Analysis
  max time kernel: 148s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-12-2024 03:26
Behavioral task: behavioral1
  Sample: d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
  Resource: win7-20240729-en
General
  Target: d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
  Size: 3.1MB
  MD5: f611f4dd12e51ca7a946f308ebd5e04c
  SHA1: 2f7d049ec2b3ae6a8113b499d92ebc117eed890c
  SHA256: d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73
  SHA512: 7057884406612bff108f1e315efacf83a99f1ec725b4496e737a57938b67edf5f23476b8f99395ec9f8ba355a68779fd5a2668b9caf0ca32b8862529eb413b83
  SSDEEP: 49152:rvuz92YpaQI6oPZlhP3ReybewozV+vJH4RoGdeJYTHHB72eh2NT:rv092YpaQI6oPZlhP3YybewozV+e
Malware Config
Extracted
  Family: quasar
  Version: 1.4.1
  Botnet: SGVP
  C2:
    192.168.1.9:4782
    150.129.206.176:4782
    Ai-Sgvp-33452.portmap.host:33452
  Mutex: a27420c6-f346-4b84-b7bd-6b3eab5a43cb
  Attributes:
    encryption_key: 09BBDA8FF0524296F02F8F81158F33C0AA74D487
    install_name: User Application Data.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Windowns Client Startup
    subdirectory: Quasar
Signatures

- Quasar family

- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1476-1-0x0000000000EB0000-0x00000000011D4000-memory.dmp | family_quasar
  behavioral2/files/0x0007000000023cb1-6.dat | family_quasar

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | User Application Data.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | User Application Data.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  3944 | User Application Data.exe
  3964 | User Application Data.exe
  4368 | User Application Data.exe

- Drops file in System32 directory (9 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\Quasar\User Application Data.exe | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
  File opened for modification | C:\Windows\system32\Quasar | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
  File opened for modification | C:\Windows\system32\Quasar | User Application Data.exe
  File opened for modification | C:\Windows\system32\Quasar\User Application Data.exe | User Application Data.exe
  File opened for modification | C:\Windows\system32\Quasar | User Application Data.exe
  File created | C:\Windows\system32\Quasar\User Application Data.exe | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
  File opened for modification | C:\Windows\system32\Quasar\User Application Data.exe | User Application Data.exe
  File opened for modification | C:\Windows\system32\Quasar | User Application Data.exe
  File opened for modification | C:\Windows\system32\Quasar\User Application Data.exe | User Application Data.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1628 | PING.EXE
  4968 | PING.EXE

- Runs ping.exe (1 TTPs, 2 IoCs)
  pid | Process
  1628 | PING.EXE
  4968 | PING.EXE

- Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3644 | schtasks.exe
  1040 | schtasks.exe
  1548 | schtasks.exe
  4264 | schtasks.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1476 | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
  Token: SeDebugPrivilege | 3944 | User Application Data.exe
  Token: SeDebugPrivilege | 3964 | User Application Data.exe
  Token: SeDebugPrivilege | 4368 | User Application Data.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  3944 | User Application Data.exe
  3964 | User Application Data.exe
  4368 | User Application Data.exe

- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 1476 wrote to memory of 3644 | 1476 | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe | 83
  PID 1476 wrote to memory of 3644 | 1476 | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe | 83
  PID 1476 wrote to memory of 3944 | 1476 | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe | 85
  PID 1476 wrote to memory of 3944 | 1476 | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe | 85
  PID 3944 wrote to memory of 1040 | 3944 | User Application Data.exe | 86
  PID 3944 wrote to memory of 1040 | 3944 | User Application Data.exe | 86
  PID 3944 wrote to memory of 3172 | 3944 | User Application Data.exe | 106
  PID 3944 wrote to memory of 3172 | 3944 | User Application Data.exe | 106
  PID 3172 wrote to memory of 1004 | 3172 | cmd.exe | 108
  PID 3172 wrote to memory of 1004 | 3172 | cmd.exe | 108
  PID 3172 wrote to memory of 1628 | 3172 | cmd.exe | 109
  PID 3172 wrote to memory of 1628 | 3172 | cmd.exe | 109
  PID 3172 wrote to memory of 3964 | 3172 | cmd.exe | 112
  PID 3172 wrote to memory of 3964 | 3172 | cmd.exe | 112
  PID 3964 wrote to memory of 1548 | 3964 | User Application Data.exe | 113
  PID 3964 wrote to memory of 1548 | 3964 | User Application Data.exe | 113
  PID 3964 wrote to memory of 3608 | 3964 | User Application Data.exe | 116
  PID 3964 wrote to memory of 3608 | 3964 | User Application Data.exe | 116
  PID 3608 wrote to memory of 3936 | 3608 | cmd.exe | 118
  PID 3608 wrote to memory of 3936 | 3608 | cmd.exe | 118
  PID 3608 wrote to memory of 4968 | 3608 | cmd.exe | 119
  PID 3608 wrote to memory of 4968 | 3608 | cmd.exe | 119
  PID 3608 wrote to memory of 4368 | 3608 | cmd.exe | 121
  PID 3608 wrote to memory of 4368 | 3608 | cmd.exe | 121
  PID 4368 wrote to memory of 4264 | 4368 | User Application Data.exe | 122
  PID 4368 wrote to memory of 4264 | 4368 | User Application Data.exe | 122

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; nesting shows parent/child relationships)

- C:\Users\Admin\AppData\Local\Temp\d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe"
  PID: 1476
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
    PID: 3644
    Signatures: Scheduled Task/Job: Scheduled Task

  - C:\Windows\system32\Quasar\User Application Data.exe
    Command line: "C:\Windows\system32\Quasar\User Application Data.exe"
    PID: 3944
    Signatures: Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      PID: 1040
      Signatures: Scheduled Task/Job: Scheduled Task

    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiJwtPvwdg68.bat" "
      PID: 3172
      Signatures: Suspicious use of WriteProcessMemory

      - C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 1004

      - C:\Windows\system32\PING.EXE
        Command line: ping -n 10 localhost
        PID: 1628
        Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      - C:\Windows\system32\Quasar\User Application Data.exe
        Command line: "C:\Windows\system32\Quasar\User Application Data.exe"
        PID: 3964
        Signatures: Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        - C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
          PID: 1548
          Signatures: Scheduled Task/Job: Scheduled Task

        - C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gN4Uxy3CGPAl.bat" "
          PID: 3608
          Signatures: Suspicious use of WriteProcessMemory

          - C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 3936

          - C:\Windows\system32\PING.EXE
            Command line: ping -n 10 localhost
            PID: 4968
            Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

          - C:\Windows\system32\Quasar\User Application Data.exe
            Command line: "C:\Windows\system32\Quasar\User Application Data.exe"
            PID: 4368
            Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

            - C:\Windows\SYSTEM32\schtasks.exe
              Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
              PID: 4264
              Signatures: Scheduled Task/Job: Scheduled Task
MITRE ATT&CK Enterprise v15
Downloads