Analysis
-
max time kernel
34s -
max time network
41s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
05-11-2024 00:52
Static task
static1
General
-
Target
kreo q zi.7z
-
Size
922KB
-
MD5
ec516db688f94e98d5141f4bade557e9
-
SHA1
198ffbae5eed415ac673f5e371774759f1a53de1
-
SHA256
282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
-
SHA512
ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
-
SSDEEP
24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU
Malware Config
Extracted
quasar
1.4.1
Office04
hola435-24858.portmap.host:24858
e51e2b65-e963-4051-9736-67d57ed46798
-
encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0029000000045030-2.dat family_quasar behavioral1/memory/2656-5-0x0000000000850000-0x0000000000B74000-memory.dmp family_quasar -
Executes dropped EXE 4 IoCs
Processes:
kreo q zi.exekreo q zi.exeClient.exeClient.exepid Process 2656 kreo q zi.exe 2592 kreo q zi.exe 892 Client.exe 2920 Client.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid Process 2452 schtasks.exe 4628 schtasks.exe 1700 schtasks.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
7zFM.exepid Process 2336 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
7zFM.exekreo q zi.exekreo q zi.exeClient.exeClient.exedescription pid Process Token: SeRestorePrivilege 2336 7zFM.exe Token: 35 2336 7zFM.exe Token: SeSecurityPrivilege 2336 7zFM.exe Token: SeDebugPrivilege 2656 kreo q zi.exe Token: SeDebugPrivilege 2592 kreo q zi.exe Token: SeDebugPrivilege 892 Client.exe Token: SeDebugPrivilege 2920 Client.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
7zFM.exepid Process 2336 7zFM.exe 2336 7zFM.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Client.exepid Process 2920 Client.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
kreo q zi.exekreo q zi.exeClient.exedescription pid Process procid_target PID 2656 wrote to memory of 2452 2656 kreo q zi.exe 92 PID 2656 wrote to memory of 2452 2656 kreo q zi.exe 92 PID 2592 wrote to memory of 4628 2592 kreo q zi.exe 94 PID 2592 wrote to memory of 4628 2592 kreo q zi.exe 94 PID 2656 wrote to memory of 892 2656 kreo q zi.exe 96 PID 2656 wrote to memory of 892 2656 kreo q zi.exe 96 PID 2592 wrote to memory of 2920 2592 kreo q zi.exe 97 PID 2592 wrote to memory of 2920 2592 kreo q zi.exe 97 PID 2920 wrote to memory of 1700 2920 Client.exe 98 PID 2920 wrote to memory of 1700 2920 Client.exe 98 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2336
-
C:\Users\Admin\Desktop\kreo q zi.exe"C:\Users\Admin\Desktop\kreo q zi.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:2452
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Users\Admin\Desktop\kreo q zi.exe"C:\Users\Admin\Desktop\kreo q zi.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:4628
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:1700
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b08c36ce99a5ed11891ef6fc6d8647e9
SHA1db95af417857221948eb1882e60f98ab2914bf1d
SHA256cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674
SHA51207e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea
-
Filesize
3.1MB
MD528ac02fc40c8f1c2a8989ee3c09a1372
SHA1b182758b62a1482142c0fce4be78c786e08b7025
SHA2560fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b
SHA5122cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767