Analysis
- max time kernel: 21s
- max time network: 23s
- platform: windows10-2004_x64
- resource: win10v2004-20240729-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240729-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-07-2024 17:03
Behavioral task
- behavioral1
  - Sample: Client-built.exe
  - Resource: win7-20240708-en
  - Errors: none listed
The signatures, process tree and downloads below belong to the Windows 10 run (the memory-dump resource is named behavioral2 and the analysis platform above is windows10-2004_x64); the Windows 7 row is the other task of the same submission.
General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: 9a4f3b0223e0bcb90d5a08afdae6a169
- SHA1: b8ea3a64121a47f7a7abc73fc9a39d912b31a724
- SHA256: 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104
- SHA512: 38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601
- SSDEEP: 49152:SvHI22SsaNYfdPBldt698dBcjHJwRJ6cbR3LoGdFgTHHB72eh2NT:Svo22SsaNYfdPBldt6+dBcjHJwRJ6m
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- botnet (client tag): Office04
- c2: 192.168.1.70:4782
- mutex: 34828de8-c350-4dd4-85c9-16051c0443f7
- encryption_key: 2F1B645695C7578786A6BD1B6CD3966DFF24BC11
- install_name: sigmaexecutor.exe.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WIndows Updater
- subdirectory: SubDir

Reading the config: 4782 is Quasar's default listening port and 192.168.1.70 is an RFC 1918 address, so this build can only reach its operator from inside that LAN; from an internet-connected sandbox the client will keep retrying on its 3000 ms reconnect delay without completing a check-in. Office04 is Quasar's default client tag, whereas the install name, startup key and subdirectory have been customised: sigmaexecutor.exe.exe carries a double extension, and the task name's "WIndows" capitalisation is a usable hunting string. The install location (a SubDir folder under System32) is confirmed by the process tree below.
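To turn the extracted fields into something an analyst can act on, here is an added Python triage helper. It is this editor's code, not part of the sandbox report or of Quasar; it assumes the field names in the listing above, treats System32 as the install root because the process tree on this page shows it, and its address-scope and double-extension checks are heuristics of its own.

```python
import ipaddress
import ntpath

# Constructed from the config the sandbox extracted above. Field names follow
# that listing; the interpretation (scope, paths, flags) is added by this helper.
EXTRACTED_CONFIG = {
    "family": "quasar",
    "version": "1.4.1",
    "botnet": "Office04",
    "c2": "192.168.1.70:4782",
    "mutex": "34828de8-c350-4dd4-85c9-16051c0443f7",
    "encryption_key": "2F1B645695C7578786A6BD1B6CD3966DFF24BC11",
    "install_name": "sigmaexecutor.exe.exe",
    "log_directory": "Logs",
    "reconnect_delay": 3000,
    "startup_key": "WIndows Updater",
    "subdirectory": "SubDir",
}

QUASAR_DEFAULT_PORT = 4782  # the port the Quasar builder proposes by default
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


def c2_scope(c2: str) -> tuple[str, int, str]:
    """Split 'host:port' and classify the host, so the analyst knows whether
    the beacon can leave the victim's network at all."""
    host, _, port_s = c2.rpartition(":")
    host = host.strip("[]")  # tolerate bracketed IPv6 literals
    port = int(port_s)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, port, "hostname"  # needs DNS resolution to classify
    if ip.is_loopback:
        return host, port, "loopback"
    if ip.is_private:
        return host, port, "private"  # RFC 1918 / ULA: only reachable on-LAN
    return host, port, "public"


def expected_install_path(cfg: dict, install_root: str) -> str:
    """Quasar writes itself to <root>\\<subdirectory>\\<install_name>; the root is
    a build-time choice, and this page's process tree shows System32."""
    return ntpath.join(install_root, cfg["subdirectory"], cfg["install_name"])


def has_double_extension(name: str) -> bool:
    """True for names such as 'x.exe.exe' or 'x.exe.scr'."""
    stem, ext = ntpath.splitext(name)
    return bool(ext) and ntpath.splitext(stem)[1].lower() in EXEC_EXTS


def triage(cfg: dict, install_root: str = r"C:\Windows\system32") -> dict:
    """Derive host-side and network-side indicators from an extracted config."""
    host, port, scope = c2_scope(cfg["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "c2_scope": scope,
        "c2_default_port": port == QUASAR_DEFAULT_PORT,
        "install_path": expected_install_path(cfg, install_root),
        "double_extension": has_double_extension(cfg["install_name"]),
        "task_name": cfg["startup_key"],
        "mutex": cfg["mutex"],
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED_CONFIG).items():
        print(f"{key:18} {value}")
```

The scope field is the first thing to look at when a sandbox shows no network activity: a private C2 means the run could never have completed a check-in, so the absence of traffic says nothing about the payload's capability.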
Signatures

Quasar payload (2 IoCs)
- memory dump behavioral2/memory/1456-1-0x00000000008E0000-0x0000000000C04000-memory.dmp (PID 1456, Client-built.exe): yara_rule family_quasar
- file C:\Windows\System32\SubDir\sigmaexecutor.exe.exe: yara_rule family_quasar

Executes dropped EXE (1 IoC)
- PID 4644 sigmaexecutor.exe.exe

Drops file in System32 directory (5 IoCs)
- File created C:\Windows\system32\SubDir\sigmaexecutor.exe.exe (by Client-built.exe)
- File opened for modification C:\Windows\system32\SubDir\sigmaexecutor.exe.exe (by Client-built.exe)
- File opened for modification C:\Windows\system32\SubDir (by Client-built.exe)
- File opened for modification C:\Windows\system32\SubDir\sigmaexecutor.exe.exe (by sigmaexecutor.exe.exe)
- File opened for modification C:\Windows\system32\SubDir (by sigmaexecutor.exe.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3232 schtasks.exe
- PID 1864 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 740 msedge.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1456 Client-built.exe
- Token: SeDebugPrivilege, PID 4644 sigmaexecutor.exe.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
- PID 2336 msedge.exe (8 events)

Suspicious use of SendNotifyMessage (7 IoCs)
- PID 2336 msedge.exe (7 events)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4644 sigmaexecutor.exe.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1456 Client-built.exe wrote to memory of PID 3232 schtasks.exe (2 events)
- PID 1456 Client-built.exe wrote to memory of PID 4644 sigmaexecutor.exe.exe (2 events)
- PID 4644 sigmaexecutor.exe.exe wrote to memory of PID 1864 schtasks.exe (2 events)
- PID 2336 msedge.exe wrote to memory of PID 3692 msedge.exe (2 events)
- PID 2336 msedge.exe wrote to memory of PID 2308 msedge.exe (repeated)
- PID 2336 msedge.exe wrote to memory of PID 740 msedge.exe (2 events)
- PID 2336 msedge.exe wrote to memory of PID 1472 msedge.exe (repeated)

The three malware-related pairs match the parent/child relationships in the process tree below (each parent writing into a child it has just created). msedge.exe (PID 2336) appears in the tree as a separate top-level process, not as a child of the sample, and its WriteProcessMemory, FindShellTrayWindow, SendNotifyMessage and EnumeratesProcesses entries are ordinary browser process start-up; they are the bulk of the 64 events and should not be attributed to the sample.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 1456)
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (PID 3232)
    "schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
    Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\SubDir\sigmaexecutor.exe.exe (PID 4644)
    "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe"
    Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 1864)
      "schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
      Scheduled Task/Job: Scheduled Task
- C:\Windows\System32\rundll32.exe (PID 212)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2336)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3692)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa2fcd46f8,0x7ffa2fcd4708,0x7ffa2fcd4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2308)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 740)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1472)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5036)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1916)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 3776)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2376)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

The chain is the standard Quasar install sequence: the submitted binary registers the logon task, copies itself to the configured System32\SubDir path, starts that copy, and the copy registers the same task again with /f. Writing under C:\Windows\system32 and creating a task with /rl HIGHEST both require an elevated token, so the tree as shown reflects an elevated run. The rundll32.exe, msedge.exe and CompPkgSrv.exe entries are separate top-level processes with no parent in the malware chain.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 368c244e384ff4d49f8c2e7b8bea96d2
  SHA1: 69ce5a9daeaf1e26bba509f9569dc68b9a455c51
  SHA256: 6f8cb8fe96a0e80be05e02f0f504e40d20e7f5db23fd0edee0e56bcffa1059a3
  SHA512: ac460f1b35bcdefa89104e26379fc5639499607be6559353665a73ee8dd41822699d767532d48cffc67c755b75042294c29e93062d4eab22ca6bcbe054108a5c
- Filesize: 152B
  MD5: 8004d5759305b326cebfa4d67dee5f25
  SHA1: 36b9a94959977f79dd0a14380ba0516d09f8fcaa
  SHA256: 21f35e2ac53a817389d7027e99018450993fc66e37f916e454bff9eed95562d7
  SHA512: 7afba827395c1a5438091bd2762a097f6ea098fcbf3db99f90f9bc442afee7a7841a6e0e83f9cbf017cda0e52d35da93f8efd60cec73638baea5eaf1c85b7089
- Filesize: 6KB
  MD5: 0b5a94f313066de7077509e93ed07175
  SHA1: 12d2f3ee8c607727a0982114d44e5f1f31e612f8
  SHA256: ca5b2990ce4b3d0197749a403ce87588ec3d66dd83c64fa014546b374223b037
  SHA512: 6a708e3f641e0e4642e425b2e4003904b2580813ecb00883903fe17388af12ed34f86082fa304cc5857a469c3ac16f8b3e1cbf7e2cea7d7d31b20ef1cfe67d80
- Filesize: 3.1MB
  MD5: 9a4f3b0223e0bcb90d5a08afdae6a169
  SHA1: b8ea3a64121a47f7a7abc73fc9a39d912b31a724
  SHA256: 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104
  SHA512: 38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601
  These are the submitted sample's own hashes, so this artefact is a byte-identical copy of Client-built.exe (consistent with the SubDir drop the signatures attribute to it).
- Filesize: not listed
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-length input: this artefact is an empty file and carries no content to analyse.

The table gives no file names for these entries, so attribution beyond the two notes above (sample copy, empty file) is not possible from this page alone.
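Added example (this editor's code, not the sandbox's): classify the Downloads entries by their digests. With no file names in the table, the checks that can be made offline are that each digest is well formed, whether an entry is the zero-length input, and whether it is byte-identical to the submitted sample. The entry dictionaries below are copied from the table above (SHA512 omitted for brevity); hash_file is included for verifying a retrieved artefact against the listing.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Copied from the General and Downloads sections of this page (md5/sha1/sha256).
SAMPLE = {
    "md5": "9a4f3b0223e0bcb90d5a08afdae6a169",
    "sha1": "b8ea3a64121a47f7a7abc73fc9a39d912b31a724",
    "sha256": "031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104",
}
DOWNLOADS = [
    {"size": "152B", "md5": "368c244e384ff4d49f8c2e7b8bea96d2",
     "sha1": "69ce5a9daeaf1e26bba509f9569dc68b9a455c51",
     "sha256": "6f8cb8fe96a0e80be05e02f0f504e40d20e7f5db23fd0edee0e56bcffa1059a3"},
    {"size": "152B", "md5": "8004d5759305b326cebfa4d67dee5f25",
     "sha1": "36b9a94959977f79dd0a14380ba0516d09f8fcaa",
     "sha256": "21f35e2ac53a817389d7027e99018450993fc66e37f916e454bff9eed95562d7"},
    {"size": "6KB", "md5": "0b5a94f313066de7077509e93ed07175",
     "sha1": "12d2f3ee8c607727a0982114d44e5f1f31e612f8",
     "sha256": "ca5b2990ce4b3d0197749a403ce87588ec3d66dd83c64fa014546b374223b037"},
    {"size": "3.1MB", **SAMPLE},
    {"size": None, "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def hash_bytes(data: bytes) -> dict:
    """Hash one buffer with every algorithm the sandbox lists."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Single-pass multi-digest of a file, for checking a retrieved artefact."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


# Computed at import time rather than hard-coded, so the empty-file check
# cannot drift from the real digests of b"".
EMPTY_INPUT = hash_bytes(b"")


def well_formed(entry: dict) -> bool:
    """Every digest present has the right length and is hex; at least one is present."""
    present = [a for a in ALGOS if a in entry]
    return bool(present) and all(
        len(entry[a]) == HEX_LEN[a] and all(c in "0123456789abcdef" for c in entry[a].lower())
        for a in present
    )


def same_object(a: dict, b: dict) -> bool:
    """True when every digest listed on both sides agrees (case-insensitive)."""
    shared = [alg for alg in ALGOS if alg in a and alg in b]
    return bool(shared) and all(a[alg].lower() == b[alg].lower() for alg in shared)


def classify(entry: dict, sample: dict) -> str:
    if not well_formed(entry):
        return "malformed"
    if same_object(entry, EMPTY_INPUT):
        return "empty-file"
    if same_object(entry, sample):
        return "identical-to-sample"
    return "other"


def summarize(downloads: list, sample: dict) -> dict:
    """Map each classification to the indices of the entries that fall under it."""
    out = {}
    for i, entry in enumerate(downloads):
        out.setdefault(classify(entry, sample), []).append(i)
    return out


if __name__ == "__main__":
    for label, idx in summarize(DOWNLOADS, SAMPLE).items():
        print(f"{label:20} entries {idx}")
```

Checking for the empty-input digests is worth automating: sandboxes list every file they managed to collect, and a zero-byte entry usually means the collector caught a file before it was written, not that the sample dropped an empty file on purpose.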