Analysis
-
max time kernel
90s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-06-2024 19:13
General
-
Target
TestforKio.exe
-
Size
3.1MB
-
MD5
47058cd2874396c053c1b9d90b987b99
-
SHA1
9bbfa6ee0adfc5df280740906df97b4f45b611fa
-
SHA256
e775b42335e7764a5bf9e695f68272c68fc68de16d20bd3b11af95632edcfc5b
-
SHA512
cc3e5bfa9453880d34d33fa448fd06c2cf50608ad9dbfef59d7cbf46f76bdebc739973155fc3e365a008cd40022a1c1587b04342a95e38203625a24709ac545a
-
SSDEEP
49152:fvnI22SsaNYfdPBldt698dBcjHNxDE/Ayk/JxvoGdJTHHB72eh2NT:fvI22SsaNYfdPBldt6+dBcjHNxzV
Malware Config
Extracted
quasar
1.4.1
zzzz
8.tcp.ngrok.io:18001
116e2822-047d-4b5c-ad10-563148a1a28e
-
encryption_key
C366BC97216329D1909524412E3ECB1EBC575D07
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2888-1-0x0000000000350000-0x0000000000674000-memory.dmp family_quasar -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
TestforKio.exedescription pid process Token: SeDebugPrivilege 2888 TestforKio.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
TestforKio.exepid process 2888 TestforKio.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
TestforKio.execmd.exedescription pid process target process PID 2888 wrote to memory of 456 2888 TestforKio.exe cmd.exe PID 2888 wrote to memory of 456 2888 TestforKio.exe cmd.exe PID 456 wrote to memory of 4748 456 cmd.exe chcp.com PID 456 wrote to memory of 4748 456 cmd.exe chcp.com PID 456 wrote to memory of 2400 456 cmd.exe PING.EXE PID 456 wrote to memory of 2400 456 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\TestforKio.exe"C:\Users\Admin\AppData\Local\Temp\TestforKio.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9RmSfPkLQZwh.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:4748
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
PID:2400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
211B
MD524321d9b49b2ec4fd081311d089e7bbf
SHA17dddb53cde368c35da47a261e28ffd91b4886954
SHA256ece59d3f00b238ef13f359f16c874f0c6b5acaf3d3b3b26f364a77c08ad0befc
SHA512981f810080f8bbd7f5450b6a1960e58572935e53222a1603f8f56e56350a78f04d557cdad86658042868133590bf1fee2a62e3688a0e74006198b4d9f5c57d44