Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 23:29
Behavioral task: behavioral1
Sample: b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe
Resource: win7-20240708-en
General
Target: b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe
Size: 3.1MB
MD5: 7c57eda4bef5b6a6f5ca084dde31deb7
SHA1: 8ed5f1f48691e8d3d5e910b1fd46d0ce0d30eb1e
SHA256: b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62
SHA512: 22d5be1c470f673b7a89ccb972c9b907eb76a070246d071550d891d52d2e4eba2a14df6924b98e1d866ad216e02e3a7cc368f545a578dfe6eaffec461abefe5d
SSDEEP: 49152:ivjI22SsaNYfdPBldt698dBcjHHAek9hBvJGLoGdkTHHB72eh2NT:ivc22SsaNYfdPBldt6+dBcjH2h8
Malware Config
Extracted
family: quasar
version: 1.4.1
tag: Office04
C2: 192.168.1.28:4782
mutex: 180b92ba-98f1-484b-b54f-264758c8d7f4
encryption_key: E2AD968D101B25448614267CCA174D53CE1050BA
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: BootstrapperV1.11
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/1212-1-0x0000000000C30000-0x0000000000F54000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar

Executes dropped EXE (1 IoC)
pid | process
4224 | Client.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
2308 | schtasks.exe
2372 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1212 | b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe
Token: SeDebugPrivilege | 4224 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
4224 | Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 1212 wrote to memory of 2308 | 1212 | b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe | schtasks.exe
PID 1212 wrote to memory of 2308 | 1212 | b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe | schtasks.exe
PID 1212 wrote to memory of 4224 | 1212 | b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe | Client.exe
PID 1212 wrote to memory of 4224 | 1212 | b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe | Client.exe
PID 4224 wrote to memory of 2372 | 4224 | Client.exe | schtasks.exe
PID 4224 wrote to memory of 2372 | 4224 | Client.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe (PID 1212, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe (PID 2308, level 2)
    command line: "schtasks" /create /tn "BootstrapperV1.11" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4224, level 2)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe (PID 2372, level 3)
      command line: "schtasks" /create /tn "BootstrapperV1.11" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 7c57eda4bef5b6a6f5ca084dde31deb7
SHA1: 8ed5f1f48691e8d3d5e910b1fd46d0ce0d30eb1e
SHA256: b8d24236cb542dd0358707623e485d1f8f5b917103f88e7de9d81356a8bd0a62
SHA512: 22d5be1c470f673b7a89ccb972c9b907eb76a070246d071550d891d52d2e4eba2a14df6924b98e1d866ad216e02e3a7cc368f545a578dfe6eaffec461abefe5d