Analysis
- max time kernel: 147s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-12-2024 22:49
Behavioral task
- behavioral1
  - Sample: Client-built.exe
  - Resource: win7-20240903-en
General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: 85b177add44a49f07c6610191c064bbc
- SHA1: 7766290221b9dafd7c0d6d983070f55863ed1b26
- SHA256: 7b652915c4539bf3c40a0700ca93c63e5fb1e56fdf0eb89567f7f0a8fb081aeb
- SHA512: 0a4d7e6a5c3e2d63a92f2ae57ab68561f47e827edffea6ea83aebac8286aab886c3bd98c6e791222411d272a925e8b3e03e14dc1b1017aaa449c1b0674717798
- SSDEEP: 49152:TvChBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaUEGiBeHLoVd2THHB72eh2NT:Tv8t2d5aKCuVPzlEmVQ0wvwf/Gp
Malware Config
Extracted
- quasar
- 1.4.1
- ratted
- localhost:4782
- 87.97.126.177:4782
- 48887e39-00c3-4c7d-9fbd-aa9bee5b1a88
- encryption_key: CD36E224C70A801E8033FBB0E5129B1EA712AE1D
- install_name: Windows Font Manager.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows Font Manager
- subdirectory: Fonts
Signatures
- Quasar family
- Quasar payload (3 IoCs)
  resource | yara_rule
  - behavioral1/memory/2848-1-0x0000000000EF0000-0x0000000001214000-memory.dmp | family_quasar
  - behavioral1/files/0x00070000000186de-6.dat | family_quasar
  - behavioral1/memory/2756-9-0x0000000000940000-0x0000000000C64000-memory.dmp | family_quasar
- Executes dropped EXE (1 IoC)
  pid | Process
  - 2756 | Windows Font Manager.exe
- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  - File created | C:\Windows\system32\Fonts\Windows Font Manager.exe | Client-built.exe
  - File opened for modification | C:\Windows\system32\Fonts\Windows Font Manager.exe | Client-built.exe
  - File opened for modification | C:\Windows\system32\Fonts | Client-built.exe
  - File opened for modification | C:\Windows\system32\Fonts\Windows Font Manager.exe | Windows Font Manager.exe
  - File opened for modification | C:\Windows\system32\Fonts | Windows Font Manager.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 2120 | schtasks.exe
  - 2288 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 2848 | Client-built.exe
  - Token: SeDebugPrivilege | 2756 | Windows Font Manager.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  - PID 2848 wrote to memory of 2288 | 2848 | Client-built.exe | 31
  - PID 2848 wrote to memory of 2288 | 2848 | Client-built.exe | 31
  - PID 2848 wrote to memory of 2288 | 2848 | Client-built.exe | 31
  - PID 2848 wrote to memory of 2756 | 2848 | Client-built.exe | 33
  - PID 2848 wrote to memory of 2756 | 2848 | Client-built.exe | 33
  - PID 2848 wrote to memory of 2756 | 2848 | Client-built.exe | 33
  - PID 2756 wrote to memory of 2120 | 2756 | Windows Font Manager.exe | 34
  - PID 2756 wrote to memory of 2120 | 2756 | Windows Font Manager.exe | 34
  - PID 2756 wrote to memory of 2120 | 2756 | Windows Font Manager.exe | 34
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 2848
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Windows Font Manager" /sc ONLOGON /tr "C:\Windows\system32\Fonts\Windows Font Manager.exe" /rl HIGHEST /f
    PID: 2288
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\Fonts\Windows Font Manager.exe
    Command line: "C:\Windows\system32\Fonts\Windows Font Manager.exe"
    PID: 2756
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Windows Font Manager" /sc ONLOGON /tr "C:\Windows\system32\Fonts\Windows Font Manager.exe" /rl HIGHEST /f
      PID: 2120
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  - MD5: 85b177add44a49f07c6610191c064bbc
  - SHA1: 7766290221b9dafd7c0d6d983070f55863ed1b26
  - SHA256: 7b652915c4539bf3c40a0700ca93c63e5fb1e56fdf0eb89567f7f0a8fb081aeb
  - SHA512: 0a4d7e6a5c3e2d63a92f2ae57ab68561f47e827edffea6ea83aebac8286aab886c3bd98c6e791222411d272a925e8b3e03e14dc1b1017aaa449c1b0674717798