Analysis

max time kernel:  1794s
max time network: 1799s
platform:         windows11-21h2_x64
resource:         win11-20240426-en
resource tags:    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted:        25-05-2024 01:23
General

Target: client.exe
Size:   3.1MB
MD5:    3923567323be44b3a3955f8b69585396
SHA1:   c2db51125c1d664ac02e9ea28fbe4fb6fc47e59a
SHA256: f6fe8fbbafb40ded2572c45d74740d6aa5a7bd6149e2ec2ddedf9030b7411228
SHA512: 5d410bfeb594674195c46dbd228c4967e5df07bd3b6fe3d16a8be48690d58354d4448e35b9fc7a99bca720ed104d6e24be8fd8d8abc31392ccd55a556da14dca
SSDEEP: 49152:KvBt62XlaSFNWPjljiFa2RoUYIx8pnrTFvJKuoGdNTHHB72eh2NT:Kvr62XlaSFNWPjljiFXRoUYI6Tl
Malware Config

Extracted
Family:  quasar
Version: 1.4.1
Botnet:  watchdog
C2:      142.115.43.143:8080
Mutex:   1c1f3ace-a14c-4361-99eb-65aedb6d50fd

Attributes
encryption_key:  3FAEE4D5FC9BC245D4CA5F4165EAFD34E8D5FE16
install_name:    watchdog.exe
log_directory:   logs
reconnect_delay: 3000
startup_key:     watchdog
subdirectory:    drivers
Signatures

Quasar payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/3312-1-0x0000000000910000-0x0000000000C34000-memory.dmp  family_quasar
  C:\Windows\System32\drivers\watchdog.exe                                    family_quasar

Drops file in Drivers directory (3 IoCs)
  Processes: client.exe, watchdog.exe
  description                   ioc                                       process
  File created                  C:\Windows\system32\drivers\watchdog.exe  client.exe
  File opened for modification  C:\Windows\system32\drivers\watchdog.exe  client.exe
  File opened for modification  C:\Windows\system32\drivers\watchdog.exe  watchdog.exe

Executes dropped EXE (1 IoC)
  Processes: watchdog.exe
  pid   process
  3268  watchdog.exe

Drops file in System32 directory (2 IoCs)
  Processes: client.exe, watchdog.exe
  description                   ioc                          process
  File opened for modification  C:\Windows\system32\drivers  client.exe
  File opened for modification  C:\Windows\system32\drivers  watchdog.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid   process
  3356  schtasks.exe
  2220  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: client.exe, watchdog.exe
  description              pid   process
  Token: SeDebugPrivilege  3312  client.exe
  Token: SeDebugPrivilege  3268  watchdog.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: watchdog.exe
  pid   process
  3268  watchdog.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: client.exe, watchdog.exe
  description                       pid   process       target process
  PID 3312 wrote to memory of 3356  3312  client.exe    schtasks.exe
  PID 3312 wrote to memory of 3356  3312  client.exe    schtasks.exe
  PID 3312 wrote to memory of 3268  3312  client.exe    watchdog.exe
  PID 3312 wrote to memory of 3268  3312  client.exe    watchdog.exe
  PID 3268 wrote to memory of 2220  3268  watchdog.exe  schtasks.exe
  PID 3268 wrote to memory of 2220  3268  watchdog.exe  schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\client.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\client.exe"
  PID: 3312
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "watchdog" /sc ONLOGON /tr "C:\Windows\system32\drivers\watchdog.exe" /rl HIGHEST /f
    PID: 3356
    - Creates scheduled task(s)

  C:\Windows\system32\drivers\watchdog.exe
    command line: "C:\Windows\system32\drivers\watchdog.exe"
    PID: 3268
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "watchdog" /sc ONLOGON /tr "C:\Windows\system32\drivers\watchdog.exe" /rl HIGHEST /f
      PID: 2220
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5:      3923567323be44b3a3955f8b69585396
SHA1:     c2db51125c1d664ac02e9ea28fbe4fb6fc47e59a
SHA256:   f6fe8fbbafb40ded2572c45d74740d6aa5a7bd6149e2ec2ddedf9030b7411228
SHA512:   5d410bfeb594674195c46dbd228c4967e5df07bd3b6fe3d16a8be48690d58354d4448e35b9fc7a99bca720ed104d6e24be8fd8d8abc31392ccd55a556da14dca