Analysis

max time kernel:   147s
max time network:  150s
platform:          windows11-21h2_x64
resource:          win11-20240611-en
resource tags:     arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         29-06-2024 19:08
General

Target:  Client-built.exe
Size:    3.1MB
MD5:     6008a46eb8c69c7d6f65886d3e67c93d
SHA1:    eaea51712b1462431f0afa92f18484cd2e5fc94c
SHA256:  3dfe010c8df45dbddb6707085c2d3c686288312bae8015a3a639a505cd6d7ba6
SHA512:  37f8840dc4790394a7aa02c2ecdd5caa097d653133850d3cae89b50020f861ec9866b840d3d8696cd6b1be6797e67de533579f86c037f0bdc588c53da8d7f5d9
SSDEEP:  49152:PvnI22SsaNYfdPBldt698dBcjH18cmbmz1qoGddOTHHB72eh2NT:PvI22SsaNYfdPBldt6+dBcjHucmrt
Malware Config

Extracted

family:           quasar
version:          1.4.1
botnet (tag):     zzzz
c2:               8.tcp.ngrok.io:13597
mutex:            116e2822-047d-4b5c-ad10-563148a1a28e
encryption_key:   C366BC97216329D1909524412E3ECB1EBC575D07
install_name:     Client.exe
log_directory:    Logs
reconnect_delay:  3000 (ms)
startup_key:      Quasar Client Startup
subdirectory:     SubDir
Signatures

Quasar payload (1 IoC)
  resource      yara_rule       memory region
  behavioral1   family_quasar   memory/4604-1-0x0000000000180000-0x00000000004A4000-memory.dmp
  (the rule matched a dump of PID 4604, Client-built.exe, at 0x180000-0x4A4000)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  (the extracted C2 8.tcp.ngrok.io:13597 is an ngrok TCP tunnel endpoint)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                 pid    process
  Token: SeDebugPrivilege     4604   Client-built.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  4604   Client-built.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description        pid    process            target pid   target process
  wrote to memory    4604   Client-built.exe   880          cmd.exe
  wrote to memory    4604   Client-built.exe   880          cmd.exe
  wrote to memory    880    cmd.exe            3700         chcp.com
  wrote to memory    880    cmd.exe            3700         chcp.com
  wrote to memory    880    cmd.exe            3848         PING.EXE
  wrote to memory    880    cmd.exe            3848         PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\Client-built.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
   PID: 4604
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ORoukgUd9aj4.bat" "
      PID: 880
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\chcp.com
         command line: chcp 65001
         PID: 3700

      3. C:\Windows\system32\PING.EXE
         command line: ping -n 10 localhost
         PID: 3848
         - Runs ping.exe
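The process tree above is the one worth alerting on: a binary running out of the user's %TEMP% launches cmd.exe on a .bat in the same directory, and that batch does nothing but `chcp 65001` and `ping -n 10 localhost` (ping to localhost is the batch-file idiom for "sleep N seconds", and this matches the shape of the update/uninstall batch the Quasar client writes before deleting or replacing its own executable). Combined with the extracted C2 on an ngrok TCP tunnel, this gives two cheap hunts. The script below is an added example, not part of the sandbox report or of the Quasar project; the Sysmon-style events it runs over are constructed to mirror the report's process tree, the network event is built from the extracted config rather than from captured traffic, and the parent PID 2240 and the benign "check.bat" chain are invented noise.

```python
# Added example (not from the sandbox report): hunt for the two behaviours the
# report shows for this Quasar sample in Sysmon-style process/network telemetry.
#   1. a process connecting to a *.tcp.ngrok.io tunnel (the extracted C2)
#   2. cmd.exe running a .bat out of %TEMP% whose children are chcp.com 65001
#      and "ping -n N localhost", the shape of Quasar's update/uninstall batch
# EVENTS is CONSTRUCTED: pids/images mirror the report, ppid 2240 and the
# check.bat chain are invented noise, the ngrok event comes from the config.
import re
from collections import defaultdict

EVENTS = [
    {"type": "proc", "pid": 4604, "ppid": 2240,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'},
    {"type": "net", "pid": 4604, "dst_host": "8.tcp.ngrok.io", "dst_port": 13597},
    {"type": "proc", "pid": 880, "ppid": 4604,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ORoukgUd9aj4.bat" "'},
    {"type": "proc", "pid": 3700, "ppid": 880,
     "image": r"C:\Windows\system32\chcp.com", "cmd": "chcp 65001"},
    {"type": "proc", "pid": 3848, "ppid": 880,
     "image": r"C:\Windows\system32\PING.EXE", "cmd": "ping -n 10 localhost"},
    # constructed benign noise: an admin batch that pings a file server
    {"type": "proc", "pid": 5000, "ppid": 1200,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\system32\cmd.exe", "cmd": r'cmd.exe /c "C:\Tools\check.bat"'},
    {"type": "proc", "pid": 5200, "ppid": 5100,
     "image": r"C:\Windows\system32\PING.EXE", "cmd": "ping -n 4 fileserver"},
    {"type": "net", "pid": 5000, "dst_host": "www.microsoft.com", "dst_port": 443},
]

# ngrok TCP tunnels are <n>.tcp.ngrok.io on a high port; key on the domain, not the port
NGROK_TCP = re.compile(r"(?:^|\.)tcp\.ngrok\.io$", re.IGNORECASE)
# a .bat under the user's %TEMP%, wherever it sits in the command line
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\"\\]+\.bat", re.IGNORECASE)
# "ping -n <count> localhost" used as a sleep, with or without the "> nul"
PING_SLEEP = re.compile(r"^ping\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)\s*(?:>\s*nul)?$",
                        re.IGNORECASE)


def _basename_is(image, name):
    """Case-insensitive check that an image path ends in \\<name>."""
    return image.lower().endswith("\\" + name.lower())


def find_ngrok_c2(events):
    """Return (pid, host:port) for every connection to an ngrok TCP tunnel."""
    return [(e["pid"], f'{e["dst_host"]}:{e["dst_port"]}')
            for e in events
            if e["type"] == "net" and NGROK_TCP.search(e["dst_host"])]


def find_quasar_batch_chains(events):
    """One hit per cmd.exe that ran a %TEMP% .bat and spawned both chcp.com 65001
    and a ping-to-localhost sleep; the parent is resolved so the analyst can
    see what dropped the batch."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)

    hits = []
    for cmd in procs.values():
        if not (_basename_is(cmd["image"], "cmd.exe") and TEMP_BAT.search(cmd["cmd"])):
            continue
        kids = children[cmd["pid"]]
        has_chcp = any(_basename_is(k["image"], "chcp.com") and "65001" in k["cmd"]
                       for k in kids)
        has_ping = any(_basename_is(k["image"], "ping.exe") and PING_SLEEP.match(k["cmd"].strip())
                       for k in kids)
        if not (has_chcp and has_ping):
            continue
        parent = procs.get(cmd["ppid"])
        hits.append({
            "cmd_pid": cmd["pid"],
            "parent_pid": cmd["ppid"],
            "parent_image": parent["image"] if parent else None,
            # a parent living in %TEMP%, as in the report, raises the priority
            "parent_in_temp": bool(parent and "\\appdata\\local\\temp\\" in parent["image"].lower()),
        })
    return hits


if __name__ == "__main__":
    for pid, dst in find_ngrok_c2(EVENTS):
        print(f"[C2] pid {pid} -> {dst}")
    for h in find_quasar_batch_chains(EVENTS):
        print(f"[batch] cmd.exe {h['cmd_pid']} spawned by {h['parent_image']} "
              f"(pid {h['parent_pid']}, parent in temp: {h['parent_in_temp']})")
```

The batch check deliberately requires both children rather than keying on ping alone, because `ping -n N localhost` on its own is common in legitimate scripts; the benign check.bat chain in the constructed events is there to show that it does not fire. Neither rule depends on the hashes or the .bat name from this report, which change per build.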
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  213B
MD5:       5e37f1653168f5691d4ec309ca5eafb3
SHA1:      3d923f63c3f2154143a77cc9395fe9ca0e400632
SHA256:    8a546d9af6411de48b28e75bed475a064436ccd0e53875ca29b70d6e780fd5b2
SHA512:    9444c826e251c36199bb22f347c287f37bd9904f42ad0c7d6e5dedc590c4438229fd24f8960088049d9c7daa6e66a91a3b47ac93d2167ca1ab625efade316f1c