
  Every write here is from a parent into the child it has just spawned, so this signature mirrors the process tree rather than showing injection into an unrelated process.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  (depth 2) C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
    "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    (depth 3) C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "WOS64" /f
    (depth 3) C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eg5cdkBpNxfl.bat" "
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\chcp.com
        chcp 65001
      (depth 4) C:\Windows\system32\PING.EXE
        ping -n 10 localhost
        - Runs ping.exe

Reading the tree: the submitted binary registers an ONLOGON task pointing at the install path, then starts the copy it dropped there (the dropped file carries the same hashes as the sample, so it is a byte-identical self-copy). The copy registers the same task a second time, then deletes it and runs a 216-byte batch file whose visible children are a code-page switch and a ping to localhost, which is the usual batch-file way of sleeping for a few seconds. The batch contents are not shown in the report, so what it does after the delay is not established here. Note the /rl HIGHEST flag: the task runs with the highest token available to the logged-on account, so on an administrator account it runs elevated at every logon without a UAC prompt.
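The process tree above and the identical hashes under Downloads below are the kind of facts a detection or triage script can check mechanically. The following is an added example, not code from the sandbox or from this report: it transcribes the tree into constructed process-creation events (the pid/ppid/image/cmd layout is an assumption, not a particular EDR or Sysmon schema), parses the schtasks command lines, and applies three rules that match this sample's install chain, plus a hash comparison that identifies the dropped file as a self-copy.

```python
import re
from collections import defaultdict

# Constructed events transcribed from the process tree in this report. The field
# layout (pid/ppid/image/cmd) is an assumption for the example; the parent of the
# first process is not in the report and is recorded as 0.
TASK_CREATE = (r'"schtasks" /create /tn "WOS64" /sc ONLOGON '
               r'/tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f')
EVENTS = [
    dict(pid=3088, ppid=0, image=r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
         cmd=r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'),
    dict(pid=4988, ppid=3088, image=r"C:\Windows\SYSTEM32\schtasks.exe", cmd=TASK_CREATE),
    dict(pid=420, ppid=3088, image=r"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe",
         cmd=r'"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"'),
    dict(pid=4168, ppid=420, image=r"C:\Windows\SYSTEM32\schtasks.exe", cmd=TASK_CREATE),
    dict(pid=1936, ppid=420, image=r"C:\Windows\SYSTEM32\schtasks.exe",
         cmd=r'"schtasks" /delete /tn "WOS64" /f'),
    dict(pid=1908, ppid=420, image=r"C:\Windows\system32\cmd.exe",
         cmd=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eg5cdkBpNxfl.bat" "'),
    dict(pid=5116, ppid=1908, image=r"C:\Windows\system32\chcp.com", cmd="chcp 65001"),
    dict(pid=1848, ppid=1908, image=r"C:\Windows\system32\PING.EXE", cmd="ping -n 10 localhost"),
]

# SHA-256 of the submitted sample and of the files listed under Downloads.
SAMPLE_SHA256 = "fa281523c8726d55023091c15321edca91ad7e480d0b0bb1f381e94861a84383"
DROPPED_SHA256 = {
    r"C:\Users\Admin\AppData\Local\Temp\Eg5cdkBpNxfl.bat":
        "cd7deca4a2aa10934727e0e7bdc567034a96abf61f619da234fbeeace1cc9e2d",
    r"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe":
        "fa281523c8726d55023091c15321edca91ad7e480d0b0bb1f381e94861a84383",
}

# schtasks options are "/key value" or "/key "quoted value""; only the four we need.
_SCHTASKS_OPT = re.compile(r'/(tn|tr|sc|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


def parse_schtasks(cmd):
    """Return the action (create/delete/None) and the /tn /tr /sc /rl values present."""
    low = cmd.lower()
    opts = {"action": "create" if "/create" in low else "delete" if "/delete" in low else None}
    for key, quoted, bare in _SCHTASKS_OPT.findall(cmd):
        opts[key.lower()] = quoted or bare
    return opts


def is_schtasks(ev):
    return ev["image"].lower().endswith("\\schtasks.exe")


def logon_tasks_to_user_writable_paths(events):
    """Rule 1: ONLOGON task at run level HIGHEST whose target lives under a user's AppData."""
    hits = []
    for ev in filter(is_schtasks, events):
        t = parse_schtasks(ev["cmd"])
        if (t["action"] == "create" and t.get("sc", "").upper() == "ONLOGON"
                and t.get("rl", "").upper() == "HIGHEST" and _USER_WRITABLE.search(t.get("tr", ""))):
            hits.append((ev["pid"], ev["ppid"], t["tn"], t["tr"]))
    return hits


def temp_batch_with_ping_sleep(events):
    """Rule 2: cmd.exe /c <Temp .bat> whose children are 'chcp 65001' and 'ping -n N localhost'."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev["cmd"].lower())
    hits = []
    for ev in events:
        cmd = ev["cmd"].lower()
        if not (ev["image"].lower().endswith("\\cmd.exe") and "/c" in cmd
                and "\\appdata\\local\\temp\\" in cmd and ".bat" in cmd):
            continue
        kids = children[ev["pid"]]
        if any(k.startswith("chcp 65001") for k in kids) and \
                any(re.match(r"ping\s+-n\s+\d+\s+localhost", k) for k in kids):
            hits.append((ev["pid"], ev["ppid"]))
    return hits


def task_churn(events):
    """Rule 3: task names that were created and later deleted within the same trace."""
    per_task = defaultdict(list)
    for ev in filter(is_schtasks, events):
        t = parse_schtasks(ev["cmd"])
        if t.get("tn"):
            per_task[t["tn"]].append(t["action"])
    return {tn: acts for tn, acts in per_task.items() if "delete" in acts}


def self_copies(sample_sha256, dropped):
    """Dropped files whose SHA-256 equals the submitted sample, i.e. unchanged self-copies."""
    return sorted(p for p, h in dropped.items() if h.lower() == sample_sha256.lower())


if __name__ == "__main__":
    print("rule1", logon_tasks_to_user_writable_paths(EVENTS))
    print("rule2", temp_batch_with_ping_sleep(EVENTS))
    print("rule3", task_churn(EVENTS))
    print("self-copies", self_copies(SAMPLE_SHA256, DROPPED_SHA256))
```

Rule 1 fires twice on this trace (once per schtasks /create, from pids 3088 and 420), Rule 2 on the cmd.exe under pid 420, and Rule 3 reports WOS64 as created, created and then deleted. Rule 1 is the one worth deploying broadly: a logon task at run level HIGHEST that points into a user-writable AppData path is rare in legitimate software and is exactly what the startup_key and install_name in the extracted config produce.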
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Eg5cdkBpNxfl.bat
  Filesize: 216B
  MD5: 5c7dc76e5a90fe57b343fa02acba4194
  SHA1: ace0f25c2959720450c4c9283cd89cc96832b3d9
  SHA256: cd7deca4a2aa10934727e0e7bdc567034a96abf61f619da234fbeeace1cc9e2d
  SHA512: 81b32d33a2b8a1db67c395025aff8ae5aa552410494f5adef2dd3061e82f7ea292ce69ab45d9b2371b8e91be38c87a6cb2adb82e3029048d12a421ed9220611b
- C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
  Filesize: 3.1MB
  MD5: fbf8bf1a542094f980a0ebadf0cd0331
  SHA1: d92f0eb94e1d7bccf4e3512ed61d769720d425d7
  SHA256: fa281523c8726d55023091c15321edca91ad7e480d0b0bb1f381e94861a84383
  SHA512: 7107265fc94a19abaf05b09c28c4c3482add48d863f30b3d3b9bda096968f9923e8a28ef8f63b7f709e6d0ef45a564fb841ebd59df421f1cb0b13f7ff3179290
  All four hashes match the submitted Client-built.exe: the installer copies itself to the install path unchanged, so a hash-based indicator for the sample also covers the persisted file.

Memory dumps (pid-sequence-address range: size)
- memory/420-11-0x0000000002700000-0x0000000002710000-memory.dmp: 64KB
- memory/420-9-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp: 10.8MB
- memory/420-12-0x000000001BAD0000-0x000000001BB20000-memory.dmp: 320KB
- memory/420-13-0x000000001BBE0000-0x000000001BC92000-memory.dmp: 712KB
- memory/420-16-0x000000001BB40000-0x000000001BB52000-memory.dmp: 72KB
- memory/420-17-0x000000001BBA0000-0x000000001BBDC000-memory.dmp: 240KB
- memory/420-18-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp: 10.8MB
- memory/420-19-0x0000000002700000-0x0000000002710000-memory.dmp: 64KB
- memory/420-24-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp: 10.8MB
- memory/3088-2-0x000000001BBC0000-0x000000001BBD0000-memory.dmp: 64KB
- memory/3088-10-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp: 10.8MB
- memory/3088-0-0x0000000000D20000-0x0000000001044000-memory.dmp: 3.1MB (the image of the sample itself; this is the dump the family_quasar YARA rule matched)
- memory/3088-1-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp: 10.8MB