Analysis

max time kernel: 329s
max time network: 331s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 17:26
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240705-en
General

Target: Client-built.exe
Size: 3.1MB
MD5: 8b390eb4d2dc32a82c6b8047504fa532
SHA1: 5c6d6b99771b1301002a2a89e8567c8e5d8149d4
SHA256: aeeedbe5a56241a34a9761b5517a8648cadee5d583b2fe77d7beb1f030b0c9c3
SHA512: 3586923bedc527240bcb6b23d5a55bd55922dc4a2d3a6f7b68bda00d34abb3d473c34ef161199e2515bb8e82536ffc666b91f35f96101395ab6620b20ab13a27
SSDEEP: 49152:pHobtR1o2PmNXo7WCr5sN4Rw8IgXrYdSBewTHHB72eh2NT:pHmRvmNXo7WCr5lw8tVB
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 147.185.221.20:18563
C2: 147.185.221.20:9835
Mutex: c2e1b18a-ce93-436d-ad8b-21bf89015e19
encryption_key: 9E968F05BD874BA1BE086FD1774A027473823F49
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
  Processes:
    resource: behavioral2/memory/4276-1-0x0000000000BB0000-0x0000000000ED4000-memory.dmp
    yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation
    process: Client-built.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 4276
    process: Client-built.exe

Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes:
    pid 4276 Client-built.exe (7 occurrences)

Suspicious use of SendNotifyMessage (7 IoCs)
  Processes:
    pid 4276 Client-built.exe (7 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid process -> target process):
    PID 4276 wrote to memory of 620   4276 Client-built.exe -> cmd.exe
    PID 4276 wrote to memory of 620   4276 Client-built.exe -> cmd.exe
    PID 620 wrote to memory of 2892   620 cmd.exe -> chcp.com
    PID 620 wrote to memory of 2892   620 cmd.exe -> chcp.com
    PID 620 wrote to memory of 1760   620 cmd.exe -> PING.EXE
    PID 620 wrote to memory of 1760   620 cmd.exe -> PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 4276
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ofwAbWfkKGAU.bat" "
    PID: 620
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 2892

    C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      PID: 1760
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 213B
MD5: cb3a40f30bc0a8677abbdb3d6a4f9d50
SHA1: 1f2df8bfae3612f962f250fe9a6ebbab1725f975
SHA256: 677707cc52528faf159d3b77b11046b3f85edb83f6cdca28133bfe917ad3a0b6
SHA512: 39d84f8795f0465dcaabe83b5eb3e526b0f03bf419a9648f4bea394172e30bc91889fb2c1fd24c04f810783300f868157c2734999c11bbab7c5bddd2328cb6da