Analysis

max time kernel:  65s
max time network: 69s
platform:         windows10-2004_x64
resource:         win10v2004-20240802-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:        04-08-2024 21:24
Static task:      static1
URLScan task:     urlscan1
Malware Config

Extracted
Family:  quasar
Version: 1.4.1
Botnet:  Office04
C2:      192.168.1.81:4782 (RFC 1918 private address: this build only reaches a controller on the same LAN)
Mutex:   0a59af96-9d42-44d5-b396-2e1eed2f0ccd
Attributes:
  encryption_key:  D74FD39F07C448A62144F09979721B1B6749C76E
  install_name:    amdlogum.exe
  log_directory:   Logs
  reconnect_delay: 3000
  startup_key:     Update.exe
  subdirectory:    Windows

The install path seen in the process tree, C:\Windows\system32\Windows\amdlogum.exe, is System32 + subdirectory + install_name, and the scheduled task name "Update.exe" is the startup_key.
Signatures

Quasar payload  (2 IoCs)
Resources matched by YARA rule family_quasar:
  behavioral1/memory/1884-1-0x00000000003D0000-0x00000000006F4000-memory.dmp
  C:\Windows\System32\Windows\amdlogum.exe
Executes dropped EXE 1 IoCs
Processes:
  PID 1320  amdlogum.exe
Drops file in System32 directory 5 IoCs
Processes (description / ioc / process):
  File opened for modification  C:\Windows\system32\Windows               amdlogum.exe
  File created                  C:\Windows\system32\Windows\amdlogum.exe  Client-built.exe
  File opened for modification  C:\Windows\system32\Windows\amdlogum.exe  Client-built.exe
  File opened for modification  C:\Windows\system32\Windows               Client-built.exe
  File opened for modification  C:\Windows\system32\Windows\amdlogum.exe  amdlogum.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both the downloaded Client-built.exe (PID 1884) and the dropped copy amdlogum.exe (PID 1320) run schtasks /create /tn "Update.exe" /sc ONLOGON /rl HIGHEST /f, registering the dropped binary to start at every logon with the highest available privilege; the task name is the extracted startup_key.
Processes:
  PID 3268  schtasks.exe
  PID 428   schtasks.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege  1884  Client-built.exe
  Token: SeDebugPrivilege  1320  amdlogum.exe
  Token: SeDebugPrivilege  2628  Client-built.exe
  Token: SeDebugPrivilege  4076  Client-built.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  PID 1320  amdlogum.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description / pid / process / target process):
  PID 1884 wrote to memory of 3268  Client-built.exe  schtasks.exe
  PID 1884 wrote to memory of 3268  Client-built.exe  schtasks.exe
  PID 1884 wrote to memory of 1320  Client-built.exe  amdlogum.exe
  PID 1884 wrote to memory of 1320  Client-built.exe  amdlogum.exe
  PID 1320 wrote to memory of 428   amdlogum.exe      schtasks.exe
  PID 1320 wrote to memory of 428   amdlogum.exe      schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3448)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/uKWr1e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3468)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3748,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2200)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3992,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2228)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5352,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1960)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5368,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3900)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5804,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4440)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5240,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4448)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5992,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 456)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6204,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3160)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5856,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2880)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6744,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:8

C:\Users\Admin\Downloads\Client-built.exe  (PID 1884)
    "C:\Users\Admin\Downloads\Client-built.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe  (PID 3268, child of 1884)
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\Windows\amdlogum.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

    C:\Windows\system32\Windows\amdlogum.exe  (PID 1320, child of 1884)
        "C:\Windows\system32\Windows\amdlogum.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe  (PID 428, child of 1320)
            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\Windows\amdlogum.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task

C:\Windows\System32\rundll32.exe  (PID 4440)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Client-built.exe  (PID 2628)
    "C:\Users\Admin\Downloads\Client-built.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4204)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5528,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8

C:\Users\Admin\Downloads\Client-built.exe  (PID 4076)
    "C:\Users\Admin\Downloads\Client-built.exe"
    - Suspicious use of AdjustPrivilegeToken
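The two schtasks invocations in the process tree (PID 3268 spawned by Client-built.exe, PID 428 spawned by the dropped amdlogum.exe) are the persistence step the "Scheduled Task/Job: Scheduled Task" signature fires on. The Python below is an added example, not part of this report and not the sandbox's own signature logic: it parses schtasks command lines out of process-creation events and scores them for the traits visible here (ONLOGON trigger, /rl HIGHEST, a target staged in a subdirectory of System32, schtasks launched from a user-writable path or by the very binary it re-registers). The event record shape, the scoring weights and the threshold are assumptions made for the example; only the two command lines and their PIDs are taken from the report, and the third event is a constructed benign control.

```python
import ntpath
import re

# Constructed process-creation events in a simplified shape (assumption: not the
# sandbox's raw telemetry). The two schtasks command lines and their PIDs are
# copied from the process tree in the report; the third event is a benign
# control added for contrast.
SAMPLE_EVENTS = [
    {"pid": 3268, "parent": r"C:\Users\Admin\Downloads\Client-built.exe",
     "cmd": r'"schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\Windows\amdlogum.exe" /rl HIGHEST /f'},
    {"pid": 428, "parent": r"C:\Windows\system32\Windows\amdlogum.exe",
     "cmd": r'"schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\Windows\amdlogum.exe" /rl HIGHEST /f'},
    {"pid": 5000, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
]

SYSTEM32 = r"c:\windows\system32"
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments (such as paths containing spaces) as single tokens."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmd)]


def parse_schtasks(cmd):
    """Return None unless cmd runs schtasks; otherwise a dict mapping each
    lower-cased switch to its argument ('' for bare flags such as /f)."""
    tokens = tokenize(cmd)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    switches = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if arg.startswith("/"):
            arg = ""  # the next token is another switch, so this one is a bare flag
        switches[tok.lower()] = arg
        i += 2 if arg else 1
    return switches


def score_event(event):
    """Score one event for schtasks-based persistence; returns (score, reasons).
    Weights are illustrative assumptions for this example, not a vendor rule."""
    sw = parse_schtasks(event["cmd"])
    if sw is None or "/create" not in sw:
        return 0, []
    score, reasons = 0, []
    trigger = sw.get("/sc", "").upper()
    if trigger in ("ONLOGON", "ONSTART"):
        score += 1
        reasons.append(f"task triggers at {trigger}")
    if sw.get("/rl", "").upper() == "HIGHEST":
        score += 1
        reasons.append("task requests the highest run level")
    target = ntpath.normpath(sw["/tr"]).lower() if sw.get("/tr") else ""
    parent = ntpath.normpath(event["parent"]).lower()
    if target and ntpath.dirname(target).startswith(SYSTEM32 + "\\"):
        score += 1
        reasons.append("target executable lives in a subdirectory of System32")
    if target and target == parent:
        score += 2
        reasons.append("schtasks was launched by the very binary the task runs")
    if parent.startswith("c:\\users\\"):
        score += 2
        reasons.append("schtasks was launched from a user-writable path")
    return score, reasons


def analyze_events(events, threshold=3):
    """Return a finding for every event whose score reaches the threshold."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            sw = parse_schtasks(ev["cmd"])
            findings.append({"pid": ev["pid"], "task": sw.get("/tn", ""),
                             "target": sw.get("/tr", ""), "score": score,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"PID {f['pid']}: task {f['task']!r} runs {f['target']} (score {f['score']})")
        for reason in f["reasons"]:
            print("  -", reason)
```

Run as a script it reports the two events from the sandbox run and stays silent on the benign control; the "parent equals target" rule is what distinguishes the second invocation, where the already-installed amdlogum.exe re-registers itself, from the first, where the downloaded dropper registers it.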
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
  MD5:    baf55b95da4a601229647f25dad12878
  SHA1:   abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 3.1MB
  MD5:    83cac7369d8be73c15a2b91151607c89
  SHA1:   50393e07c333f9b9dc5881fddfdd07f546d7a185
  SHA256: f786bbceb1e6b3c876a691ad37fe4a9b9d064bf5043109df7a3dc1e92b56535f
  SHA512: 8f267383b89be36c718f91a26c0d3a0522de0e0abc0be82794a90e6d278e22cf19978ccf2159af8f4283317c222386717fa10f454cbd421929ad7eefaa97beb4