Analysis
-
max time kernel
132s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 14:17
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20241023-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
c10246a3d7708f3f62e843ece9d68fa4
-
SHA1
81c15351ad25c46676a93b82eccf6a7abb9c4727
-
SHA256
9a20abb95dd8ee12f24afcd2729e9f92493feca9d2fe75aaa9b1758c08a93f44
-
SHA512
a960fed8a6780f598be60634bbcbf0967a7035c3a74ffb293610f10153afcfe92989c5253c75c0b164fd36cf00a83a6b2ff0be722bd6b9a9d8bff4a8a5e69323
-
SSDEEP
49152:2vOI22SsaNYfdPBldt698dBcjHVPDPEQs/kC6nLoG7pTHHB72eh2NT:2vj22SsaNYfdPBldt6+dBcjHVPD9L
Malware Config
Extracted
quasar
1.4.1
Office04
147.185.221.24:26130
0c16ac3a-65ad-4a46-aa3d-7e603e8df11d
-
encryption_key
8DF659EF1733572C92CB099CAABF5BB85EC5170A
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/1068-1-0x0000000000AD0000-0x0000000000DF4000-memory.dmp family_quasar behavioral2/files/0x0007000000023cb5-5.dat family_quasar -
Executes dropped EXE 1 IoCs
pid Process 1676 Client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1068 Client-built.exe Token: SeDebugPrivilege 1676 Client.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1676 Client.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1676 Client.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1068 wrote to memory of 1676 1068 Client-built.exe 83 PID 1068 wrote to memory of 1676 1068 Client-built.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1676
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5c10246a3d7708f3f62e843ece9d68fa4
SHA181c15351ad25c46676a93b82eccf6a7abb9c4727
SHA2569a20abb95dd8ee12f24afcd2729e9f92493feca9d2fe75aaa9b1758c08a93f44
SHA512a960fed8a6780f598be60634bbcbf0967a7035c3a74ffb293610f10153afcfe92989c5253c75c0b164fd36cf00a83a6b2ff0be722bd6b9a9d8bff4a8a5e69323