Analysis

max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 02:28
Behavioral task: behavioral1
Sample: 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe
Resource: win7-20241010-en
General

Target: 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe
Size: 3.1MB
MD5: fd683344e5fc0a2dc8693f32ff45bf1f
SHA1: 285fbe54593c2d616caecbaba986ba15cc4972ab
SHA256: 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e
SHA512: b272fe1b94e5b8a55167956d7baf1795fc1fc638cb8af12268bfc40c05a6f8dc22bbf06feb0e5c315ed327b60c6e14c11586d569612c8742ceb27f66c04caa79
SSDEEP: 49152:qvVt62XlaSFNWPjljiFa2RoUYI7mcH+mZHLo0dPBNTHHB72eh2NT:qvn62XlaSFNWPjljiFXRoUYIicHBtB
Malware Config

Extracted

Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 209.145.59.89:443
Mutex: 9d1a4f0d-2ea1-4330-81b0-244a91bf932c
Attributes:
  encryption_key: B90D9A43F7C3BF3BBA75403410E571B5F80BA7E1
  install_name: winboot.exe
  log_directory: Logs
  reconnect_delay: 5000
  startup_key: UEFI boot
  subdirectory: bootufi
Signatures

Quasar family

Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1712-1-0x0000000000050000-0x0000000000374000-memory.dmp | family_quasar
  behavioral1/files/0x0009000000016cc9-6.dat | family_quasar
  behavioral1/memory/2360-9-0x0000000001140000-0x0000000001464000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
  pid | Process
  2360 | winboot.exe

Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\bootufi\winboot.exe | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe
  File opened for modification | C:\Windows\system32\bootufi\winboot.exe | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe
  File opened for modification | C:\Windows\system32\bootufi | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe
  File opened for modification | C:\Windows\system32\bootufi\winboot.exe | winboot.exe
  File opened for modification | C:\Windows\system32\bootufi | winboot.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  484 | schtasks.exe
  2776 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1712 | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe
  Token: SeDebugPrivilege | 2360 | winboot.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1712 wrote to memory of 484 | 1712 | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe | 31
  PID 1712 wrote to memory of 484 | 1712 | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe | 31
  PID 1712 wrote to memory of 484 | 1712 | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe | 31
  PID 1712 wrote to memory of 2360 | 1712 | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe | 33
  PID 1712 wrote to memory of 2360 | 1712 | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe | 33
  PID 1712 wrote to memory of 2360 | 1712 | 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe | 33
  PID 2360 wrote to memory of 2776 | 2360 | winboot.exe | 34
  PID 2360 wrote to memory of 2776 | 2360 | winboot.exe | 34
  PID 2360 wrote to memory of 2776 | 2360 | winboot.exe | 34

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e.exe"
  PID: 1712
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
    PID: 484
    - Scheduled Task/Job: Scheduled Task

  - C:\Windows\system32\bootufi\winboot.exe
    Command line: "C:\Windows\system32\bootufi\winboot.exe"
    PID: 2360
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
      PID: 2776
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: fd683344e5fc0a2dc8693f32ff45bf1f
SHA1: 285fbe54593c2d616caecbaba986ba15cc4972ab
SHA256: 4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e
SHA512: b272fe1b94e5b8a55167956d7baf1795fc1fc638cb8af12268bfc40c05a6f8dc22bbf06feb0e5c315ed327b60c6e14c11586d569612c8742ceb27f66c04caa79