Analysis
max time kernel: 69s
max time network: 65s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 06-11-2024 07:01
Static task: static1
General
Target: kreo q zi.7z
Size: 922KB
MD5: ec516db688f94e98d5141f4bade557e9
SHA1: 198ffbae5eed415ac673f5e371774759f1a53de1
SHA256: 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512: ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP: 24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: hola435-24858.portmap.host:24858
Mutex: e51e2b65-e963-4051-9736-67d57ed46798
encryption_key: AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
resource: behavioral1/files/0x002800000004514d-2.dat  yara_rule: family_quasar
resource: behavioral1/memory/2416-5-0x0000000000F90000-0x00000000012B4000-memory.dmp  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation  Process: Client.exe
(the same entry is recorded 6 times, one per Client.exe instance in the process tree)
Executes dropped EXE (7 IoCs)
pid / Process: 2416 kreo q zi.exe; 768 Client.exe; 2816 Client.exe; 2872 Client.exe; 4568 Client.exe; 984 Client.exe; 660 Client.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 6 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid / Process: 1660 PING.EXE; 1032 PING.EXE; 4008 PING.EXE; 4548 PING.EXE; 644 PING.EXE; 4520 PING.EXE

Runs ping.exe (1 TTPs, 6 IoCs)
pid / Process: 4548 PING.EXE; 644 PING.EXE; 4520 PING.EXE; 1660 PING.EXE; 1032 PING.EXE; 4008 PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 7 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 4828 schtasks.exe; 2972 schtasks.exe; 4996 schtasks.exe; 1272 schtasks.exe; 4528 schtasks.exe; 1284 schtasks.exe; 1924 schtasks.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid / Process: 2396 7zFM.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Token: SeRestorePrivilege  pid 2396  7zFM.exe
Token: 35  pid 2396  7zFM.exe
Token: SeSecurityPrivilege  pid 2396  7zFM.exe
Token: SeDebugPrivilege  pid 2416  kreo q zi.exe
Token: SeDebugPrivilege  pid 768  Client.exe
Token: SeDebugPrivilege  pid 2816  Client.exe
Token: SeDebugPrivilege  pid 2872  Client.exe
Token: SeDebugPrivilege  pid 4568  Client.exe
Token: SeDebugPrivilege  pid 984  Client.exe
Token: SeDebugPrivilege  pid 660  Client.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process: 2396 7zFM.exe; 2396 7zFM.exe

Suspicious use of WriteProcessMemory (62 IoCs)
Each write below was recorded twice in the report (31 distinct source/target pairs, 62 IoCs). Columns: source pid (Process) -> target pid (procid_target).
2416 (kreo q zi.exe) -> 4996 (93)
2416 (kreo q zi.exe) -> 768 (96)
768 (Client.exe) -> 1272 (97)
768 (Client.exe) -> 748 (99)
748 (cmd.exe) -> 2972 (101)
748 (cmd.exe) -> 4548 (102)
748 (cmd.exe) -> 2816 (104)
2816 (Client.exe) -> 4528 (105)
2816 (Client.exe) -> 4068 (107)
4068 (cmd.exe) -> 3380 (109)
4068 (cmd.exe) -> 644 (110)
4068 (cmd.exe) -> 2872 (112)
2872 (Client.exe) -> 1284 (113)
2872 (Client.exe) -> 1304 (115)
1304 (cmd.exe) -> 2580 (117)
1304 (cmd.exe) -> 4520 (118)
1304 (cmd.exe) -> 4568 (119)
4568 (Client.exe) -> 1924 (120)
4568 (Client.exe) -> 3556 (122)
3556 (cmd.exe) -> 3372 (124)
3556 (cmd.exe) -> 1660 (125)
3556 (cmd.exe) -> 984 (126)
984 (Client.exe) -> 4828 (127)
984 (Client.exe) -> 4448 (129)
4448 (cmd.exe) -> 1436 (131)
4448 (cmd.exe) -> 1032 (132)
4448 (cmd.exe) -> 660 (133)
660 (Client.exe) -> 2972 (134)
660 (Client.exe) -> 2200 (136)
2200 (cmd.exe) -> 900 (138)
2200 (cmd.exe) -> 4008 (139)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
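Every schtasks invocation in this report registers the same task: a logon trigger, run level HIGHEST, and an action pointing at Client.exe under AppData\Roaming. The Python below is an added example, not part of the sandbox report, that audits Task Scheduler XML definitions (the files Windows keeps under C:\Windows\System32\Tasks) for exactly that shape. The two task definitions embedded in it are constructed: the suspicious one is assumed to mirror what the report's `schtasks /create ... /sc ONLOGON ... /rl HIGHEST` call produces (LogonTrigger, RunLevel HighestAvailable, Command under AppData), and the benign one is a daily task in Program Files that must not fire. Task files on disk are UTF-16 with a BOM, so the script parses bytes rather than decoded text; feeding the decoded string to ElementTree fails on the multi-byte encoding declaration.

```python
"""Audit Task Scheduler XML definitions for the logon + HighestAvailable +
user-writable-path pattern the report's schtasks commands create."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%", re.I)


def _task_xml(trigger, run_level, command):
    # Constructed minimal task definition in the schema Windows writes under
    # C:\Windows\System32\Tasks; assumed to mirror the report's schtasks call.
    return (
        '<?xml version="1.0" encoding="UTF-16"?>\n'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n'
        f'  <Triggers>{trigger}</Triggers>\n'
        '  <Principals><Principal id="Author">\n'
        f'    <RunLevel>{run_level}</RunLevel><LogonType>InteractiveToken</LogonType>\n'
        '  </Principal></Principals>\n'
        '  <Actions Context="Author"><Exec>\n'
        f'    <Command>{command}</Command>\n'
        '  </Exec></Actions>\n'
        '</Task>\n'
    ).encode("utf-16")  # real task files are UTF-16 with a BOM: parse as bytes


SUSPICIOUS_TASK = _task_xml("<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
                            "HighestAvailable",
                            r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe")
BENIGN_TASK = _task_xml("<CalendarTrigger><StartBoundary>2024-11-06T03:00:00</StartBoundary>"
                        "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
                        "LeastPrivilege", r"C:\Program Files\Backup\backup.exe")


def audit_task_xml(data: bytes, name: str) -> dict:
    """Return trigger types, run level, command and the reasons the task matches
    the report's persistence pattern (empty list when it does not)."""
    root = ET.fromstring(data)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    trig = root.find("t:Triggers", NS)
    triggers = [el.tag.split("}")[-1] for el in list(trig)] if trig is not None else []
    run_level = text("t:Principals/t:Principal/t:RunLevel")
    command = text("t:Actions/t:Exec/t:Command")
    arguments = text("t:Actions/t:Exec/t:Arguments")

    reasons = []
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        reasons.append("runs at logon/boot")
    if run_level == "HighestAvailable":
        reasons.append("requests highest available privileges")
    if USER_WRITABLE.search(command + " " + arguments):
        reasons.append("executes from a user-writable directory")
    return {"name": name, "triggers": triggers, "run_level": run_level, "command": command,
            "reasons": reasons,
            # persistence trigger plus a payload the user can overwrite is the report's shape
            "suspicious": len(reasons) >= 2 and "executes from a user-writable directory" in reasons}


def audit_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (run elevated on the host being examined)."""
    results = []
    for p in Path(tasks_dir).rglob("*"):
        if p.is_file():
            try:
                results.append(audit_task_xml(p.read_bytes(), p.name))
            except ET.ParseError:
                pass  # not every file in the store is task XML
    return results


if __name__ == "__main__":
    for name, data in (("Quasar Client Startup", SUSPICIOUS_TASK), ("Backup", BENIGN_TASK)):
        print(audit_task_xml(data, name))
```

On a live host, `audit_tasks_dir()` needs an elevated prompt because the task store is ACL-restricted; the XML on disk also records the task's `RegistrationInfo/Author` and `Date`, which the `schtasks` command line in the report does not show and which help date the persistence.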
Processes
Bracketed number is the nesting depth from the report; each process is indented under its parent.

[1] C:\Program Files\7-Zip\7zFM.exe  (PID 2396)
    cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Users\Admin\Desktop\kreo q zi.exe  (PID 2416)
    cmdline: "C:\Users\Admin\Desktop\kreo q zi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\schtasks.exe  (PID 4996)
      cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
  [2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 768)
      cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SYSTEM32\schtasks.exe  (PID 1272)
        cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\system32\cmd.exe  (PID 748)
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEnjNUjgGWOd.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\chcp.com  (PID 2972)
          cmdline: chcp 65001
      [4] C:\Windows\system32\PING.EXE  (PID 4548)
          cmdline: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      [4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 2816)
          cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SYSTEM32\schtasks.exe  (PID 4528)
            cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
        [5] C:\Windows\system32\cmd.exe  (PID 4068)
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4v4corS3ZZ0V.bat" "
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\chcp.com  (PID 3380)
              cmdline: chcp 65001
          [6] C:\Windows\system32\PING.EXE  (PID 644)
              cmdline: ping -n 10 localhost
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
          [6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 2872)
              cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SYSTEM32\schtasks.exe  (PID 1284)
                cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                - Scheduled Task/Job: Scheduled Task
            [7] C:\Windows\system32\cmd.exe  (PID 1304)
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7tPANshK7DHi.bat" "
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\chcp.com  (PID 2580)
                  cmdline: chcp 65001
              [8] C:\Windows\system32\PING.EXE  (PID 4520)
                  cmdline: ping -n 10 localhost
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
              [8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 4568)
                  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SYSTEM32\schtasks.exe  (PID 1924)
                    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    - Scheduled Task/Job: Scheduled Task
                [9] C:\Windows\system32\cmd.exe  (PID 3556)
                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w5PGS5nk1Ugc.bat" "
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\chcp.com  (PID 3372)
                       cmdline: chcp 65001
                  [10] C:\Windows\system32\PING.EXE  (PID 1660)
                       cmdline: ping -n 10 localhost
                       - System Network Configuration Discovery: Internet Connection Discovery
                       - Runs ping.exe
                  [10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 984)
                       cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                       - Checks computer location settings
                       - Executes dropped EXE
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\SYSTEM32\schtasks.exe  (PID 4828)
                         cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                         - Scheduled Task/Job: Scheduled Task
                    [11] C:\Windows\system32\cmd.exe  (PID 4448)
                         cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hk6Ko4y8l1Bg.bat" "
                         - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\system32\chcp.com  (PID 1436)
                           cmdline: chcp 65001
                      [12] C:\Windows\system32\PING.EXE  (PID 1032)
                           cmdline: ping -n 10 localhost
                           - System Network Configuration Discovery: Internet Connection Discovery
                           - Runs ping.exe
                      [12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 660)
                           cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                           - Checks computer location settings
                           - Executes dropped EXE
                           - Suspicious use of AdjustPrivilegeToken
                           - Suspicious use of WriteProcessMemory
                        [13] C:\Windows\SYSTEM32\schtasks.exe  (PID 2972)
                             cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                             - Scheduled Task/Job: Scheduled Task
                        [13] C:\Windows\system32\cmd.exe  (PID 2200)
                             cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxK56ht0FpbH.bat" "
                             - Suspicious use of WriteProcessMemory
                          [14] C:\Windows\system32\chcp.com  (PID 900)
                               cmdline: chcp 65001
                          [14] C:\Windows\system32\PING.EXE  (PID 4008)
                               cmdline: ping -n 10 localhost
                               - System Network Configuration Discovery: Internet Connection Discovery
                               - Runs ping.exe
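The tree above repeats one three-step cycle six times: Client.exe re-registers the "Quasar Client Startup" task, runs a temporary .bat through cmd.exe, and that batch file (chcp 65001, then ping -n 10 localhost as a delay rather than a connectivity check, then a new Client.exe) relaunches the client, which starts the cycle again. The Python below is an added example, not part of the report, that detects both halves of the pattern in process-creation telemetry by correlating parent and child events rather than matching single command lines. Its event list is constructed from the first two Client.exe generations (command lines and PIDs as reported; parent PID 1000 stands in for the shell that launched the dropper), plus two benign events that must not match. The four-field event schema is the example's own, loosely modelled on Sysmon Event ID 1.

```python
"""Flag the Quasar-style persistence and self-relaunch chain in process-creation
telemetry. Events below are constructed from the report's process tree."""
import json
import re
import shlex
from collections import defaultdict

# Paths and command lines copied from the report; PIDs as reported.
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
CMD = r"C:\Windows\system32\cmd.exe"
SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"
CHCP = r"C:\Windows\system32\chcp.com"
PING = r"C:\Windows\system32\PING.EXE"
TASK_CMD = ('"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
            '/tr "' + CLIENT + '" /rl HIGHEST /f')

def ev(pid, ppid, image, cmdline):  # one Sysmon EID 1-style event, four fields
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

def bat(name):  # cmd.exe /c line exactly as the report shows it for the temp .bat files
    return CMD + ' /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\' + name + '" "'

# Constructed sample: the first two Client.exe generations (parent PID 1000 stands
# in for the launching shell) plus two benign events that must not match.
EVENTS = [
    ev(2416, 1000, r"C:\Users\Admin\Desktop\kreo q zi.exe", '"C:\\Users\\Admin\\Desktop\\kreo q zi.exe"'),
    ev(4996, 2416, SCHTASKS, TASK_CMD),
    ev(768, 2416, CLIENT, '"' + CLIENT + '"'),
    ev(1272, 768, SCHTASKS, TASK_CMD),
    ev(748, 768, CMD, bat("eEnjNUjgGWOd.bat")),
    ev(2972, 748, CHCP, "chcp 65001"),
    ev(4548, 748, PING, "ping -n 10 localhost"),
    ev(2816, 748, CLIENT, '"' + CLIENT + '"'),
    ev(4528, 2816, SCHTASKS, TASK_CMD),
    ev(4068, 2816, CMD, bat("4v4corS3ZZ0V.bat")),
    ev(3380, 4068, CHCP, "chcp 65001"),
    ev(644, 4068, PING, "ping -n 10 localhost"),
    ev(2872, 4068, CLIENT, '"' + CLIENT + '"'),
    ev(5000, 1000, CMD, CMD + ' /c "C:\\Users\\Admin\\build.bat"'),
    ev(5002, 1000, SCHTASKS, '"schtasks" /create /tn "Backup" /sc DAILY '
                             '/tr "C:\\Program Files\\Backup\\backup.exe" /f'),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
BAT_RE = re.compile(r'"([^"]+\.bat)"', re.I)
PING_RE = re.compile(r"ping\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_schtasks(cmdline):
    """Map schtasks switches to values ('' for bare switches); posix=False keeps
    Windows backslashes and quoted paths intact."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    args, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            args[tokens[i].lower()] = tokens[i + 1] if has_value else ""
            i += int(has_value)
        i += 1
    return args

def find_logon_highest_tasks(events):
    """schtasks /create with ONLOGON trigger, HIGHEST run level and a target in a
    user-writable directory: the report's persistence step."""
    hits = []
    for e in events:
        if basename(e["image"]) != "schtasks.exe":
            continue
        a = parse_schtasks(e["cmdline"])
        target = a.get("/tr", "")
        if ("/create" in a and a.get("/sc", "").upper() == "ONLOGON"
                and a.get("/rl", "").upper() == "HIGHEST" and USER_WRITABLE.search(target)):
            hits.append({"pid": e["pid"], "task": a.get("/tn", ""), "target": target})
    return hits

def find_batch_relaunch_chains(events):
    """cmd.exe /c <.bat> whose children are chcp, a localhost ping (a delay, not a
    connectivity test) and a fresh copy of the binary that launched the batch."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        m = BAT_RE.search(e["cmdline"]) if basename(e["image"]) == "cmd.exe" else None
        launcher = by_pid.get(e["ppid"])
        if not m or launcher is None:
            continue
        kids = children[e["pid"]]
        relaunch = [k for k in kids if k["image"].lower() == launcher["image"].lower()]
        pings = [p for p in (PING_RE.search(k["cmdline"]) for k in kids
                             if basename(k["image"]) == "ping.exe") if p]
        if relaunch and pings and any(basename(k["image"]) == "chcp.com" for k in kids):
            hits.append({"batch": m.group(1), "launcher_pid": launcher["pid"],
                         "relaunched_pid": relaunch[0]["pid"],
                         "delay_pings": int(pings[0].group(1))})
    return hits

if __name__ == "__main__":
    print(json.dumps({"logon_tasks": find_logon_highest_tasks(EVENTS),
                      "relaunch_chains": find_batch_relaunch_chains(EVENTS)}, indent=2))
```

The relaunch check keys on the grandparent relationship (launcher -> cmd.exe -> same image again) instead of on the random .bat name, which changes on every iteration in the report; `ping -n N localhost` alone is common in legitimate scripts and is only scored together with `chcp` and the self-relaunch.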
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 7787ce173dfface746f5a9cf5477883d
SHA1: 4587d870e914785b3a8fb017fec0c0f1c7ec0004
SHA256: c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1
SHA512: 3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Filesize: 207B
MD5: f75eed355febcc6978b9ad5f8f124532
SHA1: 66ba9f3017b7defbac19e17cfdcd8783c9987e57
SHA256: 7384b070ab6bbfa309b86eb15c21da60eaf25ac896dca54d883e7bd28061bc1f
SHA512: e38893e9d75a6b4d3b9cde7b5779432d66a3e60e275b92529986a3401722f0da06e7443804550e86f9559bda5b283df453176cf53fced0cefcb919875e7e4530

Filesize: 207B
MD5: 64eb49823736a5deefd4d00872895d03
SHA1: 6493039c061d0b5a0d0a132d6981798c33753a87
SHA256: 7cc7b837da3d8ebf2079d01e802cccc64623b9794e40f0750c6c44ab52c8dfe5
SHA512: af1dac06dd7b2c740bb68251723052bd1f3e8613e32fb55c3f3c0697cd0d4a15f1544c768dc3c93dac0e1cf3183a92a0d01b609e0d8478b6b8ad727523fa1f47

Filesize: 207B
MD5: 66b0654eb66d236396754fb82ea8b850
SHA1: 6015965f6b2ab0bace187645d3085d0d88a5bea5
SHA256: a1a1afbdb8f2ae040b5a9f6af57dab1de3d2ce9ffaf46ad921bb2ea2beabd485
SHA512: 60e65f73bf48f94e39b32c5070567a9b495d46f70cf06feb1cd68ee59aad4dd2e8b895263aa97f237ca85713c3efce010fbdba37ee913f198b15c87e8208eff1

Filesize: 207B
MD5: c7934ed10c79075422897faaad26d004
SHA1: 27d989ed971c6a0309697cf717fe9f3ca3d9f3b0
SHA256: 9699f9e2c20d0efcb36e7f9e09504a677989ec457d9a70582f782dac9b36b1af
SHA512: 1e34aace52fa024c56d08f87000eaaaf22b67237ef9af7380c402257f56d144fd1dd5dad4710042cda5d321a1295520d3ef8c679a30ae740cc8fd049b5e6af90

Filesize: 207B
MD5: 8142b16e4f8d97c6fbcd3a2299f9f838
SHA1: 07dee0d73f4573a51b004a96ebd702a3a5f2b7e1
SHA256: ed295650ed0d0f9e1263484de84ea8741011f558632c9452084fea5ba309ddf2
SHA512: 1762c0bc746910f9b4137edf6004808e33713e277adf5be228cfb70a3e5528ef7654c68ed6ad64f600c1c85c1b8943f61c31c733dc445081152da821f9230e3d

Filesize: 207B
MD5: 3f5f4caf4d3fe45704c6d3eb7314d7e3
SHA1: 1801013de6050d1e6dcbedddfb1c7adb5f32e947
SHA256: 35100b4ba4e4b40f886eb2168e1100c9deadcfe68936b9ceee636e9e4a767fc6
SHA512: 047d07e2e8dbc78fb561421a01fc6af9e11c3f08599a68fe86392a93f29f61a61543ec4f17562eb2f64d1c2833e69123909af4ffc52fbd8bfe164b008b98c55e

Filesize: 3.1MB
MD5: 28ac02fc40c8f1c2a8989ee3c09a1372
SHA1: b182758b62a1482142c0fce4be78c786e08b7025
SHA256: 0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b
SHA512: 2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767