Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 06:33
Behavioral task: behavioral1
Sample: injector.exe
Resource: win7-20240903-en
General
Target: injector.exe
Size: 3.1MB
MD5: 7d13d756b342ff87ce8db9749afac263
SHA1: 97ca7f6dfbda61b1f81eedd15ac782caedd74db5
SHA256: debb1fc4bbe5a6ee929d11766367ccc6f641610469fbd8e704895683db6f7360
SHA512: 4683fffbde6993ed877f73b87b39ee40e712d822f18341bd20787183771af73cd07f9757a08a334b58be6ef61186db5f7285402ea5e90886654ecfa3085b8438
SSDEEP: 49152:LvmI22SsaNYfdPBldt698dBcjHVWxNESEyk/iMLoGdBkTHHB72eh2NT:Lvr22SsaNYfdPBldt6+dBcjHAxpS
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.100.2:4444
72f080a6-63a5-4cb8-b261-46434c791afc
encryption_key: 6B74F0C858B7E90573D4E97997F2A082B9781250
install_name: Panel.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/1548-1-0x0000000000B40000-0x0000000000E64000-memory.dmp: family_quasar
- behavioral1/files/0x0009000000015d03-6.dat: family_quasar
- behavioral1/memory/2204-10-0x00000000000B0000-0x00000000003D4000-memory.dmp: family_quasar
Executes dropped EXE (1 IoC)
pid / Process:
- 2204: Panel.exe
Drops file in System32 directory (5 IoCs)
description / ioc / Process:
- File created: C:\Windows\system32\SubDir\Panel.exe (injector.exe)
- File opened for modification: C:\Windows\system32\SubDir\Panel.exe (injector.exe)
- File opened for modification: C:\Windows\system32\SubDir (injector.exe)
- File opened for modification: C:\Windows\system32\SubDir\Panel.exe (Panel.exe)
- File opened for modification: C:\Windows\system32\SubDir (Panel.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 1548, injector.exe
- Token: SeDebugPrivilege, 2204, Panel.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process:
- 2204: Panel.exe
Suspicious use of SendNotifyMessage (1 IoC)
pid / Process:
- 2204: Panel.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 2204: Panel.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target:
- PID 1548 wrote to memory of 2204, 1548, injector.exe, 28
- PID 1548 wrote to memory of 2204, 1548, injector.exe, 28
- PID 1548 wrote to memory of 2204, 1548, injector.exe, 28
Processes
C:\Users\Admin\AppData\Local\Temp\injector.exe (command line: "C:\Users\Admin\AppData\Local\Temp\injector.exe"), level 1
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1548
  C:\Windows\system32\SubDir\Panel.exe (command line: "C:\Windows\system32\SubDir\Panel.exe"), level 2
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 2204
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 7d13d756b342ff87ce8db9749afac263
SHA1: 97ca7f6dfbda61b1f81eedd15ac782caedd74db5
SHA256: debb1fc4bbe5a6ee929d11766367ccc6f641610469fbd8e704895683db6f7360
SHA512: 4683fffbde6993ed877f73b87b39ee40e712d822f18341bd20787183771af73cd07f9757a08a334b58be6ef61186db5f7285402ea5e90886654ecfa3085b8438