Analysis
-
max time kernel
55s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 19:43
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240903-en
General
-
Target
Client-built.exe
-
Size
348KB
-
MD5
492eb44f539caa20141bd7d84783d821
-
SHA1
6586778be19a5a4caf0e29b61cace38467ba7367
-
SHA256
44f270569724153f8cc32905397c86d5b37285b34b1ee0df31cd195b2fa4c74a
-
SHA512
a9e2528e54328cade71762185b221699e32b6c4f48c53562bfe950ee704395d399fdd757b4edb496bfb1b8694c69f6da153ce797c58dd9579d5774a86aed7a8f
-
SSDEEP
6144:xI6bPXhLApfp9CpZPBbinJjNKOOlr7H7PAGm:GmhApUZgnJIvH7PAGm
Malware Config
Extracted
quasar
1.3.0.0
Meedo
2.tcp.eu.ngrok.io:8080
QSR_MUTEX_NQUsVoNfuuCMRLITRA
-
encryption_key
stf5wT9i1WRQevpAlPN0
-
install_name
win.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Runtime
-
subdirectory
Subdir
Signatures
-
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral1/memory/2560-1-0x00000000008A0000-0x00000000008FE000-memory.dmp family_quasar behavioral1/files/0x00090000000174bf-5.dat family_quasar behavioral1/memory/2776-12-0x0000000000C30000-0x0000000000C8E000-memory.dmp family_quasar -
Executes dropped EXE 1 IoCs
pid Process 2776 win.exe -
Loads dropped DLL 1 IoCs
pid Process 2560 Client-built.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 5 2.tcp.eu.ngrok.io -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client-built.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2472 schtasks.exe 2816 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2560 Client-built.exe Token: SeDebugPrivilege 2776 win.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2776 win.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2560 wrote to memory of 2472 2560 Client-built.exe 31 PID 2560 wrote to memory of 2472 2560 Client-built.exe 31 PID 2560 wrote to memory of 2472 2560 Client-built.exe 31 PID 2560 wrote to memory of 2472 2560 Client-built.exe 31 PID 2560 wrote to memory of 2776 2560 Client-built.exe 33 PID 2560 wrote to memory of 2776 2560 Client-built.exe 33 PID 2560 wrote to memory of 2776 2560 Client-built.exe 33 PID 2560 wrote to memory of 2776 2560 Client-built.exe 33 PID 2776 wrote to memory of 2816 2776 win.exe 34 PID 2776 wrote to memory of 2816 2776 win.exe 34 PID 2776 wrote to memory of 2816 2776 win.exe 34 PID 2776 wrote to memory of 2816 2776 win.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2472
-
-
C:\Users\Admin\AppData\Roaming\Subdir\win.exe"C:\Users\Admin\AppData\Roaming\Subdir\win.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Subdir\win.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2816
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD5492eb44f539caa20141bd7d84783d821
SHA16586778be19a5a4caf0e29b61cace38467ba7367
SHA25644f270569724153f8cc32905397c86d5b37285b34b1ee0df31cd195b2fa4c74a
SHA512a9e2528e54328cade71762185b221699e32b6c4f48c53562bfe950ee704395d399fdd757b4edb496bfb1b8694c69f6da153ce797c58dd9579d5774a86aed7a8f