Analysis
max time kernel: 1782s
max time network: 1798s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-12-2024 03:03
Behavioral task: behavioral1
Sample: poo virus grr.rar
Resource: win11-20241007-en
General
Target: poo virus grr.rar
Size: 1.0MB
MD5: 188f727e3be9e5d89c86d843441386f8
SHA1: d84ecac02426ab30a66de06c7ec72e52a0eaad6d
SHA256: 8b507e7ba319bcbf1a13540ec20ad4f31d667a6a1cc99e091fc2f74066123c78
SHA512: 332358be50280c6005b95fc5fc288ab767abb0162c6f0ddd19fab8e4c5dd22f46ea2f724cac63baaf53086b7d095d04527d55a10796275fc9ecedd0f117c1718
SSDEEP: 24576:2zGoqxxbY9XIPD7Ltr4ol2iu0kiOiIBIvWCcxdxq:2wxxiXIHLyolt/7DIGvsxd0
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Office04
C2: 181.99.66.83:4782
7b23506c-ff83-4362-93b4-b99c14429834
encryption_key: 7A8E2417AD5EAA788488BDF81FE6CACB01258933
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x001900000002aac4-4.dat | family_quasar
  behavioral1/memory/3696-15-0x0000000000EF0000-0x0000000001214000-memory.dmp | family_quasar
Executes dropped EXE (2 IoCs)
  pid | Process
  3696 | activate virus [logs ur device].exe
  3356 | Client.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3884 | schtasks.exe
  3160 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3628 | 7zFM.exe
  3628 | 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3628 | 7zFM.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 3628 | 7zFM.exe
  Token: 35 | 3628 | 7zFM.exe
  Token: SeSecurityPrivilege | 3628 | 7zFM.exe
  Token: SeSecurityPrivilege | 3628 | 7zFM.exe
  Token: SeDebugPrivilege | 3696 | activate virus [logs ur device].exe
  Token: SeDebugPrivilege | 3356 | Client.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  3628 | 7zFM.exe
  3628 | 7zFM.exe
  3628 | 7zFM.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  3356 | Client.exe
  3372 | MiniSearchHost.exe
  3396 | OpenWith.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 3628 wrote to memory of 3696 | 3628 | 7zFM.exe | 77
  PID 3628 wrote to memory of 3696 | 3628 | 7zFM.exe | 77
  PID 3696 wrote to memory of 3884 | 3696 | activate virus [logs ur device].exe | 80
  PID 3696 wrote to memory of 3884 | 3696 | activate virus [logs ur device].exe | 80
  PID 3696 wrote to memory of 3356 | 3696 | activate virus [logs ur device].exe | 82
  PID 3696 wrote to memory of 3356 | 3696 | activate virus [logs ur device].exe | 82
  PID 3356 wrote to memory of 3160 | 3356 | Client.exe | 83
  PID 3356 wrote to memory of 3160 | 3356 | Client.exe | 83
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented beneath their parent)
C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\poo virus grr.rar"
  PID: 3628
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zOC2E4AEB7\activate virus [logs ur device].exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zOC2E4AEB7\activate virus [logs ur device].exe"
      PID: 3696
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          PID: 3884
          - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          PID: 3356
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\SYSTEM32\schtasks.exe
              Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              PID: 3160
              - Scheduled Task/Job: Scheduled Task
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 3372
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 2828
C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID: 4704
  - Modifies registry class
C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  PID: 4528
  - Drops file in Windows directory
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 1124
  - System Location Discovery: System Language Discovery
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3396
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1be980d1-fa69-465e-97cc-18bea710f2b5.down_data
  Filesize: 555KB
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
(path not recorded in the report)
  Filesize: 3.1MB