Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
02-06-2024 23:43
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20231129-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
c7d2cead872af6fb32edddcf71b5111b
-
SHA1
7bbdc422948e09751d8fd35d384bc2ed8f6d9eff
-
SHA256
97b3602ac7222d914c4a8fb116e76582f695c377b6bf5d524489a2dc3ea90d8b
-
SHA512
822b76495194780a9aa8f6352cb0d1b718c9e2a2c6f9d0f74cde6bc139c7d2959f82f95d2c89b36e7b2890fd3b7fd05a4d139238d1aad9cb6cfc4cbd84ebf015
-
SSDEEP
49152:dv9zn3r24paQe+GPhlz1Tt6U7PkD6sg3yR2YRAkCKLoGJYjTHHB72eh2NT:dvFr24paQe+GPhlz1TwU7PkDng3yn
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.1:4782
88.98.207.207:4782
192.168.1.211:4782
192.168.0.132:4782
2a01:4b00:b31a:3e00:d4a4:5f88:ab8:cc7d:4782
fd00::1617:c634:9b0b:2a22:4782
2a01:4b00:b31a:3e00:c7a:623f:eb1:3db6:4782
fd00::c7a:623f:eb1:3db6:4782
fe80::19ef:ec1a:f41f:39a5%5:4782
6d19d2f9-1235-4b10-a1dd-486dc3edd052
-
encryption_key
12AE26995FE0F312DC3ADA3C8CD142053AD088CA
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 3 IoCs
Resources (resource: yara_rule):
- behavioral1/memory/2340-1-0x00000000001E0000-0x0000000000504000-memory.dmp: family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe: family_quasar
- behavioral1/memory/1616-9-0x0000000001290000-0x00000000015B4000-memory.dmp: family_quasar
Executes dropped EXE 1 IoCs
Processes (pid process):
- 1616 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process):
- 2788 schtasks.exe
- 2348 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid process):
- Token: SeDebugPrivilege, 2340 Client-built.exe
- Token: SeDebugPrivilege, 1616 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid process):
- 1616 Client.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description, pid process, target process):
- PID 2340 wrote to memory of 2348, 2340 Client-built.exe, schtasks.exe
- PID 2340 wrote to memory of 2348, 2340 Client-built.exe, schtasks.exe
- PID 2340 wrote to memory of 2348, 2340 Client-built.exe, schtasks.exe
- PID 2340 wrote to memory of 1616, 2340 Client-built.exe, Client.exe
- PID 2340 wrote to memory of 1616, 2340 Client-built.exe, Client.exe
- PID 2340 wrote to memory of 1616, 2340 Client-built.exe, Client.exe
- PID 1616 wrote to memory of 2788, 1616 Client.exe, schtasks.exe
- PID 1616 wrote to memory of 2788, 1616 Client.exe, schtasks.exe
- PID 1616 wrote to memory of 2788, 1616 Client.exe, schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 3.1MB
  MD5: c7d2cead872af6fb32edddcf71b5111b
  SHA1: 7bbdc422948e09751d8fd35d384bc2ed8f6d9eff
  SHA256: 97b3602ac7222d914c4a8fb116e76582f695c377b6bf5d524489a2dc3ea90d8b
  SHA512: 822b76495194780a9aa8f6352cb0d1b718c9e2a2c6f9d0f74cde6bc139c7d2959f82f95d2c89b36e7b2890fd3b7fd05a4d139238d1aad9cb6cfc4cbd84ebf015
- memory/1616-8-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp
  Filesize: 9.9MB
- memory/1616-9-0x0000000001290000-0x00000000015B4000-memory.dmp
  Filesize: 3.1MB
- memory/1616-11-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp
  Filesize: 9.9MB
- memory/1616-12-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp
  Filesize: 9.9MB
- memory/2340-0-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp
  Filesize: 4KB
- memory/2340-1-0x00000000001E0000-0x0000000000504000-memory.dmp
  Filesize: 3.1MB
- memory/2340-2-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp
  Filesize: 9.9MB
- memory/2340-10-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp
  Filesize: 9.9MB