Analysis
max time kernel: 38s
max time network: 42s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-04-2024 01:06
General
Target: Gtag_spoofer-main/Gtagspoofer_1.4.7.exe
Size: 3.1MB
MD5: 5110076773db1352ac91ef673fef465f
SHA1: 415ee6c130d71942a7197642d1a4ae7efb637ea8
SHA256: 8575df8567eb8fbb7b07954de694590e07757edf2bfcf3b623b1df9790ce698d
SHA512: a9c081c768e3c72c8a8bfda715575e50a2a087e4dc1ec4e104bc761549af3c2fb5a3e9097c03bacec4940e6d7de65aa5a75dfc17ed784d4453f9de69e7ff2877
SSDEEP: 49152:rvyI22SsaNYfdPBldt698dBcjHS8x6EMk2k/JKPoGdDTHHB72eh2NT:rvf22SsaNYfdPBldt6+dBcjHS8xxi
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.0.53:4782
e1883fb9-6361-4406-b1f7-f82f80cbbe14
encryption_key: 863766762E363E1F1B41973F98B5594794BAAEC6
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar payload (2 IoCs)
Processes:
  resource: behavioral1/memory/3880-0-0x0000000000EF0000-0x0000000001214000-memory.dmp, yara_rule: family_quasar
  resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, yara_rule: family_quasar
Executes dropped EXE (1 IoC)
Processes:
  pid: 2000, process: Client.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid: 3972, process: schtasks.exe
  pid: 2608, process: schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege, pid: 3880, process: Gtagspoofer_1.4.7.exe
  description: Token: SeDebugPrivilege, pid: 2000, process: Client.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid: 2000, process: Client.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 3880 wrote to memory of 3972, pid: 3880, process: Gtagspoofer_1.4.7.exe, target process: schtasks.exe
  description: PID 3880 wrote to memory of 3972, pid: 3880, process: Gtagspoofer_1.4.7.exe, target process: schtasks.exe
  description: PID 3880 wrote to memory of 2000, pid: 3880, process: Gtagspoofer_1.4.7.exe, target process: Client.exe
  description: PID 3880 wrote to memory of 2000, pid: 3880, process: Gtagspoofer_1.4.7.exe, target process: Client.exe
  description: PID 2000 wrote to memory of 2608, pid: 2000, process: Client.exe, target process: schtasks.exe
  description: PID 2000 wrote to memory of 2608, pid: 2000, process: Client.exe, target process: schtasks.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Gtag_spoofer-main\Gtagspoofer_1.4.7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Gtag_spoofer-main\Gtagspoofer_1.4.7.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3880
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 3972
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2000
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 2608
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 5110076773db1352ac91ef673fef465f
SHA1: 415ee6c130d71942a7197642d1a4ae7efb637ea8
SHA256: 8575df8567eb8fbb7b07954de694590e07757edf2bfcf3b623b1df9790ce698d
SHA512: a9c081c768e3c72c8a8bfda715575e50a2a087e4dc1ec4e104bc761549af3c2fb5a3e9097c03bacec4940e6d7de65aa5a75dfc17ed784d4453f9de69e7ff2877