Analysis
max time kernel: 1795s
max time network: 1799s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-12-2024 03:03
Behavioral task: behavioral1
Sample: poo virus grr.rar
Resource: win11-20241007-en
General
Target: poo virus grr/activate virus [logs ur device].exe
Size: 3.1MB
MD5: 7f604852d7713ce48e754d05cfdb9c2e
SHA1: 8caa2ea8644f0014d8949edf576b008de2fcde75
SHA256: db706cddf84bb9d83cda2cc00e6832e26daa6592eef27fc37d39eccdc683e5d4
SHA512: a36e50b1426e990c1130a309bf453657561b646b3160c1e3a3f4d46b02bf24706982f635be627521a909a61b8fa57f0fbcc108cb1c340a37f86725bc38454ef7
SSDEEP: 49152:DvyI22SsaNYfdPBldt698dBcjHDXUue8LzCoGhtTHHB72eh2NT:Dvf22SsaNYfdPBldt6+dBcjHDXUu0
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 181.99.66.83:4782
Mutex: 7b23506c-ff83-4362-93b4-b99c14429834
encryption_key: 7A8E2417AD5EAA788488BDF81FE6CACB01258933
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
resource -> yara_rule:
- behavioral2/memory/3640-1-0x0000000000670000-0x0000000000994000-memory.dmp -> family_quasar
- behavioral2/files/0x002000000002ab00-6.dat -> family_quasar
Executes dropped EXE (1 IoC)
- PID 3492: Client.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the same ONLOGON task, "Quasar Client Startup", is registered twice: once by the dropper and again by the installed Client.exe (see the process tree below).
- PID 3456: schtasks.exe
- PID 2908: schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3640: activate virus [logs ur device].exe
- Token: SeDebugPrivilege, PID 3492: Client.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Quasar's keylogger installs its keyboard hook this way; the hook type is not recorded in this signature.
- PID 3492: Client.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Every target below is a direct child of the writing process in the tree, so these are the writes a parent performs while creating a child process, not injection into an unrelated process.
- PID 3640 (activate virus [logs ur device].exe) wrote to memory of PID 3456 (procid_target 77)
- PID 3640 (activate virus [logs ur device].exe) wrote to memory of PID 3456 (procid_target 77)
- PID 3640 (activate virus [logs ur device].exe) wrote to memory of PID 3492 (procid_target 79)
- PID 3640 (activate virus [logs ur device].exe) wrote to memory of PID 3492 (procid_target 79)
- PID 3492 (Client.exe) wrote to memory of PID 2908 (procid_target 80)
- PID 3492 (Client.exe) wrote to memory of PID 2908 (procid_target 80)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\poo virus grr\activate virus [logs ur device].exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\poo virus grr\activate virus [logs ur device].exe"
  PID: 3640
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 3456
    - Scheduled Task/Job: Scheduled Task
  Depth 2: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 3492
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 2908
      - Scheduled Task/Job: Scheduled Task
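The persistence chain in this tree is a compact detection target: the dropper in AppData\Local\Temp calls schtasks.exe to register an ONLOGON task with /rl HIGHEST whose action points into AppData\Roaming, starts the dropped Client.exe from there, and Client.exe registers the same task again. The Python below is an added example, not part of the sandbox report or of Quasar's code. It parses schtasks command lines and scores them over constructed process-creation records in the shape of Sysmon Event ID 1 fields (pid, ppid, image, command line). The PIDs, paths and command lines are taken from the tree above; the parent PID 1234 and the "Example Updater" records are made-up benign noise, and the user-writable path list and the two-reason threshold are this example's own choices.

```python
"""Hunt for the schtasks persistence chain shown in the process tree.

Records are constructed for this example (Sysmon Event ID 1 field shape);
they are not logs produced by the sandbox run.
"""
import re

# A token is either a double-quoted string (quotes stripped) or a run of non-whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Locations a standard user can write to (assumption for this example). A task whose
# action lives here, fires at logon and asks for the highest run level matches the
# pattern the Quasar installer produces.
_USER_WRITABLE = ("/appdata/roaming/", "/appdata/local/temp/",
                  "/programdata/", "/users/public/")


def norm(path):
    """Lower-case a Windows path and use forward slashes so substring checks are uniform."""
    return path.lower().replace("\\", "/")


def in_user_writable(path):
    return any(marker in norm(path) for marker in _USER_WRITABLE)


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return (verb, switches) for a schtasks.exe command line.

    switches maps a lower-cased '/x' to the value that follows it, or True for
    bare flags such as /f.
    """
    toks = tokenize(cmdline)
    verb, switches = None, {}
    i = 1  # toks[0] is the program name
    while i < len(toks):
        key = toks[i].lower()
        if key in ("/create", "/delete", "/query", "/run", "/change", "/end"):
            verb = key[1:]
            i += 1
        elif key.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            switches[key] = toks[i + 1]
            i += 2
        else:
            if key.startswith("/"):
                switches[key] = True
            i += 1
    return verb, switches


def analyze(records):
    """Return findings for risky task registrations and execution of dropped binaries."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        parent = by_pid.get(r["ppid"])
        if norm(r["image"]).endswith("/schtasks.exe"):
            verb, sw = parse_schtasks(r["cmdline"])
            if verb != "create":
                continue
            reasons = []
            trigger = str(sw.get("/sc", "")).upper()
            if trigger in ("ONLOGON", "ONSTART"):
                reasons.append("trigger=" + trigger)
            if str(sw.get("/rl", "")).upper() == "HIGHEST":
                reasons.append("runlevel=HIGHEST")
            action = str(sw.get("/tr", ""))
            if in_user_writable(action):
                reasons.append("action in user-writable path")
            if parent and in_user_writable(parent["image"]):
                reasons.append("parent runs from user-writable path")
            if len(reasons) >= 2:  # a single trait is common in benign installers
                findings.append({"pid": r["pid"], "kind": "schtasks_persistence",
                                 "task": sw.get("/tn"), "action": action, "reasons": reasons})
        elif (parent and in_user_writable(r["image"]) and in_user_writable(parent["image"])
              and norm(r["image"]).rsplit("/", 1)[0] != norm(parent["image"]).rsplit("/", 1)[0]):
            # A binary in one user-writable directory starting another binary from a
            # different user-writable directory: the "Executes dropped EXE" signature.
            findings.append({"pid": r["pid"], "kind": "dropped_exe_execution",
                             "image": r["image"], "parent_image": parent["image"],
                             "reasons": ["child and parent in different user-writable dirs"]})
    return findings


_TASK_CMD = (r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
             r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')

# Constructed records: PIDs and paths from the process tree; 1234, 900 and the
# "Example Updater" entries are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 3640, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\poo virus grr\activate virus [logs ur device].exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\poo virus grr\activate virus [logs ur device].exe"'},
    {"pid": 3456, "ppid": 3640, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": _TASK_CMD},
    {"pid": 3492, "ppid": 3640, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 2908, "ppid": 3492, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": _TASK_CMD},
    {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Example Updater" /sc DAILY /st 12:00 /tr "C:\Program Files\Example\updater.exe"'},
    {"pid": 5104, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "Example Updater"'},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against real telemetry, feed Sysmon Event ID 1 (or 4688 with command-line auditing) records into analyze(); the benign DAILY task with an action under Program Files scores zero reasons and is ignored, while both registrations of "Quasar Client Startup" and the launch of Client.exe from AppData\Roaming\SubDir are reported.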
Network
MITRE ATT&CK Enterprise v15