Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2024 16:12
Behavioral task: behavioral1
Sample: Bootstrapper.exe
Resource: win7-20240705-en

Note: the signatures and process tree below reference behavioral2 (the memory dump path names it, and the PIDs match the Windows 10 run listed under Analysis), not this win7 task.
General

Target: Bootstrapper.exe
Size: 3.1MB
MD5: 14b871855a9046ef9aedeec80f9c2d86
SHA1: 32c0ad34f524748b76c090fc881b75b928341e7e
SHA256: b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940
SHA512: 7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96
SSDEEP: 49152:3v7lL26AaNeWgPhlmVqvMQ7XSKlfyCC4KgoGdulF8THHB72eh2NT:3vhL26AaNeWgPhlmVqkQ7XSKlfyg
Malware Config

Extracted family: quasar
Version: 1.4.1
Botnet/tag: Office04
C2: wefdwef-34180.portmap.host:34180
Mutex (GUID): c4be1726-3f86-4f80-bc7c-0779b06ffeeb
encryption_key: 97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
install_name: Bootstrapper.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Spotify
subdirectory: system32

The extracted config matches the observed behaviour: install_name and subdirectory give the drop path C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe, and startup_key is the task name ("Spotify") passed to schtasks in the process tree below. The C2 is a portmap.host tunnel on port 34180, so the listener's real address is not visible from the hostname.
Signatures

Quasar payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4352-1-0x0000000000710000-0x0000000000A34000-memory.dmp   family_quasar
  C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe                     family_quasar

Executes dropped EXE (1 IoC)
  pid    process
  3632   Bootstrapper.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    process
  1804   schtasks.exe
  2120   schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid    process
  Token: SeDebugPrivilege     4352   Bootstrapper.exe
  Token: SeDebugPrivilege     3632   Bootstrapper.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid    process
  3632   Bootstrapper.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid    process
  3632   Bootstrapper.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  3632   Bootstrapper.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid    process            target process
  PID 4352 wrote to memory of 1804     4352   Bootstrapper.exe   schtasks.exe
  PID 4352 wrote to memory of 1804     4352   Bootstrapper.exe   schtasks.exe
  PID 4352 wrote to memory of 3632     4352   Bootstrapper.exe   Bootstrapper.exe
  PID 4352 wrote to memory of 3632     4352   Bootstrapper.exe   Bootstrapper.exe
  PID 3632 wrote to memory of 2120     3632   Bootstrapper.exe   schtasks.exe
  PID 3632 wrote to memory of 2120     3632   Bootstrapper.exe   schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  PID: 4352
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe  (depth 2)
    command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
    PID: 1804
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
    PID: 3632
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe  (depth 3)
      command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
      PID: 2120
      - Scheduled Task/Job: Scheduled Task

Execution chain: the submitted sample (PID 4352) registers a logon task named "Spotify" that points at a copy of itself under %APPDATA%\system32, then launches that copy (PID 3632). The copy enables SeDebugPrivilege and registers the same task again with /f, so the task is recreated even if it was removed in between. The /rl HIGHEST flag only yields an elevated token if the registering user can already obtain one; it does not bypass UAC on its own.
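A hunt for the persistence pattern shown in this process tree, as an added example (not part of the sandbox report and not Quasar's own code): a small Python detector that parses schtasks /create command lines from constructed Sysmon-style process-creation events modelled on the tree above and scores the combination seen here, an action path under AppData, a logon trigger, /rl HIGHEST, /f, a task name that does not match the binary it launches, and a parent process that is the same binary the task persists. The event dict layout, the indicator wording and the alert threshold are assumptions of this example; the benign control event is constructed too.

```python
import ntpath
import re

# Constructed process-creation events in a Sysmon Event ID 1 shape, modelled on the
# command lines in the process tree above (the last one is a benign control). These are
# not raw sandbox telemetry; the dict layout is an assumption of this example.
SAMPLE_EVENTS = [
    {"pid": 4352, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"'},
    {"pid": 1804, "ppid": 4352,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "Spotify" /sc ONLOGON '
            r'/tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f'},
    {"pid": 3632, "ppid": 4352,
     "image": r"C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"'},
    {"pid": 2120, "ppid": 3632,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "Spotify" /sc ONLOGON '
            r'/tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f'},
    {"pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "Updater" /sc DAILY /tr "C:\Program Files\Vendor\Updater.exe" /f'},
]

# One schtasks switch plus its optional value: either a double-quoted string or a bare
# token that does not itself start with a slash (so "/create /tn" yields create=None).
SCHTASKS_ARG = re.compile(
    r'/(?P<flag>[A-Za-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^/"\s]\S*)))?'
)

# Any path under a per-user AppData tree; user-writable, so no admin rights were needed to drop there.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_schtasks(cmd):
    """Map schtasks switches (lower-cased) to their values; value-less switches such as /f map to None."""
    flags = {}
    for m in SCHTASKS_ARG.finditer(cmd):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        flags[m.group("flag").lower()] = value
    return flags


def assess_task_creation(event, parent_image):
    """Return the list of indicators matched by one process-creation event (empty if not a schtasks /create)."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return []
    flags = parse_schtasks(event["cmd"])
    if "create" not in flags:
        return []
    target = flags.get("tr") or ""
    task_name = (flags.get("tn") or "").strip()
    reasons = []
    if USER_WRITABLE.search(target):
        reasons.append("action binary lives under a user-writable AppData path")
    if (flags.get("sc") or "").upper() in {"ONLOGON", "ONSTART"}:
        reasons.append("trigger fires at logon/boot")
    if (flags.get("rl") or "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requests the most privileged available token")
    if "f" in flags:
        reasons.append("/f silently overwrites an existing task of the same name")
    # Self-persistence: the parent that ran schtasks has the same file name as the task action.
    if parent_image and ntpath.basename(parent_image).lower() == ntpath.basename(target).lower():
        reasons.append("task action is a copy of the process that registered it")
    # Masquerade heuristic (assumption of this example): a task named after software the
    # action path does not mention, e.g. "Spotify" launching Bootstrapper.exe.
    if task_name and task_name.lower() not in target.lower():
        reasons.append("task name does not match the action binary (masquerade heuristic)")
    return reasons


def hunt(events, min_indicators=3):
    """Return {pid: reasons} for every schtasks event that matches at least min_indicators."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        reasons = assess_task_creation(e, parent["image"] if parent else None)
        if len(reasons) >= min_indicators:
            hits[e["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

On the constructed events both schtasks invocations from the tree (PIDs 1804 and 2120) match all six indicators, while the Program Files daily task only matches /f and stays below the threshold. The threshold is deliberately a count rather than a single rule so that a legitimate installer using /rl HIGHEST or /sc ONLOGON alone does not page anyone; the AppData-path and self-copy indicators are the ones that carry the most weight in practice.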
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

File 2
  Filesize: 3.1MB
  MD5: 14b871855a9046ef9aedeec80f9c2d86
  SHA1: 32c0ad34f524748b76c090fc881b75b928341e7e
  SHA256: b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940
  SHA512: 7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

File 2 carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the dropped C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe is a byte-identical copy rather than a second-stage payload; a hash-based block on the submitted sample therefore also covers the persisted copy.