Analysis
  max time kernel: 1794s
  max time network: 1799s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  submitted: 05-08-2024 05:21
General
  Target: menu test.exe
  Size: 3.1MB
  MD5: c86abc64d7110ba0022929f533144f6a
  SHA1: d0119c0348c382b68a328e16a65466373009bf98
  SHA256: 2f2ae02f061bc49648fb8d0941b94dc50e22d7701c126eb68c4575e37d5f4f60
  SHA512: 9c1a94f219d87ad42573eefee151425d41b4ed3f56e18cdeaad0887f6f03c18a121774f987f1dfe11cdcb67e016e91ac4c86d3355d044309bdcbc29c747f107d
  SSDEEP: 49152:rvnI22SsaNYfdPBldt698dBcjHVwN3iarbLoGd7Sq2THHB72eh2NT:rvI22SsaNYfdPBldt6+dBcjHQ37
Malware Config
  Extracted
    Family: quasar
    Version: 1.4.1
    Botnet: Office04
    C2: 192.168.1.150:4782
    Mutex: 68496e1e-8d91-40cc-9959-07b293449482
    encryption_key: 040C5761F98D19CC4976A471E95FC1AA1E6FFC89
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Steam Corperation
    subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  Processes:
    resource: behavioral1/memory/4652-1-0x0000000000BA0000-0x0000000000EC4000-memory.dmp    yara_rule: family_quasar
    resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe    yara_rule: family_quasar

Executes dropped EXE (1 IoCs)
  Processes:
    pid: 5092    process: Client.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid: 856     process: schtasks.exe
    pid: 2412    process: schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege    pid: 4652    process: menu test.exe
    description: Token: SeDebugPrivilege    pid: 5092    process: Client.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid: 5092    process: Client.exe

Suspicious use of SendNotifyMessage (1 IoCs)
  Processes:
    pid: 5092    process: Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid: 5092    process: Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description: PID 4652 wrote to memory of 856     pid: 4652    process: menu test.exe    target process: schtasks.exe
    description: PID 4652 wrote to memory of 856     pid: 4652    process: menu test.exe    target process: schtasks.exe
    description: PID 4652 wrote to memory of 5092    pid: 4652    process: menu test.exe    target process: Client.exe
    description: PID 4652 wrote to memory of 5092    pid: 4652    process: menu test.exe    target process: Client.exe
    description: PID 5092 wrote to memory of 2412    pid: 5092    process: Client.exe       target process: schtasks.exe
    description: PID 5092 wrote to memory of 2412    pid: 5092    process: Client.exe       target process: schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\menu test.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\menu test.exe"
  PID: 4652
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "Steam Corperation" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 856
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 5092
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Steam Corperation" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 2412
      - Scheduled Task/Job: Scheduled Task

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2156
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3.1MB
  MD5: c86abc64d7110ba0022929f533144f6a
  SHA1: d0119c0348c382b68a328e16a65466373009bf98
  SHA256: 2f2ae02f061bc49648fb8d0941b94dc50e22d7701c126eb68c4575e37d5f4f60
  SHA512: 9c1a94f219d87ad42573eefee151425d41b4ed3f56e18cdeaad0887f6f03c18a121774f987f1dfe11cdcb67e016e91ac4c86d3355d044309bdcbc29c747f107d