Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05-08-2024 04:23
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240704-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
4290449c878559b7cb44282906d40519
-
SHA1
e5c1fd8659eab79d82ff98d71ec59712f175dbff
-
SHA256
01b172d69a0ce6bdf3f29f89b58e18474d07d7c57f22ac4633fdb2cfa794cb6c
-
SHA512
5001ed29fb746c1691bcd784b6ad88ae1a4e26fa614d62225330a1ae4fe5409be4637233ceb3e7615a4aee1977f3e82e94cf659f3f5f9c544db06e5d0c6e6efd
-
SSDEEP
49152:NHobtR1o2PmNXo7WCr5Kg++OatXrYdLTHHB72eh2NT:NHmRvmNXo7WCr5Kg++OK
Malware Config
Extracted
quasar
1.4.1
Office04
147.185.221.20:18563
147.185.221.20:9835
c2e1b18a-ce93-436d-ad8b-21bf89015e19
-
encryption_key
9E968F05BD874BA1BE086FD1774A027473823F49
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4912-1-0x0000000000510000-0x0000000000834000-memory.dmp | family_quasar
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | Client-built.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4912 | Client-built.exe
Token: 33 | 644 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 644 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
4912 | Client-built.exe
4912 | Client-built.exe
4912 | Client-built.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
4912 | Client-built.exe
4912 | Client-built.exe
4912 | Client-built.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 4912 wrote to memory of 1060 | 4912 | Client-built.exe | cmd.exe
PID 4912 wrote to memory of 1060 | 4912 | Client-built.exe | cmd.exe
PID 1060 wrote to memory of 964 | 1060 | cmd.exe | chcp.com
PID 1060 wrote to memory of 964 | 1060 | cmd.exe | chcp.com
PID 1060 wrote to memory of 3124 | 1060 | cmd.exe | PING.EXE
PID 1060 wrote to memory of 3124 | 1060 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4912
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuBhliT3xyl5.bat" "
    - Suspicious use of WriteProcessMemory
    PID:1060
    C:\Windows\system32\chcp.com (depth 3)
      Command line: chcp 65001
      PID:964
    C:\Windows\system32\PING.EXE (depth 3)
      Command line: ping -n 10 localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID:3124
C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x45c 0x48c
  - Suspicious use of AdjustPrivilegeToken
  PID:644
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
213B
MD5
180e19ffa6762e8abd5db275adedb487
SHA1
5d5b8245ba751b2e4b2f9b0b80ecfae4d34a63d4
SHA256
34e014299a2f6344c12c2e8232e3bc5de7879f5f8afd2ed6f0b584cfc3a6c0fa
SHA512
2669d317223e2205121ae94af3cc0f05da0a56e24d83fa50ed3ba139e7eb08bcd781916b6128e638f21b25dbfd28ad0258b48bc8a67f4588f3a5f25703df28dc