Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-11-2024 15:45
Behavioral task: behavioral1
Sample: no virus.exe
Resource: win7-20240903-en
General
Target: no virus.exe
Size: 3.1MB
MD5: 9facfa150b35a5985f9507eb0b68f29f
SHA1: 366084ec72c2dca7434de64aecece402f3d49e06
SHA256: 2ed2177995cad18218b61c46c64ba0575dc54e87c7385ea9bb70d9ca44f18a73
SHA512: e52bdcda29737634a853ccf08d41d927d82ae51299aa235b62ab868bf93c4f6b5f2cdd1400f68d3bf3a5d1d7131732569ddedb33f5d5ed0e7bf67833c01a53a9
SSDEEP: 49152:XvQlL26AaNeWgPhlmVqvMQ7XSKD+RJ6ebR3LoGd41THHB72eh2NT:Xv4L26AaNeWgPhlmVqkQ7XSKD+RJ6Y
Malware Config
Extracted
quasar
1.4.1
Office04
255.255.255.0:4782
192.168.56.1:4782
5d8ed293-df10-4841-a52b-8692fbf47f38
encryption_key: 11B8D109A02D98C9240E47185440CD1BFD88612D
install_name: monkey.exe
log_directory: Logs
reconnect_delay: 2882
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload 3 IoCs
- behavioral1/memory/2232-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp family_quasar
- behavioral1/files/0x00340000000191f6-5.dat family_quasar
- behavioral1/memory/2724-8-0x0000000001190000-0x00000000014B4000-memory.dmp family_quasar
Executes dropped EXE 1 IoCs
- PID 2724, Process monkey.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 2232, Process no virus.exe
- Token: SeDebugPrivilege, PID 2724, Process monkey.exe
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 2724, Process monkey.exe
Suspicious use of SendNotifyMessage 1 IoCs
- PID 2724, Process monkey.exe
Suspicious use of WriteProcessMemory 3 IoCs
- PID 2232 wrote to memory of 2724 (PID 2232, Process no virus.exe, procid_target 30)
- PID 2232 wrote to memory of 2724 (PID 2232, Process no virus.exe, procid_target 30)
- PID 2232 wrote to memory of 2724 (PID 2232, Process no virus.exe, procid_target 30)
Processes
1. C:\Users\Admin\AppData\Local\Temp\no virus.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\no virus.exe"
   PID: 2232
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\SubDir\monkey.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\monkey.exe"
      PID: 2724
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 9facfa150b35a5985f9507eb0b68f29f
SHA1: 366084ec72c2dca7434de64aecece402f3d49e06
SHA256: 2ed2177995cad18218b61c46c64ba0575dc54e87c7385ea9bb70d9ca44f18a73
SHA512: e52bdcda29737634a853ccf08d41d927d82ae51299aa235b62ab868bf93c4f6b5f2cdd1400f68d3bf3a5d1d7131732569ddedb33f5d5ed0e7bf67833c01a53a9