Analysis
-
max time kernel
51s -
max time network
54s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
05-11-2024 06:50
Static task
static1
General
-
Target
kreo q zi.7z
-
Size
922KB
-
MD5
ec516db688f94e98d5141f4bade557e9
-
SHA1
198ffbae5eed415ac673f5e371774759f1a53de1
-
SHA256
282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
-
SHA512
ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
-
SSDEEP
24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU
Malware Config
Extracted
quasar
1.4.1
Office04
hola435-24858.portmap.host:24858
e51e2b65-e963-4051-9736-67d57ed46798
-
encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x00280000000450c0-2.dat family_quasar behavioral1/memory/4812-5-0x00000000004F0000-0x0000000000814000-memory.dmp family_quasar -
Executes dropped EXE 2 IoCs
Processes:
kreo q zi.exeClient.exepid Process 4812 kreo q zi.exe 2428 Client.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid Process 2056 schtasks.exe 2216 schtasks.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
7zFM.exepid Process 3704 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
7zFM.exekreo q zi.exeClient.exedescription pid Process Token: SeRestorePrivilege 3704 7zFM.exe Token: 35 3704 7zFM.exe Token: SeSecurityPrivilege 3704 7zFM.exe Token: SeDebugPrivilege 4812 kreo q zi.exe Token: SeDebugPrivilege 2428 Client.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
7zFM.exepid Process 3704 7zFM.exe 3704 7zFM.exe 3704 7zFM.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Client.exepid Process 2428 Client.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
kreo q zi.exeClient.exedescription pid Process procid_target PID 4812 wrote to memory of 2056 4812 kreo q zi.exe 91 PID 4812 wrote to memory of 2056 4812 kreo q zi.exe 91 PID 4812 wrote to memory of 2428 4812 kreo q zi.exe 93 PID 4812 wrote to memory of 2428 4812 kreo q zi.exe 93 PID 2428 wrote to memory of 2216 2428 Client.exe 95 PID 2428 wrote to memory of 2216 2428 Client.exe 95 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3704
-
C:\Users\Admin\Desktop\kreo q zi.exe"C:\Users\Admin\Desktop\kreo q zi.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:2056
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2216
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD528ac02fc40c8f1c2a8989ee3c09a1372
SHA1b182758b62a1482142c0fce4be78c786e08b7025
SHA2560fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b
SHA5122cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767