Analysis

Max time kernel: 148s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-06-2024 19:39
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240221-en
General

Target: Client-built.exe
Size: 3.1MB
MD5: 6ed079e125e5cb44b9a356d7841b2552
SHA1: 064a8b8f919bd991cb522b64ea8961b54a06eec1
SHA256: e3061316ff7828b9471979d0e50b64d9050c8c42de21fa4a4a2bb6d51c753a83
SHA512: f71124e41db02717981fea66a378368d11fe9606fdc343371a92d0748f4211dcc9ba5435ca5dba4cacbd31e39f1937cf0698334284b2535169d8fc2aed0e171d
SSDEEP: 49152:KvOI22SsaNYfdPBldt698dBcjHwrxNESEsk/i2LoGd/THHB72eh2NT:Kvj22SsaNYfdPBldt6+dBcjHgxX4
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 142.161.90.171:5000
Mutex: a7509023-1226-4493-880a-2f99c5fd7acf
encryption_key: 42264509D6E4D45CA690ED3425881B1D02A87342
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/460-1-0x00000000005E0000-0x0000000000904000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1984 | Client.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 460 | Client-built.exe
  Token: SeDebugPrivilege | 1984 | Client.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  1984 | Client.exe
  1984 | Client.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid | process
  1984 | Client.exe
  1984 | Client.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description | pid | process | target process
  PID 460 wrote to memory of 1984 | 460 | Client-built.exe | Client.exe
  PID 460 wrote to memory of 1984 | 460 | Client-built.exe | Client.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Client-built.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Downloads
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 3.1MB
  MD5: 6ed079e125e5cb44b9a356d7841b2552
  SHA1: 064a8b8f919bd991cb522b64ea8961b54a06eec1
  SHA256: e3061316ff7828b9471979d0e50b64d9050c8c42de21fa4a4a2bb6d51c753a83
  SHA512: f71124e41db02717981fea66a378368d11fe9606fdc343371a92d0748f4211dcc9ba5435ca5dba4cacbd31e39f1937cf0698334284b2535169d8fc2aed0e171d

memory/460-0-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp
  Filesize: 8KB

memory/460-1-0x00000000005E0000-0x0000000000904000-memory.dmp
  Filesize: 3.1MB

memory/460-2-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
  Filesize: 10.8MB

memory/460-8-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
  Filesize: 10.8MB

memory/1984-10-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
  Filesize: 10.8MB

memory/1984-9-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
  Filesize: 10.8MB

memory/1984-11-0x000000001C6A0000-0x000000001C6F0000-memory.dmp
  Filesize: 320KB

memory/1984-12-0x000000001C7B0000-0x000000001C862000-memory.dmp
  Filesize: 712KB

memory/1984-16-0x000000001C750000-0x000000001C78C000-memory.dmp
  Filesize: 240KB

memory/1984-15-0x000000001C6F0000-0x000000001C702000-memory.dmp
  Filesize: 72KB

memory/1984-17-0x000000001D2B0000-0x000000001D3B2000-memory.dmp
  Filesize: 1.0MB

memory/1984-19-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
  Filesize: 10.8MB

memory/1984-20-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
  Filesize: 10.8MB