Analysis

- max time kernel: 71s
- max time network: 98s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 02-08-2024 18:12
Behavioral task: behavioral1

- Sample: Nuke Loader.exe
- Resource: win7-20240704-en
General

- Target: Nuke Loader.exe
- Size: 3.1MB
- MD5: ed675e5b50992702716b65c5b15bd2ee
- SHA1: 2463edfe3d1667933aa2676876f4ac766450ff90
- SHA256: c4b6a54ec0f46c8c0df7d9f5f010c10c66ec23378b4548727fbfa2b3080ebf56
- SHA512: 7747767ebb54a2973bde62e41e823588b9bde30d3d6e7648827b224d085daaff10a65a6b71a97c58d4c53f37e1a111587fe5834ac8168779bcdb4e4e266ef44b
- SSDEEP: 49152:3vnI22SsaNYfdPBldt698dBcjHdDRJ6tbR3LoGdkTHHB72eh2NT:3vI22SsaNYfdPBldt6+dBcjHdDRJ6/
Malware Config

Extracted

- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 192.168.1.51:4782
- Mutex: b83cbaf1-3ce5-43f8-a42a-f845d8ef5467
- encryption_key: 7F14878C24A186BCD9E69BFA124C76DC41F0C9A7
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2564-1-0x0000000000E60000-0x0000000001184000-memory.dmp    family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                              family_quasar
  behavioral1/memory/2724-10-0x0000000001350000-0x0000000001674000-memory.dmp   family_quasar
Executes dropped EXE (1 IoC)
Processes:
  pid    process
  2724   Client.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description         ioc                                                                      process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    chrome.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid    process
  2704   schtasks.exe
  2688   schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  1736   chrome.exe
  1736   chrome.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description                   pid    process
  Token: SeDebugPrivilege       2564   Nuke Loader.exe
  Token: SeDebugPrivilege       2724   Client.exe
  Token: SeShutdownPrivilege    1736   chrome.exe   (8 entries)
Suspicious use of FindShellTrayWindow (35 IoCs)
Processes:
  pid    process
  2724   Client.exe
  1736   chrome.exe   (34 entries)
Suspicious use of SendNotifyMessage (33 IoCs)
Processes:
  pid    process
  2724   Client.exe
  1736   chrome.exe   (32 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid    process
  2724   Client.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed; the original listing repeats each row several times):
  description                            pid    process           target process
  PID 2564 wrote to memory of 2704       2564   Nuke Loader.exe   schtasks.exe    (3 entries)
  PID 2564 wrote to memory of 2724       2564   Nuke Loader.exe   Client.exe      (3 entries)
  PID 2724 wrote to memory of 2688       2724   Client.exe        schtasks.exe    (3 entries)
  PID 1736 wrote to memory of 1968       1736   chrome.exe        chrome.exe      (3 entries)
  PID 1736 wrote to memory of 2268       1736   chrome.exe        chrome.exe      (repeated many times)
  PID 1736 wrote to memory of 2204       1736   chrome.exe        chrome.exe      (3 entries)
  PID 1736 wrote to memory of 2200       1736   chrome.exe        chrome.exe      (10 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Nuke Loader.exe  (PID 2564)
  command line: "C:\Users\Admin\AppData\Local\Temp\Nuke Loader.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\system32\schtasks.exe  (PID 2704)
  |     command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  |     signatures: Scheduled Task/Job: Scheduled Task
  |
  +-- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 2724)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\system32\schtasks.exe  (PID 2688)
              command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              signatures: Scheduled Task/Job: Scheduled Task

C:\Windows\explorer.exe  (PID 2644)
  command line: "C:\Windows\explorer.exe"

C:\Windows\explorer.exe  (PID 708)
  command line: "C:\Windows\explorer.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1736)
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1968)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee999758,0x7feee999768,0x7feee999778
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2268)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:2
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2204)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:8
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2200)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:8
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2256)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2136 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:1
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2272)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1612 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:1
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1028)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1520 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:2
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1604)
  |     command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1492 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:1
  |
  +-- C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2728)
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1332,i,1337797323151470819,13546893513996321108,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 2300)
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads