Analysis

max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 23:27

Static task: static1
Behavioral task: behavioral1
Sample: Crunchyroll GEN_.exe
Resource: win7-20240903-en
General

Target: Crunchyroll GEN_.exe
Size: 3.1MB
MD5: 697aba2b3c2bc4028ad287b364101483
SHA1: 4024c8f79c0e99f520ee4bbba87fef93e688ab97
SHA256: f65322422149c55e52509d96d6050a36618fd48379b65e340882c5b770370412
SHA512: b231d37d4df57cfe36275f8f1ed2e106dbf6619b295eabcc73518cf016c50860142c28697ac6a4d61973685fd28e37460493da27f153c130df440d1c2a28b5f0
SSDEEP: 49152:65tesQb25VTAQ3wv9qspqyyDuVQFKCAdkuwiIak0LfNshLq:6PesQbUVcQAv9IzGKAdkoIhL
Malware Config

Extracted
family: quasar
version: 1.4.1
tag: testTSR
c2: testTSR-35311.portmap.host:35311
mutex: b1c1e27b-0ae6-47f6-b162-8a3ca61fd7d0
encryption_key: 3E520C89AF59AB576F107D67332A341C23090C0B
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds)
startup_key: Quasar Client Startup
subdirectory: SubDir

The C2 host is a portmap.host name: that is a public port-forwarding service, so the address resolves to the service's relay rather than to the operator's own machine, and blocking or pivoting on it should be done at the hostname level. The startup_key, subdirectory and install_name fields line up with the scheduled task and install path seen in the process tree below (task "Quasar Client Startup" running C:\Users\Admin\AppData\Roaming\SubDir\Client.exe).
Signatures

Quasar family

Quasar payload (3 IoCs)
  behavioral1/files/0x0007000000012119-2.dat  yara rule: family_quasar
  behavioral1/memory/1936-8-0x0000000000D00000-0x0000000001024000-memory.dmp  yara rule: family_quasar
  behavioral1/memory/2744-14-0x0000000000BA0000-0x0000000000EC4000-memory.dmp  yara rule: family_quasar
  The rule fires on the dropped file and on the memory of both the dropped client.exe (PID 1936) and the installed copy Client.exe (PID 2744).

Executes dropped EXE (2 IoCs)
  PID 1936  client.exe
  PID 2744  Client.exe

Loads dropped DLL (1 IoC)
  PID 1928  Crunchyroll GEN_.exe

Obfuscated Files or Information: Command Obfuscation (1 TTP)
  Adversaries may obfuscate content during command execution to impede detection. Here the dropper launches powershell.exe with -EncodedCommand; the decoded script is padded with <#...#> block comments, which change the encoded string without changing what runs.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Crunchyroll GEN_.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Reads of this key by powershell.exe are routine at startup and carry little weight on their own.

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Both invocations here register the same ONLOGON task, "Quasar Client Startup" (the config's startup_key), with /rl HIGHEST and /f, pointing at the installed copy C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (the config's subdirectory and install_name). The second run, from the installed copy, re-registers the task after installation.
  PID 2688  schtasks.exe
  PID 2848  schtasks.exe
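The schtasks line recorded for PIDs 2688 and 2848 is the persistence mechanism, and its shape (logon trigger, highest run level, action under a user-writable directory, /f) is what a detection should key on rather than the task name alone. The following Python is an added example, not part of this report or of any tool it names: it parses a `schtasks /create` command line and returns the findings for each of those properties. The first sample command line is a copy of the report's; the second is a constructed benign contrast.

```python
"""Triage `schtasks /create` command lines for persistence patterns.

Added example, not part of the sandbox report. The first sample line is a
copy of the report's schtasks command; the second is a constructed benign
contrast.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_COMMAND_LINES = [
    # Copied from the report's process tree (PIDs 2688 and 2848 run the same line).
    '"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
    # Constructed contrast: daily task, vendor path under Program Files, no run level.
    '"schtasks" /create /tn "Vendor Update Task" /sc DAILY /st 12:00 '
    '/tr "C:\\Program Files (x86)\\Vendor\\update.exe"',
]

# A quoted token keeps its inner text; an unquoted token runs to whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Switches that consume the following token as their value.
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/st", "/ru", "/rp", "/mo", "/d", "/xml"}
# Directories an unprivileged user can write to; persistence actions here are suspect.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Roaming|Local)|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE
)
BOOT_OR_LOGON = {"ONLOGON", "ONSTART"}


@dataclass
class ScheduledTask:
    name: str
    schedule: str
    action: str
    run_level: str
    force: bool
    findings: list = field(default_factory=list)


def tokenize(cmdline: str) -> list:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[ScheduledTask]:
    """Return the task described by a `schtasks /create` line, or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks or "schtasks" not in toks[0].lower():
        return None
    opts = {}
    i = 1
    while i < len(toks):
        switch = toks[i].lower()
        if switch in VALUE_SWITCHES and i + 1 < len(toks):
            opts[switch] = toks[i + 1]
            i += 2
        else:
            opts[switch] = True
            i += 1
    if "/create" not in opts:
        return None
    return ScheduledTask(
        name=str(opts.get("/tn", "")),
        schedule=str(opts.get("/sc", "")).upper(),
        action=str(opts.get("/tr", "")),
        run_level=str(opts.get("/rl", "")).upper(),
        force="/f" in opts,
    )


def triage(task: ScheduledTask) -> list:
    """Attach human-readable findings; an empty list means nothing stood out."""
    findings = []
    if task.schedule in BOOT_OR_LOGON:
        findings.append(f"triggers at {task.schedule}: survives reboot and logoff")
    if task.run_level == "HIGHEST":
        findings.append("/rl HIGHEST: runs with the highest integrity the user can get")
    if USER_WRITABLE.search(task.action):
        findings.append("action lives in a user-writable directory")
    if task.force:
        findings.append("/f: silently replaces an existing task of the same name")
    task.findings = findings
    return findings


def triage_all(cmdlines) -> dict:
    """Map task name -> findings for every `schtasks /create` line in the input."""
    results = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None:
            results[task.name] = triage(task)
    return results


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_COMMAND_LINES).items():
        print(name, "->", findings or "nothing stood out")
```

The report's line produces all four findings; the contrast line produces none. Creation through the Task Scheduler COM API (also flagged in this report) leaves no schtasks.exe command line at all, so a process-creation rule like this one needs a companion source such as task-registration events or the Tasks folder on disk.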
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2300  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 2300  powershell.exe
  Token: SeDebugPrivilege  PID 1936  client.exe
  Token: SeDebugPrivilege  PID 2744  Client.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2744  Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
  PID 2744  Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2744  Client.exe
  Consistent with Quasar's keylogger, which installs a low-level keyboard hook; only the installed copy exhibits it.

Suspicious use of WriteProcessMemory (17 IoCs)
  source PID  source process        -> target PID  target process   (procid_target)  calls
  1928        Crunchyroll GEN_.exe  -> 2300        powershell.exe   (30)             4
  1928        Crunchyroll GEN_.exe  -> 1936        client.exe       (32)             4
  1936        client.exe            -> 2688        schtasks.exe     (33)             3
  1936        client.exe            -> 2744        Client.exe       (35)             3
  2744        Client.exe            -> 2848        schtasks.exe     (36)             3
  Every write targets a process the writer itself just created, which is the pattern of ordinary child-process startup rather than injection into an unrelated process.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Crunchyroll GEN_.exe  (PID 1928)
  command line: "C:\Users\Admin\AppData\Local\Temp\Crunchyroll GEN_.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2300, child of 1928)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAeQB1ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAZwBhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZwBlAG4AZQByAGEAdABpAG8AbgAgAG4AbwB0ACAAYQBsAGwAbwB3AGUAZAAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAaQBhAGMAIwA+AA=="
    decoded (base64 of UTF-16LE): <#cyu#>Add-Type -AssemblyName System.Windows.Forms;<#sga#>[System.Windows.Forms.MessageBox]::Show('generation not allowed','','OK','Error')<#iac#>
    The script only shows a decoy "generation not allowed" error dialog, matching the lure name of the sample, while the dropped client.exe continues. The <#...#> block comments are filler that alters the encoded string without altering behaviour. The image path is SysWOW64 although the command line names System32 because the 32-bit parent is subject to WOW64 file-system redirection.
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\client.exe  (PID 1936, child of 1928)
    command line: "C:\Users\Admin\AppData\Local\Temp\client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  (PID 2688, child of 1936)
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  (PID 2744, child of 1936)
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      This is the installed copy: the dropped client.exe copies itself to the config's subdirectory under %APPDATA% with the config's install_name and launches it.
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe  (PID 2848, child of 2744)
        command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
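The powershell.exe entry above (PID 2300) and the Command Obfuscation signature both turn on the same detail: -EncodedCommand carries base64 of UTF-16LE text, and the script inside it is padded with <#...#> block comments. The following Python is an added example, not part of this report or of any tool it names: it pulls the encoded argument out of a command line, decodes it the way PowerShell does, strips the comment chaff, and reports whether the comments look like padding rather than documentation. The command line it analyses is a constructed copy of the report's.

```python
"""Decode a PowerShell -EncodedCommand and strip <# ... #> comment chaff.

Added example; not part of the sandbox report or of any tool it names.
SAMPLE_CMDLINE is a constructed copy of the powershell.exe entry (PID 2300)
in the report's process tree.
"""
import base64
import binascii
import re
from typing import Optional

ENCODED = (
    "PAAjAGMAeQB1ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBl"
    "ACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAZwBhACMA"
    "PgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBn"
    "AGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZwBlAG4AZQByAGEAdABpAG8AbgAgAG4AbwB0ACAA"
    "YQBsAGwAbwB3AGUAZAAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAaQBh"
    "AGMAIwA+AA=="
)

SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    f'-EncodedCommand "{ENCODED}"'
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; match the
# spellings commonly seen, longest first so that -e does not short-circuit.
ENC_SWITCH = re.compile(
    r'-(?:encodedcommand|encoded|enc|en|ec|e)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE
)
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries the script as base64 of UTF-16LE text, not UTF-8."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64, or an odd byte count: not an encoded script


def strip_block_comments(script: str):
    """Remove <# ... #> block comments; return (cleaned script, removed comments)."""
    removed = BLOCK_COMMENT.findall(script)
    return BLOCK_COMMENT.sub("", script), removed


def analyze_command_line(cmdline: str) -> Optional[dict]:
    """Decode and deobfuscate a powershell command line; None if it has no -EncodedCommand."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    decoded = decode_encoded_command(m.group(1))
    if decoded is None:
        return None
    cleaned, removed = strip_block_comments(decoded)
    return {
        "decoded": decoded,
        "cleaned": cleaned,
        "comment_chaff": removed,
        # Heuristic: several very short block comments carry no documentation,
        # they exist only to perturb the encoded form.
        "comment_padding": len(removed) >= 2 and all(len(c) <= 12 for c in removed),
    }


if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_CMDLINE)
    print("decoded:", result["decoded"])
    print("cleaned:", result["cleaned"])
    print("chaff:", result["comment_chaff"], "padding:", result["comment_padding"])
```

Match detections on the cleaned script rather than on the raw base64: the operator can regenerate the encoded string at will by changing the comment text, while the cleaned form is stable.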
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: 3eaf3273123af861e0b9c625524bd3df
SHA1: c502e34fe5a1be4c62b9a06ee10e61a3859e0d52
SHA256: c28efda8c4be5e1022e3a4a6165f5ceb8a7a73de3f0b5be52e820561bc0db0fc
SHA512: f2901c71613fa99b49196fc0bb5937fb0d361e56cd789d9929904682bc11a280f0ef46f0dc3910f593fe2dcc494fa6e3712313236105a994b88b36749d053543

These hashes differ from the submitted sample's, so this entry is a distinct file of the same reported size.