Analysis

max time kernel: 126s
max time network: 136s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 16:07
Behavioral task: behavioral1
Sample: 0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe
Resource: win7-20241010-en
General

Target: 0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe
Size: 3.1MB
MD5: cff3e677b6383632eff6d1b52cd6d277
SHA1: 0936fb4aa7e39f2b56bc1b4c9364bb95e8f0c2a8
SHA256: 0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea
SHA512: ddc33da48cf00e6ee4a57a07a98630082082f5cf76b9c1f844b17ff7f8328f0986a0d95f458947c6ca141a657991b31c608d9b3a9bdc83428ee53e55a34c2e61
SSDEEP: 49152:6vht62XlaSFNWPjljiFa2RoUYIz0HxNESEqk/iGLoGd1THHB72eh2NT:6vL62XlaSFNWPjljiFXRoUYI4HxlI
Malware Config

Extracted: quasar
version: 1.4.1
tag: Office04 (Quasar's "tag" field; Office04 is the builder's default value)
c2: 73.62.14.5:4782 (4782 is Quasar's default listener port)
mutex: 3aaa11be-d135-4877-a61e-c409c29a7a60
encryption_key: BC9162791FD860195CF75664AE64885B64D5B5CE
install_name: Client1.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnect attempts to the C2)
startup_key: Startup
subdirectory: SubDir

The install_name, subdirectory and startup_key values line up with the behaviour recorded in the process tree below: the sample is copied to C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe and registered under a scheduled task named "Startup". The C2 address and port, the mutex GUID and the install path are the indicators worth pushing to network and endpoint controls.
Signatures

Quasar family

Quasar payload (3 IoCs)
resource                                                                       yara_rule
behavioral1/memory/620-1-0x0000000000380000-0x00000000006A4000-memory.dmp      family_quasar
behavioral1/files/0x0008000000016dbc-6.dat                                     family_quasar
behavioral1/memory/1940-10-0x0000000000170000-0x0000000000494000-memory.dmp    family_quasar

Both memory regions are 0x324000 bytes long, which matches the 3.1MB sample mapped as an image once in the original process (PID 620) and once in the dropped copy (PID 1940); the third hit is the dropped file itself.

Executes dropped EXE (1 IoC)
pid     Process
1940    Client1.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid     Process
3008    schtasks.exe
2788    schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid     Process
Token: SeDebugPrivilege   620     0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe
Token: SeDebugPrivilege   1940    Client1.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid     Process
1940    Client1.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid     Process
1940    Client1.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid     Process
1940    Client1.exe

A SetWindowsHookEx call from the installed copy is consistent with Quasar's keylogger registering a global keyboard hook; the tray-window and SendNotifyMessage calls on their own are common to many .NET GUI applications and carry little weight by themselves.

Suspicious use of WriteProcessMemory (9 IoCs)
description                         pid     Process                                                                   procid_target
PID 620 wrote to memory of 3008     620     0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe     30
PID 620 wrote to memory of 3008     620     0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe     30
PID 620 wrote to memory of 3008     620     0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe     30
PID 620 wrote to memory of 1940     620     0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe     32
PID 620 wrote to memory of 1940     620     0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe     32
PID 620 wrote to memory of 1940     620     0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe     32
PID 1940 wrote to memory of 2788    1940    Client1.exe                                                               33
PID 1940 wrote to memory of 2788    1940    Client1.exe                                                               33
PID 1940 wrote to memory of 2788    1940    Client1.exe                                                               33

Every write target here is a direct child of the writing process in the tree below (620 -> 3008, 620 -> 1940, 1940 -> 2788). That is the pattern of ordinary process creation, not of injection into an unrelated process, so this signature should be read together with the process tree rather than on its own.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe  (PID 620)
  command line: "C:\Users\Admin\AppData\Local\Temp\0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe  (PID 3008, child of 620)
    command line: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe  (PID 1940, child of 620)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  (PID 2788, child of 1940)
      command line: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

Both the original sample and the dropped copy register the same task: /tn "Startup" (the config's startup_key), /sc ONLOGON (run at logon), /tr pointing at the install path (subdirectory plus install_name), /rl HIGHEST (run with the highest privileges available to the creating user) and /f (replace an existing task of that name without prompting). The second schtasks run from Client1.exe re-asserts the same persistence from the installed copy; it does not add a second task.
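The persistence command above is easy to catch from process-creation telemetry. The following Python is an added example written for this page, not code from the sandbox, from Quasar or from any vendor: it parses schtasks command lines and flags a /create that combines an unattended trigger or /rl HIGHEST with a task action or a creating process under a user-writable directory. The records are constructed inline; their field names are assumed to mirror Sysmon Event ID 1 (ProcessId, ParentImage, CommandLine), the first two reuse the PIDs, images and command lines from this report, and the two benign controls (an "ExampleVendor" updater and a cmd.exe run) are invented.

```python
"""Flag schtasks.exe persistence like the one in this report from process-creation records."""
import re
from dataclasses import dataclass

# Triggers that fire with no user interaction; the ones persistence favours.
PERSISTENCE_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY", "DAILY"}

# Path components a standard user can write to. A task action (or a creator)
# living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    task_name: str
    trigger: str
    action: str
    run_level: str
    reasons: list


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str):
    """Return {switch: value} for a schtasks command line, or None if it is not schtasks.

    Switch names are lower-cased without the slash; value-less switches map to True.
    """
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]      # "schtasks", schtasks.exe or a full path
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    switches, i = {}, 1
    while i < len(toks):
        if not toks[i].startswith("/"):
            i += 1
            continue
        key = toks[i][1:].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            switches[key] = toks[i + 1]             # switch with a value, e.g. /tr <path>
            i += 2
        else:
            switches[key] = True                    # bare switch, e.g. /f
            i += 1
    return switches


def analyze_event(event: dict):
    """Score one process-creation record; return a Finding or None."""
    sw = parse_schtasks(event["CommandLine"])
    if not sw or "create" not in sw:
        return None
    trigger = str(sw.get("sc", "")).upper()
    action = str(sw.get("tr", ""))
    run_level = str(sw.get("rl", "")).upper()

    location = []
    if USER_WRITABLE.search(action):
        location.append("task action is in a user-writable directory")
    if USER_WRITABLE.search(event["ParentImage"]):
        location.append("schtasks was launched by a binary in a user-writable directory")
    behaviour = []
    if trigger in PERSISTENCE_TRIGGERS:
        behaviour.append(f"trigger {trigger} fires without user interaction")
    if run_level == "HIGHEST":
        behaviour.append("/rl HIGHEST asks for the highest available run level")
    if "f" in sw:
        behaviour.append("/f replaces an existing task of the same name")

    # Require a suspicious location AND a suspicious behaviour so that a vendor
    # updater registering a daily task under Program Files is not flagged.
    if not (location and behaviour):
        return None
    return Finding(int(event["ProcessId"]), str(sw.get("tn", "")), trigger,
                   action, run_level, location + behaviour)


def scan(events):
    """Run analyze_event over a list of records and keep the hits."""
    return [f for f in map(analyze_event, events) if f is not None]


# Constructed records (assumption: Sysmon Event ID 1 field names). The first two
# reuse this report's PIDs, images and command lines; the last two are benign controls.
SAMPLE_EVENTS = [
    {"ProcessId": 3008,
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea.exe",
     "CommandLine": r'"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f'},
    {"ProcessId": 2788,
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe",
     "CommandLine": r'"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f'},
    {"ProcessId": 4100,                                   # invented benign updater
     "ParentImage": r"C:\Program Files\ExampleVendor\setup.exe",
     "CommandLine": r'schtasks.exe /create /tn "ExampleVendor Update" /sc DAILY /st 03:00 /tr "C:\Program Files\ExampleVendor\update.exe" /f'},
    {"ProcessId": 4120,                                   # invented non-schtasks process
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"cmd.exe" /c whoami'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid} created task '{f.task_name}' [{f.trigger}, rl={f.run_level}] -> {f.action}")
        for r in f.reasons:
            print("   -", r)
```

Run as-is it reports PIDs 3008 and 2788 with five reasons each and stays silent on the two controls. The two-part rule (location and behaviour) is the design choice that matters: either half alone would page on ordinary installers, and in a real pipeline the user-writable path list should be extended with whatever staging directories your environment sees abused.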
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: cff3e677b6383632eff6d1b52cd6d277
SHA1: 0936fb4aa7e39f2b56bc1b4c9364bb95e8f0c2a8
SHA256: 0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea
SHA512: ddc33da48cf00e6ee4a57a07a98630082082f5cf76b9c1f844b17ff7f8328f0986a0d95f458947c6ca141a657991b31c608d9b3a9bdc83428ee53e55a34c2e61

The file listed here has the same size and hashes as the submitted sample, consistent with Quasar copying itself unchanged to the install path rather than unpacking a different payload.