Analysis
max time kernel: 103s
max time network: 112s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 15-12-2024 15:42
General
Target: app.exe
Size: 3.1MB
MD5: b8f097d5264902c9a54edf5cb26b4731
SHA1: 4c2670bc094f0ed3b44de87fca95403073ddd81d
SHA256: 93a291be0837344a2f715c9941a23b03232294865835f1dce8e81fdce5382bc9
SHA512: 983ae07639c872fbcf07aac883f76f9cc04e7ad3b743be3d500818830ff0db8a9626a32ff7c8a7c3e11ff991a94d8c942d6702f3ec9d2aba7f65a3b290e980d5
SSDEEP: 49152:OvWI22SsaNYfdPBldt698dBcjHddRJ6xbR3LoGdyVTHHB72eh2NT:Ov722SsaNYfdPBldt6+dBcjHddRJ6T
Malware Config
Extracted
quasar
1.4.1
KDOTCrypt
fedx.ddns.net:7000
70b69453-9c90-490b-81c2-83279615d904
encryption_key: 92470F4731518ABFA77DC89068544FB7E7B7C459
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (1 IoC)
  resource: behavioral1/memory/3160-1-0x0000000000D60000-0x0000000001084000-memory.dmp; yara_rule: family_quasar
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\International\Geo\Nation; process: app.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid: 3804; process: PING.EXE
Runs ping.exe (1 TTP, 1 IoC)
  pid: 3804; process: PING.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 3160; process: app.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 3160 wrote to memory of 220 | 3160 | app.exe | 85
  PID 3160 wrote to memory of 220 | 3160 | app.exe | 85
  PID 220 wrote to memory of 2184 | 220 | cmd.exe | 87
  PID 220 wrote to memory of 2184 | 220 | cmd.exe | 87
  PID 220 wrote to memory of 3804 | 220 | cmd.exe | 88
  PID 220 wrote to memory of 3804 | 220 | cmd.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\app.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\app.exe"
  PID: 3160
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEVSJ41AB8P7.bat" "
    PID: 220
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 2184
    C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      PID: 3804
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 204B
MD5: dd34d9a2e8ddcf37836c33015392d31f
SHA1: 161d7361c42829369837284451936b9bcfa96b35
SHA256: 552e1270540594677c25996fcb1e0f8d4c8a2f0c18114566e69f6d4f723c2133
SHA512: 1dc794fafbcee3e7f4e8c6a7620bafcfcdb67a18b0dbfe75ee852a857777dfebcbc7d0d7720cf6e5f20a3ef52213f8a23f219eef7956800ff8be1e4e946ce10a