Analysis
max time kernel: 444s
max time network: 446s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 15-12-2024 15:40
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win10v2004-20241007-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 749286088524b5c49a9f6fd5dd15de49
SHA1: bc255bc2f5a7f50e8fec2e5eca55c82de0bb15a2
SHA256: e1dd16d3d0550466cd1e5efa60ea8f0d3b204f52ddccb4b58d46a7dba9dc5587
SHA512: b0ac4798d04e443f6e795e718bf301a885bc96ab2bd12f4d2b14d47e75aa897b5f53c22dab14b95a12a4f2e177d86a78a0af08ab916906a9a9ce7eb0b860dd8e
SSDEEP: 49152:WvWI22SsaNYfdPBldt698dBcjHSlRJ6ibR3LoGd09THHB72eh2NT:Wv722SsaNYfdPBldt6+dBcjHSlRJ6c
Malware Config
Extracted: quasar
1.4.1
KDOTCrypt
fedx.ddns.net:7000
f70e50c5-1467-4cc3-8be1-b4ca15c11c35
encryption_key: 92470F4731518ABFA77DC89068544FB7E7B7C459
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (1 IoC)
resource: behavioral2/memory/5020-1-0x00000000009D0000-0x0000000000CF4000-memory.dmp
yara_rule: family_quasar
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\International\Geo\Nation
Process: Client-built.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid: 3468, Process: PING.EXE
Runs ping.exe (1 TTP, 1 IoC)
pid: 3468, Process: PING.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege, pid: 5020, Process: Client-built.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 5020 wrote to memory of 1016 | 5020 | Client-built.exe | 84
PID 5020 wrote to memory of 1016 | 5020 | Client-built.exe | 84
PID 1016 wrote to memory of 4428 | 1016 | cmd.exe | 86
PID 1016 wrote to memory of 4428 | 1016 | cmd.exe | 86
PID 1016 wrote to memory of 3468 | 1016 | cmd.exe | 87
PID 1016 wrote to memory of 3468 | 1016 | cmd.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\Client-built.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
   PID: 5020
   Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\urjvr2YSBGsY.bat" "
      PID: 1016
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\chcp.com
         Command line: chcp 65001
         PID: 4428
      3. C:\Windows\system32\PING.EXE
         Command line: ping -n 10 localhost
         PID: 3468
         Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 213B
MD5: 4e152bc968b3e152ea292cb750a251cd
SHA1: deb3a27ffe7479374bdf7dd1bbddb2f4bc7a3c66
SHA256: 9e62ff1cffc1bf72b7055b66c861c8bdb327833c91e8f58f55b9b7891e454633
SHA512: af909879185a23a369b18c7594eb0033b3ee551991b2441c5fdac5b179f02a6ec0acea43bdbcc2ce661cd8645dff024b3663c3302602be6230b1b65b631fb12e