Analysis
  max time kernel: 93s
  max time network: 135s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14/06/2024, 23:09
Behavioral task: behavioral1
  Sample: Client-built.exe
  Resource: win10-20240404-en
General
  Target: Client-built.exe
  Size: 405KB
  MD5: 0c84b58a5322284269f3b86e648e1fc8
  SHA1: 6776c3963a64a3ace4caaff164669364356f72aa
  SHA256: 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
  SHA512: 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7
  SSDEEP: 6144:yphjZx5jbx+DgrQo2fVH/i96bpjWprW5hthvo5lDzWEi5HFkgDVc:kjrZbaVfi6SGfel/WnHxDVc
Malware Config
Extracted
  Family: quasar
  Version: 3.1.5
  Botnet: School
  C2: runderscore00-37568.portmap.host:37568
  Mutex: QSR_MUTEX_BNyj3AdZ8NIXACv5S5
  encryption_key: G3FFg7Ec2ieFqaQw5SZ2
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/3508-1-0x0000000000670000-0x00000000006DC000-memory.dmp   family_quasar
  behavioral2/files/0x000b00000002336c-11.dat                                  family_quasar

Executes dropped EXE (1 IoCs)
  pid    Process
  4480   Client.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  7      ip-api.com

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  368    schtasks.exe
  3428   schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   3508   Client-built.exe
  Token: SeDebugPrivilege   4480   Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  4480   Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process            procid_target
  PID 3508 wrote to memory of 368    3508   Client-built.exe   85
  PID 3508 wrote to memory of 368    3508   Client-built.exe   85
  PID 3508 wrote to memory of 368    3508   Client-built.exe   85
  PID 3508 wrote to memory of 4480   3508   Client-built.exe   87
  PID 3508 wrote to memory of 4480   3508   Client-built.exe   87
  PID 3508 wrote to memory of 4480   3508   Client-built.exe   87
  PID 4480 wrote to memory of 3428   4480   Client.exe         88
  PID 4480 wrote to memory of 3428   4480   Client.exe         88
  PID 4480 wrote to memory of 3428   4480   Client.exe         88
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 3508
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
      PID: 368
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      PID: 4480
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          PID: 3428
          - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 405KB
  MD5: 0c84b58a5322284269f3b86e648e1fc8
  SHA1: 6776c3963a64a3ace4caaff164669364356f72aa
  SHA256: 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
  SHA512: 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7