Analysis

max time kernel: 144s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 03:02

Behavioral task: behavioral1
Sample: 854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Resource: win7-20240903-en
General

Target: 854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Size: 3.1MB
MD5: 051bfba0c640694d241f6b3621e241b6
SHA1: a5269b7485203914af50cb932d952c10440878c9
SHA256: 854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09
SHA512: bdfea5dfca423c4d66de1c9f435a1c0403b8615a0b7627fff665876fa2da48e8914cc2961ca9e66b7d32d2bc4004354e5e932297a479fcc90d495327d14577dc
SSDEEP: 49152:AvKgo2QSaNpzyPllgamb0CZof/JDj5RbR4jRoGdMOAuTHHB72eh2NT:Avjo2QSaNpzyPllgamYCZof/JDj5wFc
Malware Config

Extracted
  quasar
  1.4.1
  SGVP
  192.168.1.9:4782
  150.129.206.176:4782
  Ai-Sgvp-33452.portmap.host:33452
  2464c7bf-a165-4397-85fe-def5290750b0
  encryption_key: 09BBDA8FF0524296F02F8F81158F33C0AA74D487
  install_name: User Application Data.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windowns Client Startup
  subdirectory: Quasar
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3052-1-0x0000000000DE0000-0x0000000001104000-memory.dmp    family_quasar
  behavioral1/memory/776-15-0x0000000001050000-0x0000000001374000-memory.dmp    family_quasar

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid    Process
  2624   PING.EXE
  2528   PING.EXE

Runs ping.exe (1 TTPs, 2 IoCs)
  pid    Process
  2624   PING.EXE
  2528   PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2324   schtasks.exe
  1880   schtasks.exe
  484    schtasks.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid    Process
  Token: SeDebugPrivilege  3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
  Token: SeDebugPrivilege  776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
  Token: SeDebugPrivilege  1660   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    Process
  3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
  776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
  1660   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  description                         pid    Process                                                                  procid_target
  PID 3052 wrote to memory of 2324    3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    31
  PID 3052 wrote to memory of 2324    3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    31
  PID 3052 wrote to memory of 2324    3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    31
  PID 3052 wrote to memory of 2744    3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    33
  PID 3052 wrote to memory of 2744    3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    33
  PID 3052 wrote to memory of 2744    3052   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    33
  PID 2744 wrote to memory of 2604    2744   cmd.exe                                                                  35
  PID 2744 wrote to memory of 2604    2744   cmd.exe                                                                  35
  PID 2744 wrote to memory of 2604    2744   cmd.exe                                                                  35
  PID 2744 wrote to memory of 2624    2744   cmd.exe                                                                  36
  PID 2744 wrote to memory of 2624    2744   cmd.exe                                                                  36
  PID 2744 wrote to memory of 2624    2744   cmd.exe                                                                  36
  PID 2744 wrote to memory of 776     2744   cmd.exe                                                                  37
  PID 2744 wrote to memory of 776     2744   cmd.exe                                                                  37
  PID 2744 wrote to memory of 776     2744   cmd.exe                                                                  37
  PID 776 wrote to memory of 1880     776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    38
  PID 776 wrote to memory of 1880     776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    38
  PID 776 wrote to memory of 1880     776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    38
  PID 776 wrote to memory of 2268     776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    40
  PID 776 wrote to memory of 2268     776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    40
  PID 776 wrote to memory of 2268     776    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    40
  PID 2268 wrote to memory of 2100    2268   cmd.exe                                                                  42
  PID 2268 wrote to memory of 2100    2268   cmd.exe                                                                  42
  PID 2268 wrote to memory of 2100    2268   cmd.exe                                                                  42
  PID 2268 wrote to memory of 2528    2268   cmd.exe                                                                  43
  PID 2268 wrote to memory of 2528    2268   cmd.exe                                                                  43
  PID 2268 wrote to memory of 2528    2268   cmd.exe                                                                  43
  PID 2268 wrote to memory of 1660    2268   cmd.exe                                                                  44
  PID 2268 wrote to memory of 1660    2268   cmd.exe                                                                  44
  PID 2268 wrote to memory of 1660    2268   cmd.exe                                                                  44
  PID 1660 wrote to memory of 484     1660   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    45
  PID 1660 wrote to memory of 484     1660   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    45
  PID 1660 wrote to memory of 484     1660   854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe    45

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(Tree depth is shown by indentation; each entry lists the image path, the command line, the process ID and the signatures that fired on it.)

C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
  PID: 3052
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      PID: 2324
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\OLv5z8ALFq69.bat" "
      PID: 2744
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com
          Command line: chcp 65001
          PID: 2604

        C:\Windows\system32\PING.EXE
          Command line: ping -n 10 localhost
          PID: 2624
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

        C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
          PID: 776
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\schtasks.exe
              Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
              PID: 1880
              - Scheduled Task/Job: Scheduled Task

            C:\Windows\system32\cmd.exe
              Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EKGquT9w1Fmc.bat" "
              PID: 2268
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\chcp.com
                  Command line: chcp 65001
                  PID: 2100

                C:\Windows\system32\PING.EXE
                  Command line: ping -n 10 localhost
                  PID: 2528
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe

                C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
                  PID: 1660
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\schtasks.exe
                      Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
                      PID: 484
                      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 261B
  MD5: 42a4fdeea43e160b3d16c37aa908661b
  SHA1: 7a7fe70bc2953dbcfb4ddf5785604591cb4b5b7c
  SHA256: 520b1b721f2058f1a4fc137f5cb510a56e2d5a6a4e403bede7b7ec0a81a6b6b9
  SHA512: 47dd247c139b6f24819222525fd5d256d27583b73af334230cac581b670b771b7a478c476fe5eebe14e893e613740a21eb60cf749931be5e753eb713e6d74b96

File 2
  Filesize: 261B
  MD5: 4efd182cb0ef4d3a5c2383edc1317691
  SHA1: 202e88339b26c6b6e101f0eb56ec2624f29c5dfd
  SHA256: c4919091c563dd95f08f11aae97680bf147b943d73833b6cd4cd1e7a1b78613b
  SHA512: b7bf6cde9a28a5cdb1ae3f054037738b8903ef16125e2a51b7e62a87f013b5b4c67a31c1ba583a9966df7341ee4fb8c984613b55e2ce520a7fb80be5f7b15a9e