Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 04-12-2024 06:27
Behavioral task: behavioral1
- Sample: Pulse.exe
- Resource: win10ltsc2021-20241023-en
General
- Target: Pulse.exe
- Size: 3.2MB
- MD5: 535322149244cd68409b0993ae2a754c
- SHA1: 2853957fbf35d1a52eabf3e8a795f76d385d60bd
- SHA256: 65603e83477ef928bedc7aa918d3b1dee61896f602fa3313a74188fbcb965596
- SHA512: 18d31f91ebbf934daec9f887359088f5702efb8438e100d054a1009c14a614d38611e8fcc7562c9b81d0069a83439c58f40d5883abfd3005e9241be4ce4a2fc3
- SSDEEP: 49152:TvEt62XlaSFNWPjljiFa2RoUYIkCn1JyLoGdMTHHB72eh2NT:TvY62XlaSFNWPjljiFXRoUYIkCE
Malware Config
Extracted: quasar
- version: 1.4.1
- Enigma
- C2: 192.168.1.86:4782
- bd83f1df-b3b7-42d7-8445-4f609db2329e
- encryption_key: F3A4FE9327E3E026CF9F5187588DCA6A20115433
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: host.exe
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/540-1-0x00000000006A0000-0x00000000009CE000-memory.dmp | family_quasar
  behavioral1/files/0x0028000000045052-3.dat | family_quasar
- Executes dropped EXE (1 IoC)
  pid | Process
  4176 | Client.exe
- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\SubDir\Client.exe | Pulse.exe
  File opened for modification | C:\Windows\system32\SubDir\Client.exe | Pulse.exe
  File opened for modification | C:\Windows\system32\SubDir | Pulse.exe
  File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
  File opened for modification | C:\Windows\system32\SubDir | Client.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3128 | schtasks.exe
  4844 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 540 | Pulse.exe
  Token: SeDebugPrivilege | 4176 | Client.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4176 | Client.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  4176 | Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4176 | Client.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 540 wrote to memory of 3128 | 540 | Pulse.exe | 82
  PID 540 wrote to memory of 3128 | 540 | Pulse.exe | 82
  PID 540 wrote to memory of 4176 | 540 | Pulse.exe | 84
  PID 540 wrote to memory of 4176 | 540 | Pulse.exe | 84
  PID 4176 wrote to memory of 4844 | 4176 | Client.exe | 85
  PID 4176 wrote to memory of 4844 | 4176 | Client.exe | 85
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Pulse.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Pulse.exe"
  PID: 540
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "host.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    PID: 3128
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\SubDir\Client.exe
    command line: "C:\Windows\system32\SubDir\Client.exe"
    PID: 4176
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "host.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      PID: 4844
      - Scheduled Task/Job: Scheduled Task
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4272
MITRE ATT&CK Enterprise v15