Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 07:53
Behavioral task: behavioral1
- Sample: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
- Resource: win7-20240903-en
General
- Target: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
- Size: 341KB
- MD5: b8507ead18b15a807cafd59c14315120
- SHA1: 0035b089f47d010865b1792e1e8b3774e292f710
- SHA256: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ec
- SHA512: 80257e8a53e173cd218bb48c9b7cfad6dddb99234c2babef4b0ae1e219b42e1ef47a4851210aa5ec3a52e82da4412b488142ec4d4345e65fa8e7385eb5b655ce
- SSDEEP: 6144:oLRmi19KZRIo4sY7d+nTzTzTFPsWo2bMmIo7+vfep0:m19KIonkditIoufI0
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: CHAMUTLDA
- C2: xowite7203-56864.portmap.host:56864
- Mutex: QSR_MUTEX_b1MzVBeB2fgsMGAB8R
- encryption_key: A4r7dFvwva7oUnxJWxHI
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: System
- subdirectory: System32
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1436-1-0x0000000000940000-0x000000000099C000-memory.dmp | family_quasar
  behavioral2/files/0x000a000000023b66-10.dat | family_quasar
- Executes dropped EXE (1 IoCs)
  pid | Process
  244 | Client.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7 | ip-api.com
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4580 | schtasks.exe
  1068 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1436 | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
  Token: SeDebugPrivilege | 244 | Client.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1436 wrote to memory of 4580 | 1436 | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe | 84
  PID 1436 wrote to memory of 4580 | 1436 | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe | 84
  PID 1436 wrote to memory of 4580 | 1436 | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe | 84
  PID 1436 wrote to memory of 244 | 1436 | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe | 86
  PID 1436 wrote to memory of 244 | 1436 | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe | 86
  PID 1436 wrote to memory of 244 | 1436 | 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe | 86
  PID 244 wrote to memory of 1068 | 244 | Client.exe | 88
  PID 244 wrote to memory of 1068 | 244 | Client.exe | 88
  PID 244 wrote to memory of 1068 | 244 | Client.exe | 88
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1436
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ecN.exe" /rl HIGHEST /f
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 4580
  - [2] C:\Users\Admin\AppData\Roaming\System32\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\System32\Client.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 244
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\Client.exe" /rl HIGHEST /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 1068
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 341KB
- MD5: b8507ead18b15a807cafd59c14315120
- SHA1: 0035b089f47d010865b1792e1e8b3774e292f710
- SHA256: 2eda48729dc77cb35b9e5cabda7a63c0daf839df13d4047c70b8dbfa288963ec
- SHA512: 80257e8a53e173cd218bb48c9b7cfad6dddb99234c2babef4b0ae1e219b42e1ef47a4851210aa5ec3a52e82da4412b488142ec4d4345e65fa8e7385eb5b655ce