Analysis
-
max time kernel
144s -
max time network
154s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-05-2024 07:19
Behavioral task
behavioral1
Sample
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe
Resource
win10v2004-20240426-en
General
-
Target
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe
-
Size
3.1MB
-
MD5
4a603ec4e3c5a21400eaabac7c6401c6
-
SHA1
23b446721eacd0b6796407ca20bd1e01355ab41f
-
SHA256
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c
-
SHA512
070a5dd14bce16ba58eb65f3b3143fc7890f0e34f2ed7f3a1930e3fa8454ebcf615b43c819f16f4fc494676443bd409a3a57e8fe6e8f39ab02df5ace497eaea0
-
SSDEEP
49152:rvrI22SsaNYfdPBldt698dBcjHLCc1J2LoGdcTHHB72eh2NT:rvU22SsaNYfdPBldt6+dBcjHLCn
Malware Config
Extracted
quasar
1.4.1
Office04
79.132.193.215:4782
f99ccef5-65c4-4972-adf2-fb38921cc9fc
-
encryption_key
1C15E91ACCFAC60B043A1336CF6912EA8572BA83
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4804-1-0x00000000003F0000-0x0000000000714000-memory.dmp family_quasar C:\Windows\System32\Client.exe family_quasar -
Executes dropped EXE 1 IoCs
Processes:
Client.exepid process 4668 Client.exe -
Drops file in System32 directory 2 IoCs
Processes:
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exedescription ioc process File created C:\Windows\system32\Client.exe 566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe File opened for modification C:\Windows\system32\Client.exe 566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exeClient.exedescription pid process Token: SeDebugPrivilege 4804 566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe Token: SeDebugPrivilege 4668 Client.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Client.exepid process 4668 Client.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Client.exepid process 4668 Client.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exedescription pid process target process PID 4804 wrote to memory of 4668 4804 566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe Client.exe PID 4804 wrote to memory of 4668 4804 566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe"C:\Users\Admin\AppData\Local\Temp\566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\system32\Client.exe"C:\Windows\system32\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4668
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD54a603ec4e3c5a21400eaabac7c6401c6
SHA123b446721eacd0b6796407ca20bd1e01355ab41f
SHA256566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c
SHA512070a5dd14bce16ba58eb65f3b3143fc7890f0e34f2ed7f3a1930e3fa8454ebcf615b43c819f16f4fc494676443bd409a3a57e8fe6e8f39ab02df5ace497eaea0