Analysis

- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2024 23:53

Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20240729-en
General

- Target: Client-built.exe
- Size: 3.1MB
- MD5: b45a77a2cdaca1dbaf0ebeec34178a95
- SHA1: 4b43a29635df7b060ec3c7696c45446bf37c8150
- SHA256: 76ba8ec8222df3a96263d57d284c0acd8f62a604e2a46e86e8a5b46d6018607c
- SHA512: cdfbe90b1ad02b69a5bfcb577d1cd8c12d055df2e370716d0faccf65364edecf5c8103f55355daa11a8d845a24d453b78c6e49f06242043ffa1a0a9d8e7d052d
- SSDEEP: 49152:Dv+lL26AaNeWgPhlmVqvMQ7XSKeCxNESErk/i8LoGdlETHHB72eh2NT:DvuL26AaNeWgPhlmVqkQ7XSKrxaC
Malware Config

Extracted

- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 192.168.1.28:4782
- Mutex: 180b92ba-98f1-484b-b54f-264758c8d7f4
- encryption_key: E2AD968D101B25448614267CCA174D53CE1050BA
- install_name: BootstrapperV1.11.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: BootstrapperV1.11
- subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
Resources matching yara rule family_quasar:
- behavioral1/memory/2336-1-0x00000000002A0000-0x00000000005C4000-memory.dmp
- C:\Users\Admin\AppData\Roaming\SubDir\BootstrapperV1.11.exe
- behavioral1/memory/3056-7-0x0000000000110000-0x0000000000434000-memory.dmp

Executes dropped EXE (1 IoC)
Processes:
- PID 3056: BootstrapperV1.11.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 2376: schtasks.exe
- PID 2316: schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2336, Client-built.exe
- Token: SeDebugPrivilege, PID 3056, BootstrapperV1.11.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 3056: BootstrapperV1.11.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID and process, target PID and process; each event was reported three times):
- PID 2336 Client-built.exe wrote to memory of PID 2376 schtasks.exe (x3)
- PID 2336 Client-built.exe wrote to memory of PID 3056 BootstrapperV1.11.exe (x3)
- PID 3056 BootstrapperV1.11.exe wrote to memory of PID 2316 schtasks.exe (x3)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 2336
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "BootstrapperV1.11" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\BootstrapperV1.11.exe" /rl HIGHEST /f
    PID: 2376
    - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Roaming\SubDir\BootstrapperV1.11.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\BootstrapperV1.11.exe"
    PID: 3056
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "BootstrapperV1.11" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\BootstrapperV1.11.exe" /rl HIGHEST /f
      PID: 2316
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.1MB
- MD5: b45a77a2cdaca1dbaf0ebeec34178a95
- SHA1: 4b43a29635df7b060ec3c7696c45446bf37c8150
- SHA256: 76ba8ec8222df3a96263d57d284c0acd8f62a604e2a46e86e8a5b46d6018607c
- SHA512: cdfbe90b1ad02b69a5bfcb577d1cd8c12d055df2e370716d0faccf65364edecf5c8103f55355daa11a8d845a24d453b78c6e49f06242043ffa1a0a9d8e7d052d