Analysis
  max time kernel:   149s
  max time network:  144s
  platform:          windows7_x64
  resource:          win7-20231129-en
  resource tags:     arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted:         03-06-2024 13:58
Behavioral task: behavioral1
  Sample:   Client-built.exe
  Resource: win7-20231129-en
General
  Target: Client-built.exe
  Size:   3.1MB
  MD5:    feb24955d3504654b50393efdafde20d
  SHA1:   3e43172200820307c71d2885a94d4f40efd5cda7
  SHA256: 6f732f4a61ca68e185972687c1ecd6a2fed2b25bea11dd81bb9c5d8f0e471bce
  SHA512: 1547189a9a14f4fe7313d2bf07218c52b88128ca66d704ce0cb1ad1f529af6c87192c2f2f639f00718ed21cab5b0ebb14416e24c9b77c129ae54026de8f9b1fd
  SSDEEP: 49152:Uv0iiN2tPa2vpJPylxhhC25D/Wv1zZLljFuvJmYoGdk/4THHB72eh2NT:Uv/q2tPa2vpJPylxhhz5D/WNjFAU
Malware Config
Extracted
  Family:          quasar
  Version:         1.4.1
  Botnet:          Office04
  C2:
    192.168.1.104:4782
    192.168.1.104:50133
    127.0.0.1:6000
    DESKTOP-9IMIHQU:49736
    127.0.0.1:4782
    127.0.07.1:50133
    192.168.1.104:6000
  Mutex:           03bae1e9-f5dc-4e0e-94fb-62a44e846020
  encryption_key:  1BDF94B25EA282E8D3B48C8D6810CDDC133AFA4C
  install_name:    Client.exe
  log_directory:   Logs
  reconnect_delay: 3000
  startup_key:     Quasar Client Startup
  subdirectory:    SubDir
Signatures

Quasar payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2340-1-0x0000000000120000-0x0000000000444000-memory.dmp   family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                             family_quasar
  behavioral1/memory/2904-8-0x00000000012A0000-0x00000000015C4000-memory.dmp   family_quasar

Executes dropped EXE (3 IoCs)
  pid    process
  2904   Client.exe
  1352   Client.exe
  1872   Client.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    process
  1944   schtasks.exe
  1148   schtasks.exe
  1692   schtasks.exe
  2564   schtasks.exe

Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   2340   Client-built.exe
  Token: SeDebugPrivilege   2904   Client.exe
  Token: SeDebugPrivilege   1352   Client.exe
  Token: SeDebugPrivilege   1872   Client.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    process
  2904   Client.exe
  1352   Client.exe
  1872   Client.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  Each event below is reported three times in the raw signature list (13 distinct writes x 3 = 39 IoCs).
  description                        pid    process            target process   events
  PID 2340 wrote to memory of 1692   2340   Client-built.exe   schtasks.exe     3
  PID 2340 wrote to memory of 2904   2340   Client-built.exe   Client.exe       3
  PID 2904 wrote to memory of 2564   2904   Client.exe         schtasks.exe     3
  PID 2904 wrote to memory of 1452   2904   Client.exe         cmd.exe          3
  PID 1452 wrote to memory of 2136   1452   cmd.exe            chcp.com         3
  PID 1452 wrote to memory of 2004   1452   cmd.exe            PING.EXE         3
  PID 1452 wrote to memory of 1352   1452   cmd.exe            Client.exe       3
  PID 1352 wrote to memory of 1944   1352   Client.exe         schtasks.exe     3
  PID 1352 wrote to memory of 536    1352   Client.exe         cmd.exe          3
  PID 536 wrote to memory of 2600    536    cmd.exe            chcp.com         3
  PID 536 wrote to memory of 1108    536    cmd.exe            PING.EXE         3
  PID 536 wrote to memory of 1872    536    cmd.exe            Client.exe       3
  PID 1872 wrote to memory of 1148   1872   Client.exe         schtasks.exe     3

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth in the process tree is given in brackets; each entry lists the image path, its command line, and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

  [2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\schtasks.exe
        command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

    [3] C:\Windows\system32\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aM9045fcLdjb.bat" "
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\chcp.com
          command line: chcp 65001

      [4] C:\Windows\system32\PING.EXE
          command line: ping -n 10 localhost
          - Runs ping.exe

      [4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\schtasks.exe
            command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Creates scheduled task(s)

        [5] C:\Windows\system32\cmd.exe
            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oHjzPNObDg3i.bat" "
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\chcp.com
              command line: chcp 65001

          [6] C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              - Runs ping.exe

          [6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
              command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\schtasks.exe
                command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Temp\aM9045fcLdjb.bat
  Filesize: 207B
  MD5:      947f39b2234f1d801c2f1d30e2a1ed5e
  SHA1:     378748f7503f84d36363fe3c9ca3041d161818ab
  SHA256:   233772c79f8b83a4b90d2d6e51b5d3b1183f38ecdcc7eac9029085ca7542bab5
  SHA512:   267a3a2df2bd015845c8e20b72dd96ceb94d90ce016ef7ea9b24874ae9cee170a252e84e370ccf88a6e8353c5bb1f06ddc091bd4176d8455c24a778e1cf8e600

C:\Users\Admin\AppData\Local\Temp\oHjzPNObDg3i.bat
  Filesize: 207B
  MD5:      f4e32a20d919296d07420a6c5e32848e
  SHA1:     fc2e9e681fa9c49c3e6c6f8a11ce49346de6128a
  SHA256:   60f31b59df7b1f01c5c7800845e1efaddeb5c1b9b2ab39ac625bceadd3261bf5
  SHA512:   781aae9ab3a42e5b7e7b5c1dd95184d3d5305b85def850ffff7b4f41fb08bb1a9b7fe343f83419c189021bac4079ced2b36109d02bf6bf9804c17d7876d22e8f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 3.1MB
  MD5:      feb24955d3504654b50393efdafde20d
  SHA1:     3e43172200820307c71d2885a94d4f40efd5cda7
  SHA256:   6f732f4a61ca68e185972687c1ecd6a2fed2b25bea11dd81bb9c5d8f0e471bce
  SHA512:   1547189a9a14f4fe7313d2bf07218c52b88128ca66d704ce0cb1ad1f529af6c87192c2f2f639f00718ed21cab5b0ebb14416e24c9b77c129ae54026de8f9b1fd

Memory dumps
  memory/2340-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp    Filesize: 4KB
  memory/2340-1-0x0000000000120000-0x0000000000444000-memory.dmp    Filesize: 3.1MB
  memory/2340-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp    Filesize: 9.9MB
  memory/2340-10-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp   Filesize: 9.9MB
  memory/2904-8-0x00000000012A0000-0x00000000015C4000-memory.dmp    Filesize: 3.1MB
  memory/2904-9-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp    Filesize: 9.9MB
  memory/2904-11-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp   Filesize: 9.9MB
  memory/2904-12-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp   Filesize: 9.9MB
  memory/2904-22-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp   Filesize: 9.9MB