Analysis
-
max time kernel
96s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13/12/2024, 07:23 UTC
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240708-en
General
-
Target
Client-built.exe
-
Size
348KB
-
MD5
e8ecdeb99f70e49718a4fc9986f86df3
-
SHA1
4f50bde0200a60dfe74a957a4f927e5648e2e78f
-
SHA256
d0030ab6b4ed701eca6cad94f123517f564edb6a17ca33cbe6415cea10ac1401
-
SHA512
f04bbab81c20eb22315914d20fa3d34761e0821592189b12c8821b311a3056f9c767bfc57eb41403c55a5eeb0cef50575686c1766ccfb164c5bb1892637c37ba
-
SSDEEP
6144:SRNHXf500Mr7ULWRbNlPyDg+Rve9cc6i0pzci:Kd50xUxs+RWGcdOzci
Malware Config
Extracted
quasar
1.3.0.0
Test
5.tcp.eu.ngrok.io:13432
5.tcp.eu.ngrok.io:8080
QSR_MUTEX_zDi3X3iiANcUc0nFPZ
-
encryption_key
10b0G4xQi1VrldATZzJ7
-
install_name
win.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Runtime
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/432-1-0x0000000000570000-0x00000000005CE000-memory.dmp family_quasar behavioral2/files/0x0007000000023cd0-10.dat family_quasar -
Executes dropped EXE 1 IoCs
pid Process 2360 win.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 16 5.tcp.eu.ngrok.io 40 5.tcp.eu.ngrok.io 44 5.tcp.eu.ngrok.io -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\SubDir\win.exe Client-built.exe File opened for modification C:\Windows\SysWOW64\SubDir\win.exe Client-built.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client-built.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2944 schtasks.exe 3408 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 432 Client-built.exe Token: SeDebugPrivilege 2360 win.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2360 win.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 432 wrote to memory of 2944 432 Client-built.exe 84 PID 432 wrote to memory of 2944 432 Client-built.exe 84 PID 432 wrote to memory of 2944 432 Client-built.exe 84 PID 432 wrote to memory of 2360 432 Client-built.exe 86 PID 432 wrote to memory of 2360 432 Client-built.exe 86 PID 432 wrote to memory of 2360 432 Client-built.exe 86 PID 2360 wrote to memory of 3408 2360 win.exe 87 PID 2360 wrote to memory of 3408 2360 win.exe 87 PID 2360 wrote to memory of 3408 2360 win.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2944
-
-
C:\Windows\SysWOW64\SubDir\win.exe"C:\Windows\SysWOW64\SubDir\win.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\win.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3408
-
-
Network
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1.112.95.208.in-addr.arpaIN PTRResponse1.112.95.208.in-addr.arpaIN PTRip-apicom
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:8.8.8.8:53Request5.tcp.eu.ngrok.ioIN AResponse5.tcp.eu.ngrok.ioIN A18.158.58.205
-
Remote address:8.8.8.8:53Request205.58.158.18.in-addr.arpaIN PTRResponse205.58.158.18.in-addr.arpaIN PTRec2-18-158-58-205eu-central-1compute amazonawscom
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request5.tcp.eu.ngrok.ioIN AResponse5.tcp.eu.ngrok.ioIN A3.64.4.198
-
Remote address:8.8.8.8:53Request5.tcp.eu.ngrok.ioIN AResponse5.tcp.eu.ngrok.ioIN A3.64.4.198
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.4.64.3.in-addr.arpaIN PTRResponse198.4.64.3.in-addr.arpaIN PTRec2-3-64-4-198eu-central-1compute amazonawscom
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
374 B 560 B 5 2
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
374 B 640 B 5 4
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
190 B 132 B 4 3
-
260 B 5
-
190 B 132 B 4 3
-
260 B 5
-
734 B 584 B 11 10
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
56 B 72 B 1 1
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 95 B 1 1
DNS Request
1.112.95.208.in-addr.arpa
-
63 B 79 B 1 1
DNS Request
5.tcp.eu.ngrok.io
DNS Response
18.158.58.205
-
72 B 138 B 1 1
DNS Request
205.58.158.18.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
63 B 79 B 1 1
DNS Request
5.tcp.eu.ngrok.io
DNS Response
3.64.4.198
-
63 B 79 B 1 1
DNS Request
5.tcp.eu.ngrok.io
DNS Response
3.64.4.198
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
69 B 132 B 1 1
DNS Request
198.4.64.3.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD5e8ecdeb99f70e49718a4fc9986f86df3
SHA14f50bde0200a60dfe74a957a4f927e5648e2e78f
SHA256d0030ab6b4ed701eca6cad94f123517f564edb6a17ca33cbe6415cea10ac1401
SHA512f04bbab81c20eb22315914d20fa3d34761e0821592189b12c8821b311a3056f9c767bfc57eb41403c55a5eeb0cef50575686c1766ccfb164c5bb1892637c37ba