Analysis

  Max time kernel:  149s
  Max time network: 150s
  Platform:         windows7_x64
  Resource:         win7-20240903-en
  Resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  Submitted:        17-12-2024 06:44
Behavioral task: behavioral1

  Sample:   local.exe
  Resource: win7-20240903-en
General

  Target: local.exe
  Size:   3.1MB
  MD5:    ef27ef58c0f84cbcbbc4655dedbf4de0
  SHA1:   2d22660414046a0ed5f9ce19e0aa64fb1942b335
  SHA256: dc4e60715160d270d5b34204c0ef1f947a94d71eccc4b01111bfce0af6debf3b
  SHA512: f703ca5c85d10ae8fc5d5ddc259d034df3845f20a8709eab3eea54fe99d7fec5866cfa406c8d0c1bb475ef00cc4aecbba6b963ab510938a9a768811b11083d9b
  SSDEEP: 49152:rvDI22SsaNYfdPBldt698dBcjHJwRJ6/bR3LoGdkTHHB72eh2NT:rv822SsaNYfdPBldt6+dBcjHJwRJ6R
Malware Config

  Extracted

  Family:  quasar
  Version: 1.4.1
  Botnet:  Office04
  C2:      192.168.1.74:4782
  Mutex:   b4ad83f8-b608-477d-8395-2274bcaab6d1

  Attributes
    encryption_key:  62EF51244AF3535A6A9C77206CD89D5BFECD7E4E
    install_name:    Client.exe
    log_directory:   Logs
    reconnect_delay: 3000
    startup_key:     Quasar Client Startup
    subdirectory:    SubDir
Signatures

  Quasar family

  Quasar payload (3 IoCs)
    resource                                                                  yara_rule
    behavioral1/memory/2516-1-0x0000000000070000-0x0000000000394000-memory.dmp   family_quasar
    behavioral1/files/0x0008000000015cc0-6.dat                                   family_quasar
    behavioral1/memory/656-10-0x0000000001230000-0x0000000001554000-memory.dmp   family_quasar

  Executes dropped EXE (1 IoC)
    pid   Process
    656   Client.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                pid    Process
    Token: SeDebugPrivilege    2516   local.exe
    Token: SeDebugPrivilege    656    Client.exe

  Suspicious use of SetWindowsHookEx (1 IoC)
    pid   Process
    656   Client.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid    Process     procid_target
    PID 2516 wrote to memory of 656    2516   local.exe   30
    PID 2516 wrote to memory of 656    2516   local.exe   30
    PID 2516 wrote to memory of 656    2516   local.exe   30
Processes

  1. C:\Users\Admin\AppData\Local\Temp\local.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\local.exe"
     PID: 2516
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        PID: 656
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 3.1MB
  MD5:      ef27ef58c0f84cbcbbc4655dedbf4de0
  SHA1:     2d22660414046a0ed5f9ce19e0aa64fb1942b335
  SHA256:   dc4e60715160d270d5b34204c0ef1f947a94d71eccc4b01111bfce0af6debf3b
  SHA512:   f703ca5c85d10ae8fc5d5ddc259d034df3845f20a8709eab3eea54fe99d7fec5866cfa406c8d0c1bb475ef00cc4aecbba6b963ab510938a9a768811b11083d9b