Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 31-07-2024 23:05
General
- Target: Solara.exe
- Size: 3.1MB
- MD5: 18f4ed548b5f7d78671bb4ab4bc3affb
- SHA1: 62fc7cdc7d84cc52147f7782f5dd28616bee09fd
- SHA256: bc1bee5bf891b3cb91c8e74927634250aaa9f2fed3bb3c965e6106f34e5cc54b
- SHA512: b5ed744f47b97ec7a0bc224f50035da9e9424a8f1820763ff650e384c0acc251ac28b50f5bc0fa5b787b9795709a37ca082d5dc649cade7990a1ca6fe8e6f153
- SSDEEP: 49152:qvkt62XlaSFNWPjljiFa2RoUYIAzD7MI2K7oGdfdgTHHB72eh2NT:qv462XlaSFNWPjljiFXRoUYIAzD7N
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 10.2.0.2:4782
- Mutex: cc6f57e2-b224-4b7b-bfae-0b1e6f95f22f
- encryption_key: 48E15FD52A3A24CE1F767DA2AD76CB0B862CC879
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
-
Quasar payload (2 IoCs)
Resource / YARA rule:
- behavioral1/memory/1008-1-0x0000000000470000-0x0000000000794000-memory.dmp: family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe: family_quasar
Executes dropped EXE (1 IoC)
Processes (PID / process):
- 3712 Client.exe
Drops file in Windows directory (2 IoCs)
Processes (description / IoC / process):
- File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri (taskmgr.exe)
- File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (taskmgr.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description / IoC / process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (PID / process):
- 1788 taskmgr.exe (20 occurrences)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description / PID / process):
- Token: SeDebugPrivilege, 1008 Solara.exe
- Token: SeDebugPrivilege, 3712 Client.exe
- Token: SeDebugPrivilege, 1788 taskmgr.exe
- Token: SeSystemProfilePrivilege, 1788 taskmgr.exe
- Token: SeCreateGlobalPrivilege, 1788 taskmgr.exe
- Token: 33, 1788 taskmgr.exe
- Token: SeIncBasePriorityPrivilege, 1788 taskmgr.exe
Suspicious use of FindShellTrayWindow (46 IoCs)
Processes (PID / process):
- 1788 taskmgr.exe (46 occurrences)
Suspicious use of SendNotifyMessage (46 IoCs)
Processes (PID / process):
- 1788 taskmgr.exe (46 occurrences)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (PID / process):
- 3712 Client.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description / PID / process / target process):
- PID 1008 wrote to memory of 3712: Solara.exe -> Client.exe
- PID 1008 wrote to memory of 3712: Solara.exe -> Client.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe" (depth 1)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1008
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" (depth 2, child of PID 1008)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3712
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7 (depth 1)
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
- MD5: 18f4ed548b5f7d78671bb4ab4bc3affb
- SHA1: 62fc7cdc7d84cc52147f7782f5dd28616bee09fd
- SHA256: bc1bee5bf891b3cb91c8e74927634250aaa9f2fed3bb3c965e6106f34e5cc54b
- SHA512: b5ed744f47b97ec7a0bc224f50035da9e9424a8f1820763ff650e384c0acc251ac28b50f5bc0fa5b787b9795709a37ca082d5dc649cade7990a1ca6fe8e6f153