Analysis
max time kernel: 80s
max time network: 81s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 01:35
Behavioral task behavioral1
Sample: Authenticator.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: Authenticator.exe
Resource: win10v2004-20241007-en
General
Target: Authenticator.exe
Size: 375KB
MD5: 85b43fd8aa9d8b09b8613f2fa47c6bb0
SHA1: 3729c0739c24b7ed9fda30684173a869c7398e80
SHA256: 6eea566794504979f9fa4d75285751f49afde178ad8a0cdfb81fceec9ebb2eb9
SHA512: 2898dc0c44a6543136281cf0bbdc03c3cc958098366773fc31ab047c2819e9df3d2b5596ded0d9a2811d915d4ced0404494dfa3381572c56dda9bf2772706ef2
SSDEEP: 6144:YbqQ4i1FFiEKZVSQZzs5jQKbgQ203StbjjSQkzaozVVqH:CpliPScgCy73StbjjSQkVzV0H
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Tag (botnet ID): Authenticator
C2: iamaskibiditoilet-58299.portmap.host:58299
Mutex: QSR_MUTEX_bNzknSVeSVx21JnqhQ
encryption_key: wAIAzlOLR0d5V3YI1aCM
install_name: Runtime Broker.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: Runtime Broker
subdirectory: SubDir

portmap.host is a port-forwarding service, so the IP the C2 hostname resolves to belongs to the forwarder, not to the operator. Pivot on the hostname, the mutex and the task name ("Runtime Broker", taken from startup_key) rather than on that IP.
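What the encryption_key above is for, as an added example that is not part of the Triage report and not Quasar's or Triage's own code: in a Quasar 1.3.0.0 client every settings string (HOSTS, INSTALLNAME, MUTEX and so on) is stored Base64-encoded as HMAC-SHA256(32 bytes) || IV(16 bytes) || AES-128-CBC/PKCS7 ciphertext, the MAC is computed over IV||ciphertext, and both keys come from PBKDF2-HMAC-SHA1 over the clear-text ENCRYPTIONKEY with a fixed salt and 50000 iterations (first 16 output bytes AES key, next 32 HMAC key). The salt, iteration count and layout below are taken from my reading of the 1.3.0.0 client source (Client/Core/Cryptography/AES.cs) and should be confirmed against the binary at hand; the function names are mine, and the encrypted blob the program decrypts is constructed by its own Encrypt() with a HOSTS-style "host:port;" string, not a blob pulled out of Authenticator.exe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Salt and iteration count as read from the Quasar 1.3.0.0 client source
// (Client/Core/Cryptography/AES.cs); confirm them against the binary at hand.
var quasarSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}

// blob layout: HMAC(32) || IV(16) || AES-128-CBC ciphertext
const pbkdf2Iterations, hmacLen, ivLen = 50000, sha256.Size, aes.BlockSize

type quasarKeys struct{ aesKey, authKey []byte }

// pbkdf2SHA1 is RFC 2898 PBKDF2/HMAC-SHA1, which is what .NET Rfc2898DeriveBytes computes.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys mirrors AES.SetDefaultKey(ENCRYPTIONKEY): one PBKDF2 stream,
// GetBytes(16) for the AES key, then GetBytes(32) for the HMAC key.
func deriveKeys(encryptionKey string) quasarKeys {
	stream := pbkdf2SHA1([]byte(encryptionKey), quasarSalt, pbkdf2Iterations, 48)
	return quasarKeys{aesKey: stream[:16], authKey: stream[16:48]}
}

// Decrypt verifies the MAC over IV||ciphertext before decrypting, as the client does.
func Decrypt(b64 string, k quasarKeys) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(blob) < hmacLen+ivLen+aes.BlockSize || (len(blob)-hmacLen-ivLen)%aes.BlockSize != 0 {
		return "", errors.New("blob too short or ciphertext not block-aligned")
	}
	mac := hmac.New(sha256.New, k.authKey)
	mac.Write(blob[hmacLen:])
	if !hmac.Equal(mac.Sum(nil), blob[:hmacLen]) {
		return "", errors.New("HMAC mismatch: wrong encryption_key or modified blob")
	}
	block, _ := aes.NewCipher(k.aesKey) // 16-byte key, cannot fail
	pt := make([]byte, len(blob)-hmacLen-ivLen)
	cipher.NewCBCDecrypter(block, blob[hmacLen:hmacLen+ivLen]).CryptBlocks(pt, blob[hmacLen+ivLen:])
	n := int(pt[len(pt)-1]) // PKCS7: last byte is the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// Encrypt is the client-side inverse; used here only to build a constructed blob.
func Encrypt(plain string, k quasarKeys) (string, error) {
	body := make([]byte, ivLen) // IV first, ciphertext appended after it
	if _, err := rand.Read(body); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	block, _ := aes.NewCipher(k.aesKey)
	cipher.NewCBCEncrypter(block, body).CryptBlocks(ct, padded)
	body = append(body, ct...)
	mac := hmac.New(sha256.New, k.authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...)), nil
}

func main() {
	keys := deriveKeys("wAIAzlOLR0d5V3YI1aCM") // encryption_key from the extracted config
	// Constructed HOSTS value in Quasar's "host:port;" form, not pulled from the sample.
	blob, _ := Encrypt("iamaskibiditoilet-58299.portmap.host:58299;", keys)
	host, err := Decrypt(blob, keys)
	fmt.Println(host, err)
}
```

Because the MAC is checked first, a wrong ENCRYPTIONKEY fails cleanly instead of producing garbage, which is the check to run when a config extractor emits an implausible C2: re-derive the keys from the ENCRYPTIONKEY string actually present in the Settings class and confirm the HMAC verifies.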
Signatures

Quasar family

Quasar payload (3 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1600-1-0x0000000000340000-0x00000000003A4000-memory.dmp   family_quasar
behavioral1/files/0x0008000000015d0e-5.dat                                   family_quasar
behavioral1/memory/2712-10-0x0000000000DF0000-0x0000000000E54000-memory.dmp  family_quasar

Executes dropped EXE (1 IoC)
PID   Process
2712  Runtime Broker.exe

Loads dropped DLL (1 IoC)
PID   Process
1600  Authenticator.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
2     ip-api.com
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a low-signal indicator: the key is read during ordinary locale initialisation, so treat it as context rather than as a detection.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Authenticator.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Runtime Broker.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID   Process
2968  schtasks.exe
2984  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              PID   Process
Token: SeDebugPrivilege  1600  Authenticator.exe
Token: SeDebugPrivilege  2712  Runtime Broker.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID   Process
2712  Runtime Broker.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process             procid_target
PID 1600 wrote to memory of 2968  1600  Authenticator.exe   31  (recorded 4 times)
PID 1600 wrote to memory of 2712  1600  Authenticator.exe   33  (recorded 4 times)
PID 2712 wrote to memory of 2984  2712  Runtime Broker.exe  34  (recorded 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\Authenticator.exe  (PID 1600)
  command line: "C:\Users\Admin\AppData\Local\Temp\Authenticator.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2968)
  |     command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Authenticator.exe" /rl HIGHEST /f
  |     - System Location Discovery: System Language Discovery
  |     - Scheduled Task/Job: Scheduled Task
  |
  +-- C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe  (PID 2712)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2984)
              command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
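The tree shows the two things worth alerting on here: a schtasks /create whose action points into AppData and runs at every logon with /rl HIGHEST (the second call re-creates the same task name with /f, so the action that actually persists is the Roaming\SubDir copy), and a process called "Runtime Broker.exe" running from a user profile, whereas the legitimate binary is C:\Windows\System32\RuntimeBroker.exe with no space in its name. The classifier below is an added example of mine, not Triage's signature logic; it runs over constructed process-creation records that mirror the tree above (plus two benign control rows), with the Image and CommandLine fields any Sysmon event 1 or 4688 record carries, and the path markers it treats as user-writable are my choice.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is the minimum a process-creation record (Sysmon event 1, 4688) needs for this check.
type ProcEvent struct {
	Image       string
	CommandLine string
}

// Constructed records mirroring the process tree above plus two benign controls;
// not an export from the sandbox.
var sampleEvents = []ProcEvent{
	{`C:\Users\Admin\AppData\Local\Temp\Authenticator.exe`, `"C:\Users\Admin\AppData\Local\Temp\Authenticator.exe"`},
	{`C:\Windows\SysWOW64\schtasks.exe`, `"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Authenticator.exe" /rl HIGHEST /f`},
	{`C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe`, `"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"`},
	{`C:\Windows\SysWOW64\schtasks.exe`, `"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f`},
	{`C:\Windows\System32\RuntimeBroker.exe`, `C:\Windows\System32\RuntimeBroker.exe -Embedding`},
	{`C:\Windows\System32\schtasks.exe`, `schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"`},
}

// splitArgs tokenises a Windows command line on spaces, honouring double quotes.
func splitArgs(s string) []string {
	var args []string
	var cur strings.Builder
	inQuote, have := false, false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote, have = !inQuote, true
		case r == ' ' && !inQuote:
			if have {
				args = append(args, cur.String())
				cur.Reset()
				have = false
			}
		default:
			cur.WriteRune(r)
			have = true
		}
	}
	if have {
		args = append(args, cur.String())
	}
	return args
}

// parseSchtasksCreate returns the /flag value pairs of a "schtasks /create" line
// (keys lower-cased), with ok=false if the line is not a task creation.
func parseSchtasksCreate(cmd string) (opts map[string]string, ok bool) {
	args := splitArgs(cmd)
	opts = map[string]string{}
	for i, a := range args {
		if !strings.HasPrefix(a, "/") {
			continue
		}
		key := strings.ToLower(a)
		if key == "/create" {
			ok = true
		}
		if i+1 < len(args) && !strings.HasPrefix(args[i+1], "/") {
			opts[key] = args[i+1]
		}
	}
	return opts, ok
}

// userWritable reports whether a path sits in a directory an unprivileged user can drop files into.
func userWritable(p string) bool {
	p = strings.ToLower(p)
	for _, marker := range []string{`\appdata\`, `\users\public\`, `\programdata\`, `\windows\temp\`} {
		if strings.Contains(p, marker) {
			return true
		}
	}
	return false
}

// Classify returns the reasons an event looks like the persistence seen in this report.
func Classify(e ProcEvent) []string {
	var hits []string
	img := strings.ToLower(e.Image)
	base := img[strings.LastIndex(img, `\`)+1:]
	if strings.ReplaceAll(base, " ", "") == "runtimebroker.exe" {
		if base != "runtimebroker.exe" {
			hits = append(hits, "name imitates RuntimeBroker.exe (the real binary name has no space)")
		}
		if !strings.HasPrefix(img, `c:\windows\system32\`) {
			hits = append(hits, "RuntimeBroker.exe lookalike outside C:\\Windows\\System32: "+e.Image)
		}
	}
	if base == "schtasks.exe" {
		if opts, ok := parseSchtasksCreate(e.CommandLine); ok {
			if userWritable(opts["/tr"]) {
				hits = append(hits, "task action in user-writable path: "+opts["/tr"])
			}
			if strings.EqualFold(opts["/sc"], "ONLOGON") && strings.EqualFold(opts["/rl"], "HIGHEST") {
				hits = append(hits, "task runs at every logon with highest privileges (/sc ONLOGON /rl HIGHEST)")
			}
		}
	}
	return hits
}

func main() {
	for _, e := range sampleEvents {
		for _, h := range Classify(e) {
			fmt.Printf("%s: %s\n", e.Image, h)
		}
	}
}
```

The same parsed /tn and /tr values are what to compare against the live task store on a suspect host (schtasks /query /v, or the XML under C:\Windows\System32\Tasks): a task whose action has moved from the Temp path to the Roaming\SubDir path is the footprint of this install sequence.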
Network
MITRE ATT&CK Enterprise v15