Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-12-2024 07:53
Behavioral task
- behavioral1
  - Sample: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
  - Resource: win7-20240903-en
General
- Target: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
- Size: 341KB
- MD5: b8507ead18b15a807cafd59c14315120
- SHA1: 0035b089f47d010865b1792e1e8b3774e292f710
- SHA256: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ec
- SHA512: 80257e8a53e173cd218bb48c9b7cfad6dddb99234c2babef4b0ae1e219b42e1ef47a4851210aa5ec3a52e82da4412b488142ec4d4345e65fa8e7385eb5b655ce
- SSDEEP: 6144:oLRmi19KZRIo4sY7d+nTzTzTFPsWo2bMmIo7+vfep0:m19KIonkditIoufI0
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: CHAMUTLDA
- C2: xowite7203-56864.portmap.host:56864
- Mutex: QSR_MUTEX_b1MzVBeB2fgsMGAB8R
- encryption_key: A4r7dFvwva7oUnxJWxHI
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: System
- subdirectory: System32
Signatures
- Quasar family
- Quasar payload (3 IoCs)
  - resource: behavioral1/memory/1632-1-0x0000000000370000-0x00000000003CC000-memory.dmp, yara_rule: family_quasar
  - resource: behavioral1/files/0x0008000000018683-4.dat, yara_rule: family_quasar
  - resource: behavioral1/memory/2400-9-0x0000000001080000-0x00000000010DC000-memory.dmp, yara_rule: family_quasar
- Executes dropped EXE (1 IoC)
  - pid: 2400, Process: Client.exe
- Loads dropped DLL (1 IoC)
  - pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow: 2, ioc: ip-api.com
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: schtasks.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: Client.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid: 2012, Process: schtasks.exe
  - pid: 2896, Process: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - description: Token: SeDebugPrivilege, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
  - description: Token: SeDebugPrivilege, pid: 2400, Process: Client.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - description: PID 1632 wrote to memory of 2012, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 31
  - description: PID 1632 wrote to memory of 2012, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 31
  - description: PID 1632 wrote to memory of 2012, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 31
  - description: PID 1632 wrote to memory of 2012, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 31
  - description: PID 1632 wrote to memory of 2400, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 33
  - description: PID 1632 wrote to memory of 2400, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 33
  - description: PID 1632 wrote to memory of 2400, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 33
  - description: PID 1632 wrote to memory of 2400, pid: 1632, Process: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe, procid_target: 33
  - description: PID 2400 wrote to memory of 2896, pid: 2400, Process: Client.exe, procid_target: 34
  - description: PID 2400 wrote to memory of 2896, pid: 2400, Process: Client.exe, procid_target: 34
  - description: PID 2400 wrote to memory of 2896, pid: 2400, Process: Client.exe, procid_target: 34
  - description: PID 2400 wrote to memory of 2896, pid: 2400, Process: Client.exe, procid_target: 34
Processes
- C:\Users\Admin\AppData\Local\Temp\2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe"
  PID: 1632
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe" /rl HIGHEST /f
    PID: 2012
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\System32\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\System32\Client.exe"
    PID: 2400
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\Client.exe" /rl HIGHEST /f
      PID: 2896
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 341KB
- MD5: b8507ead18b15a807cafd59c14315120
- SHA1: 0035b089f47d010865b1792e1e8b3774e292f710
- SHA256: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ec
- SHA512: 80257e8a53e173cd218bb48c9b7cfad6dddb99234c2babef4b0ae1e219b42e1ef47a4851210aa5ec3a52e82da4412b488142ec4d4345e65fa8e7385eb5b655ce