Analysis
- max time kernel: 125s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-08-2024 18:12
Behavioral task: behavioral1
- Sample: Nuke Loader.exe
- Resource: win7-20240704-en
General
- Target: Nuke Loader.exe
- Size: 3.1MB
- MD5: ed675e5b50992702716b65c5b15bd2ee
- SHA1: 2463edfe3d1667933aa2676876f4ac766450ff90
- SHA256: c4b6a54ec0f46c8c0df7d9f5f010c10c66ec23378b4548727fbfa2b3080ebf56
- SHA512: 7747767ebb54a2973bde62e41e823588b9bde30d3d6e7648827b224d085daaff10a65a6b71a97c58d4c53f37e1a111587fe5834ac8168779bcdb4e4e266ef44b
- SSDEEP: 49152:3vnI22SsaNYfdPBldt698dBcjHdDRJ6tbR3LoGdkTHHB72eh2NT:3vI22SsaNYfdPBldt6+dBcjHdDRJ6/
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 192.168.1.51:4782
- Mutex: b83cbaf1-3ce5-43f8-a42a-f845d8ef5467
- encryption_key: 7F14878C24A186BCD9E69BFA124C76DC41F0C9A7
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/3840-1-0x0000000000940000-0x0000000000C64000-memory.dmp  family_quasar
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                              family_quasar
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    5400  Client.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid   process
    368   schtasks.exe
    5620  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3840  Nuke Loader.exe
    Token: SeDebugPrivilege  5400  Client.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    5400  Client.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes:
    pid   process
    5400  Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    5400  Client.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process          target process
    PID 3840 wrote to memory of 368    3840  Nuke Loader.exe  schtasks.exe
    PID 3840 wrote to memory of 368    3840  Nuke Loader.exe  schtasks.exe
    PID 3840 wrote to memory of 5400   3840  Nuke Loader.exe  Client.exe
    PID 3840 wrote to memory of 5400   3840  Nuke Loader.exe  Client.exe
    PID 5400 wrote to memory of 5620   5400  Client.exe       schtasks.exe
    PID 5400 wrote to memory of 5620   5400  Client.exe       schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Nuke Loader.exe (PID 3840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nuke Loader.exe"
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SYSTEM32\schtasks.exe (PID 368)
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    Signatures:
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5400)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SYSTEM32\schtasks.exe (PID 5620)
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      Signatures:
      - Scheduled Task/Job: Scheduled Task
MITRE ATT&CK Enterprise v15