Analysis
-
max time kernel
109s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted
04-12-2024 06:27
Behavioral task
behavioral1
Sample
Pulse.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
Pulse.exe
-
Size
3.2MB
-
MD5
535322149244cd68409b0993ae2a754c
-
SHA1
2853957fbf35d1a52eabf3e8a795f76d385d60bd
-
SHA256
65603e83477ef928bedc7aa918d3b1dee61896f602fa3313a74188fbcb965596
-
SHA512
18d31f91ebbf934daec9f887359088f5702efb8438e100d054a1009c14a614d38611e8fcc7562c9b81d0069a83439c58f40d5883abfd3005e9241be4ce4a2fc3
-
SSDEEP
49152:TvEt62XlaSFNWPjljiFa2RoUYIkCn1JyLoGdMTHHB72eh2NT:TvY62XlaSFNWPjljiFXRoUYIkCE
Malware Config
Extracted
quasar
1.4.1
Enigma
192.168.1.86:4782
bd83f1df-b3b7-42d7-8445-4f609db2329e
-
encryption_key
F3A4FE9327E3E026CF9F5187588DCA6A20115433
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
host.exe
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/460-1-0x00000000007E0000-0x0000000000B0E000-memory.dmp | family_quasar
behavioral2/files/0x001c00000002aae0-6.dat | family_quasar
Executes dropped EXE 1 IoCs
Processes: Client.exe
pid | Process
548 | Client.exe
Drops file in System32 directory 5 IoCs
Processes: Pulse.exe, Client.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Pulse.exe
File opened for modification | C:\Windows\system32\SubDir | Pulse.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File created | C:\Windows\system32\SubDir\Client.exe | Pulse.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: mshta.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | Process
5060 | schtasks.exe
1320 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Pulse.exe, Client.exe
description | pid | Process
Token: SeDebugPrivilege | 460 | Pulse.exe
Token: SeDebugPrivilege | 548 | Client.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: Client.exe
pid | Process
548 | Client.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes: Client.exe
pid | Process
548 | Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Client.exe
pid | Process
548 | Client.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: Pulse.exe, Client.exe
description | pid | Process | procid_target
PID 460 wrote to memory of 5060 | 460 | Pulse.exe | 77
PID 460 wrote to memory of 5060 | 460 | Pulse.exe | 77
PID 460 wrote to memory of 548 | 460 | Pulse.exe | 79
PID 460 wrote to memory of 548 | 460 | Pulse.exe | 79
PID 548 wrote to memory of 1320 | 548 | Client.exe | 80
PID 548 wrote to memory of 1320 | 548 | Client.exe | 80
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Pulse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pulse.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 460
    [2] C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks" /create /tn "host.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
        PID: 5060
    [2] C:\Windows\system32\SubDir\Client.exe
        Command line: "C:\Windows\system32\SubDir\Client.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 548
        [3] C:\Windows\SYSTEM32\schtasks.exe
            Command line: "schtasks" /create /tn "host.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
            PID: 1320
[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4852
[1] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UninstallCompress.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - System Location Discovery: System Language Discovery
    PID: 3320
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.2MB
MD5
535322149244cd68409b0993ae2a754c
SHA1
2853957fbf35d1a52eabf3e8a795f76d385d60bd
SHA256
65603e83477ef928bedc7aa918d3b1dee61896f602fa3313a74188fbcb965596
SHA512
18d31f91ebbf934daec9f887359088f5702efb8438e100d054a1009c14a614d38611e8fcc7562c9b81d0069a83439c58f40d5883abfd3005e9241be4ce4a2fc3