Analysis

  • max time kernel
    21s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240729-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 17:03

Errors

Reason
Machine shutdown

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    9a4f3b0223e0bcb90d5a08afdae6a169

  • SHA1

    b8ea3a64121a47f7a7abc73fc9a39d912b31a724

  • SHA256

    031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104

  • SHA512

    38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601

  • SSDEEP

    49152:SvHI22SsaNYfdPBldt698dBcjHJwRJ6cbR3LoGdFgTHHB72eh2NT:Svo22SsaNYfdPBldt6+dBcjHJwRJ6m

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.70:4782

Mutex

34828de8-c350-4dd4-85c9-16051c0443f7

Attributes
  • encryption_key

    2F1B645695C7578786A6BD1B6CD3966DFF24BC11

  • install_name

    sigmaexecutor.exe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WIndows Updater

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3232
    • C:\Windows\system32\SubDir\sigmaexecutor.exe.exe
      "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1864
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:212
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa2fcd46f8,0x7ffa2fcd4708,0x7ffa2fcd4718
        2⤵
          PID:3692
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
          2⤵
            PID:2308
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:740
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
            2⤵
              PID:1472
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
              2⤵
                PID:5036
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2544102736690516289,4900338515652639670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                2⤵
                  PID:1916
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:3776
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:2376

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    368c244e384ff4d49f8c2e7b8bea96d2

                    SHA1

                    69ce5a9daeaf1e26bba509f9569dc68b9a455c51

                    SHA256

                    6f8cb8fe96a0e80be05e02f0f504e40d20e7f5db23fd0edee0e56bcffa1059a3

                    SHA512

                    ac460f1b35bcdefa89104e26379fc5639499607be6559353665a73ee8dd41822699d767532d48cffc67c755b75042294c29e93062d4eab22ca6bcbe054108a5c

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    8004d5759305b326cebfa4d67dee5f25

                    SHA1

                    36b9a94959977f79dd0a14380ba0516d09f8fcaa

                    SHA256

                    21f35e2ac53a817389d7027e99018450993fc66e37f916e454bff9eed95562d7

                    SHA512

                    7afba827395c1a5438091bd2762a097f6ea098fcbf3db99f90f9bc442afee7a7841a6e0e83f9cbf017cda0e52d35da93f8efd60cec73638baea5eaf1c85b7089

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                    Filesize

                    6KB

                    MD5

                    0b5a94f313066de7077509e93ed07175

                    SHA1

                    12d2f3ee8c607727a0982114d44e5f1f31e612f8

                    SHA256

                    ca5b2990ce4b3d0197749a403ce87588ec3d66dd83c64fa014546b374223b037

                    SHA512

                    6a708e3f641e0e4642e425b2e4003904b2580813ecb00883903fe17388af12ed34f86082fa304cc5857a469c3ac16f8b3e1cbf7e2cea7d7d31b20ef1cfe67d80

                  • C:\Windows\System32\SubDir\sigmaexecutor.exe.exe

                    Filesize

                    3.1MB

                    MD5

                    9a4f3b0223e0bcb90d5a08afdae6a169

                    SHA1

                    b8ea3a64121a47f7a7abc73fc9a39d912b31a724

                    SHA256

                    031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104

                    SHA512

                    38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601

                  • \??\pipe\LOCAL\crashpad_2336_BAWLTKVLCZUWBCAM

                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  • memory/1456-9-0x00007FFA33770000-0x00007FFA34231000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/1456-0-0x00007FFA33773000-0x00007FFA33775000-memory.dmp

                    Filesize

                    8KB

                  • memory/1456-2-0x00007FFA33770000-0x00007FFA34231000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/1456-1-0x00000000008E0000-0x0000000000C04000-memory.dmp

                    Filesize

                    3.1MB

                  • memory/4644-10-0x00007FFA33770000-0x00007FFA34231000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4644-11-0x00007FFA33770000-0x00007FFA34231000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4644-12-0x000000001B980000-0x000000001B9D0000-memory.dmp

                    Filesize

                    320KB

                  • memory/4644-13-0x000000001BA90000-0x000000001BB42000-memory.dmp

                    Filesize

                    712KB