Analysis

max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2024 23:07
Static task: static1
Behavioral task: behavioral1
Sample: ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260.exe
Resource: win7-20241023-en
General

Target: ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260.exe
Size: 2.1MB
MD5: 087a67ee553b19774b9ce8f45c9532b3
SHA1: 5a06e39e4000fb1480753d320e3b252c24b51c82
SHA256: ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260
SHA512: fe66c75ca8e55b3d4f34f742852f5821509510ec4dd614d3c7bcd857b3361c47ecb3e7871bf2c2c05362a3e4cfde935fdcf1a61c5995696ab78b30edad8bf274
SSDEEP: 49152:3Djlabwz9L7bFVItZNvxxiXIHLyoltZMqzlsHbk:zqwhlVQLvxqIHL5t6qobk
Malware Config

Extracted
quasar
1.4.1
Office04
192.168.0.97:4782
ce58d4d7-5ffa-4b20-9aff-e05dd520bef2

encryption_key: E7BFEA6A25E205DE16660AD01E8DE9BD5D2907A9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (3 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2740-23-0x0000000001230000-0x0000000001554000-memory.dmp  family_quasar
behavioral1/files/0x0007000000016cf5-21.dat                                  family_quasar
behavioral1/memory/1716-15-0x0000000000FA0000-0x00000000012C4000-memory.dmp  family_quasar

Executes dropped EXE (2 IoCs)
pid   Process
1716  Client-built.exe
2740  Client.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2916  schtasks.exe
2852  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1716  Client-built.exe
Token: SeDebugPrivilege  2740  Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
2740  Client.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                 procid_target
PID 692 wrote to memory of 1716   692   ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260.exe  31
PID 692 wrote to memory of 1716   692   ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260.exe  31
PID 692 wrote to memory of 1716   692   ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260.exe  31
PID 1716 wrote to memory of 2852  1716  Client-built.exe                                                        32
PID 1716 wrote to memory of 2852  1716  Client-built.exe                                                        32
PID 1716 wrote to memory of 2852  1716  Client-built.exe                                                        32
PID 1716 wrote to memory of 2740  1716  Client-built.exe                                                        34
PID 1716 wrote to memory of 2740  1716  Client-built.exe                                                        34
PID 1716 wrote to memory of 2740  1716  Client-built.exe                                                        34
PID 2740 wrote to memory of 2916  2740  Client.exe                                                              35
PID 2740 wrote to memory of 2916  2740  Client.exe                                                              35
PID 2740 wrote to memory of 2916  2740  Client.exe                                                              35

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260.exe
    "C:\Users\Admin\AppData\Local\Temp\ef211cb6f339827eba4ab312b5b4a2b477798a233b975702e8d863e5a5c2f260.exe"
    - Suspicious use of WriteProcessMemory
    PID: 692

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1716

        C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
            PID: 2852

        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2740

            C:\Windows\system32\schtasks.exe
                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                - Scheduled Task/Job: Scheduled Task
                PID: 2916
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: 1ce028c7fcd75ceadf48a00e6e8b3414
SHA1: ab34c6edd50267ddba0ad59c6fc4963e79348a4c
SHA256: 8290155eb76bfffd148ad64980d9d3bdeb4ea04649ef0b7c89e36fd98e8e0369
SHA512: e16877d56fad7d05f67ca08d5ae39ec4e3ac380fccc99ff67ab66129b0333789bc324b556d4ca04f90e15d95c9beb9560d74488d22765a1ec0893f1bd4c46148