Analysis
-
max time kernel
90s -
max time network
93s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system -
submitted
01/05/2024, 16:17
Static task
static1
Behavioral task
behavioral1
Sample
6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe
Resource
win10v2004-20240419-en
General
-
Target
6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe
-
Size
3.2MB
-
MD5
6f1434bdc116473171a42f081f86d2e5
-
SHA1
68dc8a913caaddbcd9dd976f478cba38935d1681
-
SHA256
6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e
-
SHA512
f7593f9d5033e816eb00eebd987a261b307443cb534763ab73c25ff640454aed06fb8651eb7a3c9a2b6750ed03891590cfa024425f948e2e87cb9950590fd70e
-
SSDEEP
98304:ahfos5HeMop9TM2EmSgFUMwCY7BtAFBsABH3:cfHHeMop9TM2ceUXN77Ksi3
Malware Config
Extracted
quasar
1.4.1
Office04
93.123.85.108:4782
e14b8f59-979b-4ebf-8602-dd3c4d6c301e
-
encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
-
install_name
Msconfig.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
msconfig.exe
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/3596-6-0x0000000000400000-0x0000000000724000-memory.dmp family_quasar -
Executes dropped EXE 1 IoCs
pid Process 2308 Msconfig.exe -
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\SubDir vbc.exe File created C:\Windows\SysWOW64\SubDir\Msconfig.exe vbc.exe File opened for modification C:\Windows\SysWOW64\SubDir\Msconfig.exe vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2200 set thread context of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3796 schtasks.exe 3908 schtasks.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3596 vbc.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 3596 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 80 PID 2200 wrote to memory of 896 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 81 PID 2200 wrote to memory of 896 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 81 PID 2200 wrote to memory of 896 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 81 PID 2200 wrote to memory of 2036 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 83 PID 2200 wrote to memory of 2036 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 83 PID 2200 wrote to memory of 2036 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 83 PID 2036 wrote to memory of 3796 2036 cmd.exe 85 PID 2036 wrote to memory of 3796 2036 cmd.exe 85 PID 2036 wrote to memory of 3796 2036 cmd.exe 85 PID 2200 wrote to memory of 1044 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 86 PID 2200 wrote to memory of 1044 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 86 PID 2200 wrote to memory of 1044 2200 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe 86 PID 3596 wrote to memory of 3908 3596 vbc.exe 88 PID 3596 wrote to memory of 3908 3596 vbc.exe 88 PID 3596 wrote to memory of 3908 3596 vbc.exe 88 PID 3596 wrote to memory of 2308 3596 vbc.exe 90 PID 3596 wrote to memory of 2308 3596 vbc.exe 90 PID 3596 wrote to memory of 2308 3596 vbc.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe"C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "msconfig.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Msconfig.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:3908
-
-
C:\Windows\SysWOW64\SubDir\Msconfig.exe"C:\Windows\system32\SubDir\Msconfig.exe"3⤵
- Executes dropped EXE
PID:2308
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\MicrosoftTools"2⤵PID:896
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe'" /f3⤵
- Creates scheduled task(s)
PID:3796
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe" "C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe"2⤵PID:1044
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5a731372e6f6978ce25617ae01b143351
SHA1eab9863a3b7fe5ba2c916a5115c4f13d0984ff89
SHA25619a3cfbc90e877df30e938fb55785ac3ba8e2e30a54ffbb5af6e0ec9430f9e4b
SHA5124824c046c2b8370dc290ffbec0c2aa17a4cc22ed2b313e33d72e4aec5d01ab9e6e9676848752d37d95aafa9818f35b233bf70e7a84e0fa0106d22c5f07a38b0d