Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 01:51
Behavioral task behavioral1
- Sample: Client-built2.exe
- Resource: win10-20240404-en
Behavioral task behavioral2
- Sample: Client-built2.exe
- Resource: win10v2004-20240426-en
General
- Target: Client-built2.exe
- Size: 3.1MB
- MD5: 822eed302ff25105073dfb79ea894215
- SHA1: 2e5153d66fdc1837b387bf33a2292f6f2ec474d5
- SHA256: 397bd422af47cc0511d28b77593f1d768864ff7f76765fc778d9dc3115dc0f98
- SHA512: fc89bc8d9ed1a7bdb4163222d59ec345a0e039c4fc0475467e91211e9a15bd5aa6436bf36062e1487fd6d3bad06b1aebea8e41360f559348c3c4cafcbfa16e2a
- SSDEEP: 49152:KvyI22SsaNYfdPBldt698dBcjHk5xNESE5k/i0LoGdLTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHaxE6
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- dusan
- 192.168.178.20:4782
- ded81f24-0e54-4985-a1fb-e180db45c27d
- encryption_key: A81486939BB2FAD2A02EAF76B26242A2A9C6D91B
- install_name: katani.exe
- log_directory: Log
- reconnect_delay: 3000
- startup_key: hacked by katani :)
- subdirectory: download
Signatures
- Quasar payload (2 IoCs)
  Processes (resource, yara_rule):
  - behavioral2/memory/4920-1-0x0000000000D80000-0x00000000010A4000-memory.dmp: family_quasar
  - C:\Users\Admin\AppData\Roaming\download\katani.exe: family_quasar
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 2480 katani.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hacked by katani :) = "\"C:\\Users\\Admin\\AppData\\Roaming\\download\\katani.exe\"" (Client-built2.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hacked by katani :) = "\"C:\\Users\\Admin\\AppData\\Roaming\\download\\katani.exe\"" (katani.exe)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 1032 schtasks.exe
  - 3948 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 4920 Client-built2.exe
  - Token: SeDebugPrivilege, 2480 katani.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 2480 katani.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 4920 wrote to memory of 1032: 4920 Client-built2.exe -> schtasks.exe
  - PID 4920 wrote to memory of 1032: 4920 Client-built2.exe -> schtasks.exe
  - PID 4920 wrote to memory of 2480: 4920 Client-built2.exe -> katani.exe
  - PID 4920 wrote to memory of 2480: 4920 Client-built2.exe -> katani.exe
  - PID 2480 wrote to memory of 3948: 2480 katani.exe -> schtasks.exe
  - PID 2480 wrote to memory of 3948: 2480 katani.exe -> schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built2.exe"
  PID: 4920
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "hacked by katani :)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\download\katani.exe" /rl HIGHEST /f
    PID: 1032
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\download\katani.exe
    Command line: "C:\Users\Admin\AppData\Roaming\download\katani.exe"
    PID: 2480
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "hacked by katani :)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\download\katani.exe" /rl HIGHEST /f
      PID: 3948
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\download\katani.exe
  Filesize: 3.1MB
  MD5: 822eed302ff25105073dfb79ea894215
  SHA1: 2e5153d66fdc1837b387bf33a2292f6f2ec474d5
  SHA256: 397bd422af47cc0511d28b77593f1d768864ff7f76765fc778d9dc3115dc0f98
  SHA512: fc89bc8d9ed1a7bdb4163222d59ec345a0e039c4fc0475467e91211e9a15bd5aa6436bf36062e1487fd6d3bad06b1aebea8e41360f559348c3c4cafcbfa16e2a
- memory/2480-10-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp (Filesize: 10.8MB)
- memory/2480-11-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp (Filesize: 10.8MB)
- memory/2480-12-0x000000001B8B0000-0x000000001B900000-memory.dmp (Filesize: 320KB)
- memory/2480-13-0x000000001B9C0000-0x000000001BA72000-memory.dmp (Filesize: 712KB)
- memory/2480-14-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp (Filesize: 10.8MB)
- memory/4920-0-0x00007FFAA29F3000-0x00007FFAA29F5000-memory.dmp (Filesize: 8KB)
- memory/4920-1-0x0000000000D80000-0x00000000010A4000-memory.dmp (Filesize: 3.1MB)
- memory/4920-2-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp (Filesize: 10.8MB)
- memory/4920-9-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp (Filesize: 10.8MB)