Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 06:37
Behavioral task: behavioral1
Sample: nj.exe
Resource: win7-20240903-en
General
Target: nj.exe
Size: 3.1MB
MD5: fd683344e5fc0a2dc8693f32ff45bf1f
SHA1: 285fbe54593c2d616caecbaba986ba15cc4972ab
SHA256: 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e
SHA512: b272fe1b94e5b8a55167956d7baf1795fc1fc638cb8af12268bfc40c05a6f8dc22bbf06feb0e5c315ed327b60c6e14c11586d569612c8742ceb27f66c04caa79
SSDEEP: 49152:qvVt62XlaSFNWPjljiFa2RoUYI7mcH+mZHLo0dPBNTHHB72eh2NT:qvn62XlaSFNWPjljiFXRoUYIicHBtB
Malware Config
Extracted
family: quasar
version: 1.4.1
tag: Office04
c2: 209.145.59.89:443
mutex: 9d1a4f0d-2ea1-4330-81b0-244a91bf932c
encryption_key: B90D9A43F7C3BF3BBA75403410E571B5F80BA7E1
install_name: winboot.exe
log_directory: Logs
reconnect_delay: 5000
startup_key: UEFI boot
subdirectory: bootufi
The first five values are unlabelled in the extractor output; the field names used here (family, version, tag, c2, mutex) follow the Quasar 1.4 client settings. install_name, subdirectory and startup_key correspond to the dropped file C:\Windows\system32\bootufi\winboot.exe and the scheduled task "UEFI boot" seen in the process tree; c2 is the configured callback host:port.
Signatures
Quasar family
Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2516-1-0x0000000001260000-0x0000000001584000-memory.dmp | family_quasar
  behavioral1/files/0x0008000000015cf1-6.dat | family_quasar
  behavioral1/memory/2452-10-0x0000000001340000-0x0000000001664000-memory.dmp | family_quasar
Executes dropped EXE (1 IoC)
  pid | Process
  2452 | winboot.exe
Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\bootufi\winboot.exe | winboot.exe
  File opened for modification | C:\Windows\system32\bootufi | winboot.exe
  File created | C:\Windows\system32\bootufi\winboot.exe | nj.exe
  File opened for modification | C:\Windows\system32\bootufi\winboot.exe | nj.exe
  File opened for modification | C:\Windows\system32\bootufi | nj.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1776 | schtasks.exe
  1332 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2516 | nj.exe
  Token: SeDebugPrivilege | 2452 | winboot.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2516 wrote to memory of 1776 | 2516 | nj.exe | 30
  PID 2516 wrote to memory of 1776 | 2516 | nj.exe | 30
  PID 2516 wrote to memory of 1776 | 2516 | nj.exe | 30
  PID 2516 wrote to memory of 2452 | 2516 | nj.exe | 32
  PID 2516 wrote to memory of 2452 | 2516 | nj.exe | 32
  PID 2516 wrote to memory of 2452 | 2516 | nj.exe | 32
  PID 2452 wrote to memory of 1332 | 2452 | winboot.exe | 33
  PID 2452 wrote to memory of 1332 | 2452 | winboot.exe | 33
  PID 2452 wrote to memory of 1332 | 2452 | winboot.exe | 33
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\nj.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\nj.exe"
  PID: 2516
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\schtasks.exe (depth 2)
    command line: "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
    PID: 1776
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\bootufi\winboot.exe (depth 2)
    command line: "C:\Windows\system32\bootufi\winboot.exe"
    PID: 2452
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (depth 3)
      command line: "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
      PID: 1332
      - Scheduled Task/Job: Scheduled Task
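The two schtasks invocations in the process tree (logon trigger, highest run level, action pointing at a binary planted under System32\bootufi, the dropped copy re-registering its own task) are what the "Scheduled Task/Job" signature is keying on. The following Python is an added example, not part of the sandbox report and not Quasar code: it parses schtasks /create command lines out of process-creation records and scores the persistence indicators seen here. The records are constructed; the schtasks command line and image paths are copied from the report's process tree, the third record is a made-up benign task, and the one-point-per-indicator scoring, the user-writable path list and the firmware-themed word list are my assumptions.

```python
"""Score schtasks /create invocations for persistence indicators.

Added example, not from the sandbox report or the Quasar project. The event
shape (pid, ppid, parent image, command line) mimics a Sysmon process-creation
record; the sample records below are constructed, with the schtasks command
line and image paths copied from the report's process tree.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# One quoted string or one run of non-whitespace per token; backslashes are
# not escape characters on Windows command lines, so shlex is avoided.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Executable placed in a subfolder of System32 (System32\<dir>\file), which is
# where this sample installs itself as bootufi\winboot.exe.
SYSTEM32_SUBDIR_RE = re.compile(r"\\windows\\system32\\[^\\]+\\", re.IGNORECASE)
# Locations a standard user can write to (assumption: minimal list).
USER_WRITABLE_RE = re.compile(r"\\(users|appdata|temp|programdata)\\", re.IGNORECASE)
# Firmware-themed words used to make a task look like a boot component
# (assumption: small heuristic list, tune for your environment).
LOOKALIKE_WORDS = ("uefi", "bios", "boot", "firmware")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    command_line: str


@dataclass
class Finding:
    pid: int
    task_name: str
    action: str
    score: int
    reasons: List[str]


def parse_schtasks(command_line: str) -> Optional[Dict[str, Union[str, bool]]]:
    """Return {option: value} for a schtasks /create command line, or None if
    the line is not a schtasks task creation. Flags without a value (/create,
    /f) map to True; option names are lower-cased."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(command_line)]
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe"):
        return None
    opts: Dict[str, Union[str, bool]] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[key] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts if "create" in opts else None


def assess(event: ProcEvent) -> Optional[Finding]:
    """Score one process-creation event; each indicator adds one point."""
    opts = parse_schtasks(event.command_line)
    if opts is None:
        return None
    name = str(opts.get("tn", ""))
    action = str(opts.get("tr", ""))
    reasons: List[str] = []
    if str(opts.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
        reasons.append("trigger fires at logon or boot")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if str(opts.get("ru", "")).upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    if SYSTEM32_SUBDIR_RE.search(action):
        reasons.append("action is an executable planted in a System32 subfolder")
    if USER_WRITABLE_RE.search(event.parent_image):
        reasons.append("task created by a binary in a user-writable location")
    if action and action.lower() == event.parent_image.lower():
        reasons.append("task action is the creating process itself")
    if any(w in name.lower() for w in LOOKALIKE_WORDS):
        reasons.append("task name imitates a firmware or boot component")
    return Finding(event.pid, name, action, len(reasons), reasons)


def triage(events: List[ProcEvent], threshold: int = 3) -> List[Finding]:
    """Findings at or above the threshold, highest score first."""
    found = [f for f in map(assess, events) if f is not None and f.score >= threshold]
    return sorted(found, key=lambda f: f.score, reverse=True)


# Constructed records. The first two mirror the report's tree (nj.exe and the
# dropped winboot.exe each spawning schtasks); the third is a made-up benign task.
SAMPLE_EVENTS = [
    ProcEvent(1776, 2516, r"C:\Users\Admin\AppData\Local\Temp\nj.exe",
              r'"schtasks" /create /tn "UEFI boot" /sc ONLOGON '
              r'/tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f'),
    ProcEvent(1332, 2452, r"C:\Windows\system32\bootufi\winboot.exe",
              r'"schtasks" /create /tn "UEFI boot" /sc ONLOGON '
              r'/tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f'),
    ProcEvent(4100, 900, r"C:\Windows\System32\cmd.exe",
              r'schtasks /create /tn "Backup\Nightly" /sc DAILY /st 02:00 '
              r'/tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid}: task {f.task_name!r} -> {f.action} (score {f.score})")
        for r in f.reasons:
            print("   -", r)
```

Both sandbox events score 5 and the benign task scores 0. The System32-subfolder check will also fire on legitimate nested paths such as WindowsPowerShell\v1.0\powershell.exe, so pair it with an allow-list before alerting on it alone. On a suspect host the same task can be confirmed directly with `schtasks /query /tn "UEFI boot" /v /fo LIST` and the dropped file compared against the SHA256 listed in this report.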
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: fd683344e5fc0a2dc8693f32ff45bf1f
SHA1: 285fbe54593c2d616caecbaba986ba15cc4972ab
SHA256: 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e
SHA512: b272fe1b94e5b8a55167956d7baf1795fc1fc638cb8af12268bfc40c05a6f8dc22bbf06feb0e5c315ed327b60c6e14c11586d569612c8742ceb27f66c04caa79