Analysis
-
max time kernel
128s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-12-2024 20:32
Behavioral task
behavioral1
Sample
built.exe
Resource
win7-20240903-en
General
-
Target
built.exe
-
Size
348KB
-
MD5
fb1057eee229c44ceea060397b9f8ff1
-
SHA1
0528f64effa73492a54a97535ee1a4e65d0ad023
-
SHA256
97a83514d72fdb32ff49a7c8526c4a180a5affefc1af9f2abd9c799aa3ac0548
-
SHA512
899c3e467379c04e32e4ca9868640c3e4a282c40780ebb5be63677d4c2155e5970e37f6e490e45796b7964a8736d24aa50936861236b29e7dfc71b9cc43dd892
-
SSDEEP
6144:1mSiPqU23zkkEUcadASlBx+bS7VqlvfbbOA30DbJi:coU2fIS11EtbOu0DbJi
Malware Config
Extracted
quasar
1.3.0.0
Test
100.115.92.196:8080
100.115.92.196:22
100.115.92.196:3389
QSR_MUTEX_B6Q8duJmC3tqQvImXE
-
encryption_key
Fv3xsfvJChgh6yTF3T1x
-
install_name
win.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Runtime
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/3224-1-0x0000000000F60000-0x0000000000FBE000-memory.dmp family_quasar behavioral2/files/0x0007000000023c88-11.dat family_quasar -
Executes dropped EXE 1 IoCs
pid Process 4808 win.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language built.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5060 schtasks.exe 2012 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3224 built.exe Token: SeDebugPrivilege 4808 win.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4808 win.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3224 wrote to memory of 5060 3224 built.exe 83 PID 3224 wrote to memory of 5060 3224 built.exe 83 PID 3224 wrote to memory of 5060 3224 built.exe 83 PID 3224 wrote to memory of 4808 3224 built.exe 85 PID 3224 wrote to memory of 4808 3224 built.exe 85 PID 3224 wrote to memory of 4808 3224 built.exe 85 PID 4808 wrote to memory of 2012 4808 win.exe 86 PID 4808 wrote to memory of 2012 4808 win.exe 86 PID 4808 wrote to memory of 2012 4808 win.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\built.exe"C:\Users\Admin\AppData\Local\Temp\built.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\built.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5060
-
-
C:\Users\Admin\AppData\Roaming\SubDir\win.exe"C:\Users\Admin\AppData\Roaming\SubDir\win.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\win.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2012
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD5fb1057eee229c44ceea060397b9f8ff1
SHA10528f64effa73492a54a97535ee1a4e65d0ad023
SHA25697a83514d72fdb32ff49a7c8526c4a180a5affefc1af9f2abd9c799aa3ac0548
SHA512899c3e467379c04e32e4ca9868640c3e4a282c40780ebb5be63677d4c2155e5970e37f6e490e45796b7964a8736d24aa50936861236b29e7dfc71b9cc43dd892