Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 11:06
Behavioral task: behavioral1
Sample: test.exe
Resource: win7-20240221-en
General
Target: test.exe
Size: 3.1MB
MD5: 700acd73a0f2f3e9372fe0e60f95576f
SHA1: efc3b03207b3e5a999d772fd7c11fb5b69977ebc
SHA256: 10dfcd3ab03dcecb05d6f4b28dbd7a4070341783b8f5453b9af3bc6b9b77a104
SHA512: a390e1b463d658beb17d9bc21e9e77f00e1dbe6dd0fc134ba682343d3a90c5a6535999aebafd1e2bad5bc319fa92072bb5efabff49878bd06d1cfee030a9db75
SSDEEP: 49152:3vGlL26AaNeWgPhlmVqvMQ7XSKpJxNESE7k/iTLoGdoPTHHB72eh2NT:3vGL26AaNeWgPhlmVqkQ7XSKHx+f4
Malware Config
Extracted configuration
Family: quasar
Version: 1.4.1
Tag (botnet): Office04
C2: bin-inspections.gl.at.ply.gg:64055
Mutex: 536deaa9-57d2-448a-ae01-b604426d7fa6
encryption_key: DBB529B3F56F6D23695F8D7AC9BA28484A0D6D0F
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

Reading the config: apart from the C2 host, the mutex and the encryption key, every value is the Quasar builder default (tag Office04, install name Client.exe, subdirectory SubDir, startup key "Quasar Client Startup", log directory Logs, 3000 ms reconnect delay), so those fields identify the family rather than this operator; pivot on the C2 hostname and the mutex instead. The C2 is a *.at.ply.gg hostname, i.e. a playit.gg tunnel endpoint, so port 64055 is a relay and not the operator's own address. The encryption_key is the per-build secret from which the client derives the AES key protecting its embedded settings strings; the values shown here are the sandbox's decrypted copies.
Signatures
Quasar payload (1 IoC)
  resource: behavioral2/memory/2628-1-0x0000000000570000-0x0000000000894000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  process: test.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  The child PING.EXE runs "ping -n 10 localhost" from the dropped batch file: with one second between echo requests this is a wait of roughly nine seconds, the usual batch-file idiom for a fixed delay.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  process: test.exe (pid 2628)
  token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
  process: test.exe (pid 2628)

Suspicious use of WriteProcessMemory (6 IoCs; three distinct source/target pairs, each logged twice)
  PID 2628 test.exe  wrote to memory of 4200 cmd.exe
  PID 4200 cmd.exe   wrote to memory of 3028 chcp.com
  PID 4200 cmd.exe   wrote to memory of 1652 PING.EXE
  Each write pairs a parent with the child it has just created, which is what CreateProcess does when it sets up a new process; there is no write into an unrelated process, so on its own this is not evidence of injection.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\test.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61ITeFprNIya.bat" "
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\chcp.com
      command line: chcp 65001

    (depth 3) C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      - Runs ping.exe
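The tree above has to be reconstructed by hand from the WriteProcessMemory rows and the per-process command lines. The Python below is an added example, not part of the sandbox report or of Quasar: it dedupes the rows (constructed here by transcribing the report's table into the flattened form the page shows), rebuilds the parent/child tree, and flags a cmd.exe that runs a .bat from the user's Temp directory and spawns a ping to a loopback address, the chain seen here. The delay estimate assumes ping's default one-second interval between echo requests, so "ping -n 10 localhost" costs about nine seconds; the keys in the finding dict are my own naming.

```python
import re
from collections import defaultdict

# Constructed input: the six WriteProcessMemory rows from the report, in the
# flattened "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# form the sandbox renders. Each event appears twice; parse_events dedupes.
WPM_EVENTS = """
PID 2628 wrote to memory of 4200 2628 test.exe cmd.exe
PID 2628 wrote to memory of 4200 2628 test.exe cmd.exe
PID 4200 wrote to memory of 3028 4200 cmd.exe chcp.com
PID 4200 wrote to memory of 3028 4200 cmd.exe chcp.com
PID 4200 wrote to memory of 1652 4200 cmd.exe PING.EXE
PID 4200 wrote to memory of 1652 4200 cmd.exe PING.EXE
"""

# Command lines per PID, transcribed from the report's process tree.
CMDLINES = {
    2628: r'"C:\Users\Admin\AppData\Local\Temp\test.exe"',
    4200: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61ITeFprNIya.bat" "',
    3028: "chcp 65001",
    1652: "ping -n 10 localhost",
}

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)', re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_events(text):
    """Parse WriteProcessMemory rows into unique (src_pid, dst_pid, src_img, dst_img) edges."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Return (children: writer pid -> [pids written into], images: pid -> image name)."""
    children, images = defaultdict(list), {}
    for src, dst, src_img, dst_img in edges:
        children[src].append(dst)
        images[src], images[dst] = src_img, dst_img
    return children, images


def render_tree(children, images, root, cmdlines=CMDLINES, depth=0):
    """Indented text rendering of the tree rooted at `root`."""
    lines = [f"{'  ' * depth}{images.get(root, '?')} [{root}]  {cmdlines.get(root, '')}"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, images, child, cmdlines, depth + 1))
    return lines


def ping_sleep_seconds(cmdline):
    """Seconds a `ping ... <loopback>` line waits (N-1 for -n N, ~3 for the default 4),
    or None if the line is not a ping to a loopback address. Assumes ping's default
    one-second gap between echo requests and instant replies from loopback."""
    toks = cmdline.split()
    if not toks or toks[0].lower() not in ("ping", "ping.exe"):
        return None
    if not any(t.lower() in LOOPBACK for t in toks[1:]):
        return None
    for i, t in enumerate(toks):
        if t.lower() == "-n" and i + 1 < len(toks) and toks[i + 1].isdigit():
            return max(int(toks[i + 1]) - 1, 0)
    return 3


def find_batch_delay_chains(children, images, cmdlines=CMDLINES):
    """Flag cmd.exe instances that run a .bat and spawn a loopback ping (sleep-then-act idiom)."""
    findings = []
    for cmd_pid, kids in children.items():
        if images.get(cmd_pid, "").lower() != "cmd.exe":
            continue
        bat = BAT_RE.search(cmdlines.get(cmd_pid, ""))
        if not bat:
            continue
        delays = [d for d in (ping_sleep_seconds(cmdlines.get(k, "")) for k in kids) if d is not None]
        if not delays:
            continue
        parent = next((p for p, ks in children.items() if cmd_pid in ks), None)
        findings.append({
            "cmd_pid": cmd_pid,
            "spawned_by": parent,
            "bat_path": bat.group(1),
            "bat_in_temp": "\\appdata\\local\\temp\\" in bat.group(1).lower(),
            "sets_utf8_codepage": any(
                images.get(k, "").lower() == "chcp.com" and "65001" in cmdlines.get(k, "") for k in kids),
            "delay_seconds": max(delays),
        })
    return findings


if __name__ == "__main__":
    edges = parse_events(WPM_EVENTS)
    children, images = build_tree(edges)
    print("\n".join(render_tree(children, images, 2628)))
    for finding in find_batch_delay_chains(children, images):
        print(finding)
```

Run as a script it prints the tree and one finding for pid 4200 (spawned by 2628, batch in Temp, UTF-8 code page set, about nine seconds of delay). Treat the flag as a hunting heuristic rather than a verdict: installers use ping-as-sleep too, so weight it by the parent being an unsigned binary in a user-writable directory, as here.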
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\61ITeFprNIya.bat
  Filesize: 205B
  MD5: e37553d34e252575ce315a51a1ed227b
  SHA1: ec5a4a74f0e322fb5ee669cd35815b58d5e1d470
  SHA256: 0f330a36353b15e40514123a237ec35146b02e6e62cc4a7c95dc49d05b42f1d0
  SHA512: 6ae7380c57d01fef9881b7c70587c17e0f96bb597df6e84954a30478229582f789e195066db3ad571ac7e52f0f62b629acded22efad856b2ded6a48e7aedea9b

memory/2628-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp   Filesize: 8KB
memory/2628-1-0x0000000000570000-0x0000000000894000-memory.dmp   Filesize: 3.1MB
memory/2628-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp   Filesize: 10.8MB
memory/2628-3-0x000000001B920000-0x000000001B970000-memory.dmp   Filesize: 320KB
memory/2628-4-0x000000001BA30000-0x000000001BAE2000-memory.dmp   Filesize: 712KB
memory/2628-7-0x000000001B9D0000-0x000000001B9E2000-memory.dmp   Filesize: 72KB
memory/2628-8-0x000000001C330000-0x000000001C36C000-memory.dmp   Filesize: 240KB
memory/2628-9-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp   Filesize: 8KB
memory/2628-10-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp  Filesize: 10.8MB
memory/2628-15-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp  Filesize: 10.8MB
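Each memory dump name above encodes the dumped region: pid, sequence number, start and end address. The Python below is an added example, not from the report or from Quasar: it parses those names (constructed here from the list above), checks each stated filesize against the address range, counts how often the same range was dumped, and marks the region the family_quasar rule fired on. The rounding in human_size (whole KB below 1 MiB, one decimal MB above) is my assumption about how the sandbox formats sizes; it reproduces every value on this page.

```python
import re
from collections import defaultdict

# Constructed input: dump names and stated sizes from the report's Downloads
# list, plus the resource named by the family_quasar YARA hit.
MEMORY_DUMPS = {
    "memory/2628-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp": "8KB",
    "memory/2628-1-0x0000000000570000-0x0000000000894000-memory.dmp": "3.1MB",
    "memory/2628-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp": "10.8MB",
    "memory/2628-3-0x000000001B920000-0x000000001B970000-memory.dmp": "320KB",
    "memory/2628-4-0x000000001BA30000-0x000000001BAE2000-memory.dmp": "712KB",
    "memory/2628-7-0x000000001B9D0000-0x000000001B9E2000-memory.dmp": "72KB",
    "memory/2628-8-0x000000001C330000-0x000000001C36C000-memory.dmp": "240KB",
    "memory/2628-9-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp": "8KB",
    "memory/2628-10-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp": "10.8MB",
    "memory/2628-15-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp": "10.8MB",
}
SAMPLE_SIZE = "3.1MB"  # size of test.exe as stated under General
QUASAR_YARA_HIT = "behavioral2/memory/2628-1-0x0000000000570000-0x0000000000894000-memory.dmp"

# [<task>/]memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"(?:^|/)memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, start/end address and byte size."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(n):
    """Assumed report convention: whole KB below 1 MiB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{round(n / (1024 * 1024), 1)}MB"


def check_dumps(dumps=MEMORY_DUMPS, sample_size=SAMPLE_SIZE, yara_hit=QUASAR_YARA_HIT):
    """Annotate each dump: stated size consistent with its range, same size as the
    sample on disk, how many times the range was dumped, and whether it is the
    region the quasar rule matched. Order follows the input."""
    hit = parse_dump_name(yara_hit)
    by_range = defaultdict(list)
    report = []
    for name, stated in dumps.items():
        d = parse_dump_name(name)
        d["name"] = name
        d["stated"] = stated
        d["size_consistent"] = human_size(d["size"]) == stated
        d["matches_sample_size"] = human_size(d["size"]) == sample_size
        d["yara_quasar"] = (d["pid"], d["start"], d["end"]) == (hit["pid"], hit["start"], hit["end"])
        by_range[(d["start"], d["end"])].append(d["seq"])
        report.append(d)
    for d in report:
        d["dumped_times"] = len(by_range[(d["start"], d["end"])])
    return report


if __name__ == "__main__":
    for d in check_dumps():
        flags = [k for k in ("size_consistent", "matches_sample_size", "yara_quasar") if d[k]]
        print(f"seq {d['seq']:>2}  0x{d['start']:016X}-0x{d['end']:016X}  {human_size(d['size']):>7}"
              f"  x{d['dumped_times']}  {' '.join(flags)}")
```

On this report every stated size agrees with its address range, the YARA hit lands on the only 3.1MB region, the same size as test.exe on disk, which is consistent with the rule matching the client's own loaded image rather than a second stage unpacked elsewhere, and the 0x00007FFA4C3A0000 range was dumped three times (sequences 2, 10 and 15), so deduplicate by range before sending dumps on for further analysis.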