Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 14:59
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240708-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: ada5a9cddc59be72633eba26835e7a3e
SHA1: de422e113b92b1d9c6baf46b159e387c5ec5517a
SHA256: 2dbd31f6ed2f964d191b7077c2acecc931648cc2f1a2a43f57b0cbb35d1b72c7
SHA512: c5fa3e3dd1946995c85fda7fe520b5eb34ef575e0b59fea2e01e51237fe3805a29f9d0eab2701aef9368d68e3d04a70e6f5a985d5d52d9cc1d3bcfe887b1763a
SSDEEP: 49152:bvbI22SsaNYfdPBldt698dBcjHm0xNESEck/iWLoGdZTHHB72eh2NT:bvk22SsaNYfdPBldt6+dBcjHNxjY
Malware Config
Extracted family: quasar
version: 1.4.1
tag: Office04
c2: 195.88.218.76:4782
mutex: 4b117633-2647-473d-81f9-9d4abde111bc
encryption_key: E86E3B923722E3F8294BD35A968E5EA213AFA362
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
  resource: behavioral2/memory/3132-1-0x0000000000FF0000-0x0000000001314000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation
  process: Client-built.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 3132
  process: Client-built.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid: 3132, process: Client-built.exe (4 occurrences)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid: 3132, process: Client-built.exe (4 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 3132 wrote to memory of 2680 | 3132 | Client-built.exe | cmd.exe (2 occurrences)
  PID 2680 wrote to memory of 4392 | 2680 | cmd.exe | chcp.com (2 occurrences)
  PID 2680 wrote to memory of 2708 | 2680 | cmd.exe | PING.EXE (2 occurrences)
Processes (tree depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 3132
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1hjgNavw45ZJ.bat" "
    PID: 2680
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 4392

    C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      PID: 2708
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 213B
MD5: 0eefeb9434c36f223b930bd6b88badbe
SHA1: 7967bbc76298218580d7bff5bdebe67124006767
SHA256: 2ddf665991f7f742384c54d79e525e7006e388328cbacb2dcbffb0d8f09ee5c0
SHA512: 1cd6249d2785d56d4f62b3b8d8a7021bf2362e00df6019e95514660800c8979f5307b8b5a0a8444961b995325828aaea86a6ef435de5e0a77cc3746e215010de