Analysis

max time kernel: 133s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2024 07:16
Static task: static1

Behavioral task: behavioral1
Sample: Order88983273293729387293828PDF.exe
Resource: win7-20241010-en
General

Target: Order88983273293729387293828PDF.exe
Size: 1.4MB
MD5: abbfb2b5ebf6a24eef7269bde8e80640
SHA1: 99be0b33db303c353262f43d7c2e43a03b5e7b65
SHA256: 56bd84e77da1de080c2d5c42b6f101574e7146b200026ea9468703d742edec10
SHA512: 2dedaec26edd4e9b23b31bdab83fabd88884da7958f4e7611fb7667cd3ddc6a795cf7b1b79abcf0c6f13b03ac74763532705e316742f1052a1a5f6e5bb92dd6d
SSDEEP: 12288:b/bzOGnF/lx54LOaJleaqIs/eBj52DYWQNwF/zsjVODN/B:bmGLZmx5gYWRaYJ/
Malware Config

Extracted

family: quasar
version: 1.4.1
botnet: man
c2: new-visit.com:3791
mutex: 3302836a-f2f9-4646-981e-42b54ed610dd
encryption_key: C058A6A166AF85C9027394334AA2BDC41A9B7D9C
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/4284-1098-0x0000000000400000-0x0000000000724000-memory.dmp | family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 4836 created 3432 | 4836 | Order88983273293729387293828PDF.exe | Explorer.EXE

Drops startup file 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MaxGeneration.vbs | Order88983273293729387293828PDF.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 4836 set thread context of 4284 | 4836 | Order88983273293729387293828PDF.exe | InstallUtil.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Order88983273293729387293828PDF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid | process
  4836 | Order88983273293729387293828PDF.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4836 | Order88983273293729387293828PDF.exe
  Token: SeDebugPrivilege | 4836 | Order88983273293729387293828PDF.exe
  Token: SeDebugPrivilege | 4284 | InstallUtil.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid | process
  4284 | InstallUtil.exe
  4284 | InstallUtil.exe

Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid | process
  4284 | InstallUtil.exe
  4284 | InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description | pid | process | target process
  PID 4836 wrote to memory of 4284 | 4836 | Order88983273293729387293828PDF.exe | InstallUtil.exe
  (the row above is recorded 8 times, one per IoC)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3432

  C:\Users\Admin\AppData\Local\Temp\Order88983273293729387293828PDF.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Order88983273293729387293828PDF.exe"
    PID: 4836
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    PID: 4284
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage