Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 06:44
Behavioral task
behavioral1
Sample
Client-builtlocal.exe
Resource
win7-20240903-en
General
-
Target
Client-builtlocal.exe
-
Size
3.1MB
-
MD5
02130800d200407967cb08abbb0aeefe
-
SHA1
6df9a3b4879c3d34b51826bd1d9ad0f64c93d11e
-
SHA256
8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592
-
SHA512
dccf995ac63f9386c909608bd948fe41b64aae9df87c6db2cf158de933dd3d8eaabd3215da98911d51af48fab71b992ea72eed3d807c4ebe0d6ef9927c78a84d
-
SSDEEP
49152:nvrlL26AaNeWgPhlmVqvMQ7XSKvgEcqBxZCoGdYTHHB72eh2NT:nvRL26AaNeWgPhlmVqkQ7XSKHcd
Malware Config
Extracted
quasar
1.4.1
Office04
suport24.ddns.net:4782
192.168.1.74:4782
b4ad83f8-b608-477d-8395-2274bcaab6d1
-
encryption_key
62EF51244AF3535A6A9C77206CD89D5BFECD7E4E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/1700-1-0x0000000000D40000-0x0000000001064000-memory.dmp family_quasar behavioral2/files/0x000b000000023b98-6.dat family_quasar -
Executes dropped EXE 1 IoCs
pid Process 3672 Client.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1700 Client-builtlocal.exe Token: SeDebugPrivilege 3672 Client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3672 Client.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1700 wrote to memory of 3672 1700 Client-builtlocal.exe 83 PID 1700 wrote to memory of 3672 1700 Client-builtlocal.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-builtlocal.exe"C:\Users\Admin\AppData\Local\Temp\Client-builtlocal.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3672
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD502130800d200407967cb08abbb0aeefe
SHA16df9a3b4879c3d34b51826bd1d9ad0f64c93d11e
SHA2568e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592
SHA512dccf995ac63f9386c909608bd948fe41b64aae9df87c6db2cf158de933dd3d8eaabd3215da98911d51af48fab71b992ea72eed3d807c4ebe0d6ef9927c78a84d