Analysis
max time kernel: 94s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 18:26
Static task: static1
Behavioral task: behavioral1
Sample: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
Resource: win7-20241010-en
General
Target: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
Size: 1.4MB
MD5: e95f7184a33d6edeecd365f7ad93d11e
SHA1: b9154f8ad3d068549617c7cd32bfade8ce2c5f09
SHA256: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f
SHA512: 7d85203949dc197766391e96c7638e2ee630043ac443ffc7ae271acfc70f29b5d748ac40eec8062705de23ab1545ad3abb642e3b890f87632b9ac36b84d24fa8
SSDEEP: 12288:b/bzOGnF/lx54LOaJleaqIs/eBj52DYWQNwF/zsjVODN/By:bmGLZmx5gYWRaYJ/w
Malware Config
Extracted
quasar
1.4.1
man
new-visit.com:3791
3302836a-f2f9-4646-981e-42b54ed610dd
encryption_key: C058A6A166AF85C9027394334AA2BDC41A9B7D9C
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload - 1 IoCs
  resource: behavioral2/memory/4724-1098-0x0000000000400000-0x0000000000724000-memory.dmp | yara_rule: family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess - 1 IoCs
  description: PID 2520 created 3520 | pid: 2520 | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe | procid_target: 56
Drops startup file - 1 IoCs
  description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MaxGeneration.vbs | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
Suspicious use of SetThreadContext - 1 IoCs
  description: PID 2520 set thread context of 4724 | pid: 2520 | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe | procid_target: 88
System Location Discovery: System Language Discovery - 1 TTPs, 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: InstallUtil.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: InstallUtil.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: cmd.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: chcp.com
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: PING.EXE
System Network Configuration Discovery: Internet Connection Discovery - 1 TTPs, 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  pid: 3740 | Process: PING.EXE
Runs ping.exe - 1 TTPs, 1 IoCs
  pid: 3740 | Process: PING.EXE
Suspicious behavior: EnumeratesProcesses - 1 IoCs
  pid: 2520 | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
Suspicious use of AdjustPrivilegeToken - 3 IoCs
  description: Token: SeDebugPrivilege | pid: 2520 | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
  description: Token: SeDebugPrivilege | pid: 2520 | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
  description: Token: SeDebugPrivilege | pid: 4724 | Process: InstallUtil.exe
Suspicious use of FindShellTrayWindow - 1 IoCs
  pid: 4724 | Process: InstallUtil.exe
Suspicious use of SendNotifyMessage - 1 IoCs
  pid: 4724 | Process: InstallUtil.exe
Suspicious use of WriteProcessMemory - 20 IoCs
  description: PID 2520 wrote to memory of 4724 | pid: 2520 | Process: b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe | procid_target: 88 (8 entries)
  description: PID 4724 wrote to memory of 5100 | pid: 4724 | Process: InstallUtil.exe | procid_target: 94 (3 entries)
  description: PID 5100 wrote to memory of 1444 | pid: 5100 | Process: cmd.exe | procid_target: 96 (3 entries)
  description: PID 5100 wrote to memory of 3740 | pid: 5100 | Process: cmd.exe | procid_target: 97 (3 entries)
  description: PID 5100 wrote to memory of 5020 | pid: 5100 | Process: cmd.exe | procid_target: 103 (3 entries)
Processes
depth 1: C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3520
  depth 2: C:\Users\Admin\AppData\Local\Temp\b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b8955e1e7cb3acd7b1bcd6328c5e11969c5dbacd2162cd34f3afb73d7ba4b80f.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops startup file
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2520
  depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 4724
    depth 3: C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n3gvaOWqymEb.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 5100
      depth 4: C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001
          - System Location Discovery: System Language Discovery
          PID: 1444
      depth 4: C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 10 localhost
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 3740
      depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          - System Location Discovery: System Language Discovery
          PID: 5020
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 38b07cd5da5c740e9629fd801dc26e5a
SHA1: 42816159ab9367165cf58603b09b134d488c1690
SHA256: 20049cc7ade63a31f442dfd2b99740f0512fdcc764266b8b105292e30d2b7483
SHA512: 1769ffefe181531476e10311295f38d11b85b5ec3710000b5cb081675e5f233792f96bb4178b75fd0e2cfc86965e7368173d22799a1e9fa3317ddd49047fab5a

Filesize: 220B
MD5: 9e0794d2967d2acab61f1181f2b7fba9
SHA1: bb8a1449ca4adc94cd27962c9197df1a3d68e3f2
SHA256: 4d37c4c6a3cc6f3367a999225920d542f9a1b40f3ffdefe6fa06659480a2d627
SHA512: 831588190eee785cd5222aff30d979f2b40a1908818773a7a3e569a3d342dc8a7116c7a522990880c1034d85d528827d2f9aa5929cdbe9293dd2f508d0709f67