Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
03-06-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
Resource
win10v2004-20240426-en
General
-
Target
821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
-
Size
6.0MB
-
MD5
821bbfc8f0a946efd3d8c9b8aa6d68ee
-
SHA1
5bf3f157d56a61fb4ebb92a35664aafcceb2b943
-
SHA256
7b5cb683875a42757083a2e02fb6cc54d1f472569fc3d570992a18ac019f722e
-
SHA512
c1ab71e6be5d67fa6fcae1b58c1f8528ebbda63cd790640fae6ebc1229b5cb85583abad16839d72e100dd393045a3ec322a81107a25ce38a3da319389915094d
-
SSDEEP
98304:vBsvwVReAo6kSF8yYZl1gpJhFEo2ylLj0bsk4BAH6+6TEE:vBaanoJ5ZleLhKKbtY6bEE
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
05KAN24
C2
4Mekey.myftp.biz:4782
Mutex
79b4968e-3635-4865-94f2-359cde910023
-
encryption_key
5A1721840C7FCFA52998D9F98F97F4B8137E6734
-
install_name
Windows Server.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
Windows Update
Signatures
-
Quasar payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2940-1-0x0000000000400000-0x0000000000724000-memory.dmp | family_quasar
behavioral1/memory/2940-3-0x0000000000400000-0x0000000000724000-memory.dmp | family_quasar
behavioral1/memory/2940-5-0x0000000000400000-0x0000000000724000-memory.dmp | family_quasar
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\821bbfc8f0a946efd3d8c9b8aa6d68ee = "C:\\Users\\Admin\\821bbfc8f0a946efd3d8c9b8aa6d68ee.exe" | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
description | pid | process | target process
PID 2692 set thread context of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: jsc.exe
description | pid | process
Token: SeDebugPrivilege | 2940 | jsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: jsc.exe
pid | process
2940 | jsc.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
description | pid | process | target process
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
PID 2692 wrote to memory of 2940 | 2692 | 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe | jsc.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\821bbfc8f0a946efd3d8c9b8aa6d68ee.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\821bbfc8f0a946efd3d8c9b8aa6d68ee.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (child of 1)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
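The rows above describe a classic hollowing chain: the dropper (PID 2692) writes into a freshly started, signed .NET framework binary (jsc.exe, PID 2940) and then calls SetThreadContext, after which the Quasar YARA rule fires on the child's 0x400000-0x724000 image region and the child acquires SeDebugPrivilege. The following Python is an added triage helper, not part of the sandbox report or of the Quasar project: it parses the Signatures rows (re-typed here as constructed input), rebuilds the parent-to-host chain, and compares the observed Run key with the extracted config. The DOTNET_HOSTS list is an assumption. It also makes visible a caveat worth hunting on: the Run key actually written uses the sample's own name and C:\Users\Admin\, not the configured startup_key "Quasar Client Startup" or the "Windows Update\Windows Server.exe" install path, so detections keyed only on the config values would miss this run.

```python
"""Triage helper for the sandbox rows above: rebuild the parent -> host injection
chain (WriteProcessMemory + SetThreadContext), attach the YARA family hits and
privileges seen in the host, and check the observed Run key against the
extracted Quasar config. Added example; not part of the report or of Quasar.
The input rows are re-typed from this page; DOTNET_HOSTS is an assumption.
"""
import re
from collections import defaultdict

SAMPLE = "821bbfc8f0a946efd3d8c9b8aa6d68ee.exe"

# Constructed input: the rows printed in the Signatures section, one per line.
SIGNATURE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\821bbfc8f0a946efd3d8c9b8aa6d68ee = "C:\\Users\\Admin\\821bbfc8f0a946efd3d8c9b8aa6d68ee.exe" 821bbfc8f0a946efd3d8c9b8aa6d68ee.exe',
    f"PID 2692 set thread context of 2940 2692 {SAMPLE} jsc.exe",
    "Token: SeDebugPrivilege 2940 jsc.exe",
] + [f"PID 2692 wrote to memory of 2940 2692 {SAMPLE} jsc.exe"] * 9

# Constructed input: the "Quasar payload" YARA rows (resource, rule).
YARA_ROWS = [
    f"behavioral1/memory/2940-{n}-0x0000000000400000-0x0000000000724000-memory.dmp family_quasar"
    for n in (1, 3, 5)
]

# Values taken from the Malware Config section.
CONFIG = {
    "install_name": "Windows Server.exe",
    "subdirectory": "Windows Update",
    "startup_key": "Quasar Client Startup",
}

# Assumption: signed .NET framework binaries commonly hollowed by .NET loaders;
# only jsc.exe is observed in this report.
DOTNET_HOSTS = {"jsc.exe", "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}

RE_WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
RE_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
RE_TOKEN = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
RE_RUNKEY = re.compile(r'^Set value \(str\) (\S+\\Run\\\S+) = "(.*)" (\S+)$')
RE_DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$")


def parse_rows(rows):
    """Group the report rows by event type."""
    events = defaultdict(list)
    for row in rows:
        row = row.strip()
        if m := RE_WRITE.match(row):
            events["write"].append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := RE_CTX.match(row):
            events["ctx"].append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := RE_TOKEN.match(row):
            events["token"].append((int(m[2]), m[3], m[1]))
        elif m := RE_RUNKEY.match(row):
            # The sandbox prints the value with doubled backslashes; normalise.
            events["runkey"].append((m[1], m[2].replace("\\\\", "\\"), m[3]))
    return events


def find_hollowing(events, yara_rows):
    """Pair each (parent, child) that has memory writes AND a thread-context
    change, then attach what the child held in memory and which privileges it took."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": False})
    for src, dst, src_img, dst_img in events["write"]:
        pairs[(src, dst, src_img, dst_img)]["writes"] += 1
    for src, dst, src_img, dst_img in events["ctx"]:
        pairs[(src, dst, src_img, dst_img)]["ctx"] = True

    families, regions, privs = defaultdict(set), {}, defaultdict(set)
    for row in yara_rows:
        if m := RE_DUMP.search(row):
            families[int(m[1])].add(m[4])
            regions[int(m[1])] = (int(m[2], 16), int(m[3], 16))
    for pid, _img, priv in events["token"]:
        privs[pid].add(priv)

    chains = []
    for (src, dst, src_img, dst_img), info in pairs.items():
        if not (info["writes"] and info["ctx"]):
            continue
        base, end = regions.get(dst, (None, None))
        chains.append({
            "parent": src_img, "parent_pid": src,
            "host": dst_img, "host_pid": dst,
            "known_dotnet_host": dst_img.lower() in DOTNET_HOSTS,
            "writes": info["writes"],
            "families": sorted(families[dst]),
            "payload_base": base,
            "payload_size": None if base is None else end - base,
            "privileges": sorted(privs[dst]),
        })
    return chains


def check_persistence(events, config):
    """Compare each observed Run-key write with the config's install settings."""
    expected_tail = f'{config["subdirectory"]}\\{config["install_name"]}'.lower()
    results = []
    for key, path, proc in events["runkey"]:
        value_name = key.rsplit("\\", 1)[1]
        results.append({
            "value_name": value_name,
            "path": path,
            "set_by": proc,
            "uses_configured_startup_key": value_name == config["startup_key"],
            "uses_configured_install_path": path.lower().endswith(expected_tail),
        })
    return results


if __name__ == "__main__":
    ev = parse_rows(SIGNATURE_ROWS)
    for chain in find_hollowing(ev, YARA_ROWS):
        print("hollowing:", chain)
    for p in check_persistence(ev, CONFIG):
        print("persistence:", p)
```

For this report the helper yields one chain (821bbfc8f0a946efd3d8c9b8aa6d68ee.exe 2692 -> jsc.exe 2940, 9 writes, family_quasar in a 0x324000-byte region at 0x400000, SeDebugPrivilege) and one Run-key entry that matches neither the configured startup_key nor the configured install path.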
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/2940-1-0x0000000000400000-0x0000000000724000-memory.dmp
Filesize
3.1MB
-
memory/2940-3-0x0000000000400000-0x0000000000724000-memory.dmp
Filesize
3.1MB
-
memory/2940-5-0x0000000000400000-0x0000000000724000-memory.dmp
Filesize
3.1MB
-
memory/2940-6-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
Filesize
4KB
-
memory/2940-7-0x0000000074C00000-0x00000000752EE000-memory.dmp
Filesize
6.9MB
-
memory/2940-8-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
Filesize
4KB
-
memory/2940-9-0x0000000074C00000-0x00000000752EE000-memory.dmp
Filesize
6.9MB