Analysis
-
max time kernel
303s -
max time network
427s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2024 15:40
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win10v2004-20241007-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
749286088524b5c49a9f6fd5dd15de49
-
SHA1
bc255bc2f5a7f50e8fec2e5eca55c82de0bb15a2
-
SHA256
e1dd16d3d0550466cd1e5efa60ea8f0d3b204f52ddccb4b58d46a7dba9dc5587
-
SHA512
b0ac4798d04e443f6e795e718bf301a885bc96ab2bd12f4d2b14d47e75aa897b5f53c22dab14b95a12a4f2e177d86a78a0af08ab916906a9a9ce7eb0b860dd8e
-
SSDEEP
49152:WvWI22SsaNYfdPBldt698dBcjHSlRJ6ibR3LoGd09THHB72eh2NT:Wv722SsaNYfdPBldt6+dBcjHSlRJ6c
Malware Config
Extracted
quasar
1.4.1
KDOTCrypt
fedx.ddns.net:7000
f70e50c5-1467-4cc3-8be1-b4ca15c11c35
-
encryption_key
92470F4731518ABFA77DC89068544FB7E7B7C459
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral1/memory/416-1-0x00000000001E0000-0x0000000000504000-memory.dmp family_quasar -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Client-built.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 24 api.ipify.org 25 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2820 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2820 PING.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 416 Client-built.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 416 wrote to memory of 3204 416 Client-built.exe 90 PID 416 wrote to memory of 3204 416 Client-built.exe 90 PID 3204 wrote to memory of 944 3204 cmd.exe 92 PID 3204 wrote to memory of 944 3204 cmd.exe 92 PID 3204 wrote to memory of 2820 3204 cmd.exe 93 PID 3204 wrote to memory of 2820 3204 cmd.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyTzdRRiA8vO.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:944
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2820
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213B
MD55316887352308abd1d675de86dc13d5a
SHA123abc9dba2b65a0bd10b2278a5329595edbaa316
SHA256534def8b4c8cc783876f8f17b293d86458d8ba2b5f9d3627c40589d89100dd61
SHA5121565018990b15e90be39bf407788abf49c071a0450edb093f1b43c1e6020b265ea6f3bf987a13085324443a4a2314215d995275d56091ef9c9b005818477cf20