Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 01:35
Behavioral task behavioral1: sample Authenticator.exe, resource win7-20240903-en
Behavioral task behavioral2: sample Authenticator.exe, resource win10v2004-20241007-en
General
Target: Authenticator.exe
Size: 375KB
MD5: 85b43fd8aa9d8b09b8613f2fa47c6bb0
SHA1: 3729c0739c24b7ed9fda30684173a869c7398e80
SHA256: 6eea566794504979f9fa4d75285751f49afde178ad8a0cdfb81fceec9ebb2eb9
SHA512: 2898dc0c44a6543136281cf0bbdc03c3cc958098366773fc31ab047c2819e9df3d2b5596ded0d9a2811d915d4ced0404494dfa3381572c56dda9bf2772706ef2
SSDEEP: 6144:YbqQ4i1FFiEKZVSQZzs5jQKbgQ203StbjjSQkzaozVVqH:CpliPScgCy73StbjjSQkVzV0H
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Authenticator
C2: iamaskibiditoilet-58299.portmap.host:58299
Mutex: QSR_MUTEX_bNzknSVeSVx21JnqhQ
encryption_key: wAIAzlOLR0d5V3YI1aCM
install_name: Runtime Broker.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Runtime Broker
subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3196-1-0x0000000000EC0000-0x0000000000F24000-memory.dmp | family_quasar
  behavioral2/files/0x0007000000023c87-11.dat | family_quasar
- Executes dropped EXE (1 IoC)
  pid | Process
  3764 | Runtime Broker.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  10 | ip-api.com
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Authenticator.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Runtime Broker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4116 | schtasks.exe
  264 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3196 | Authenticator.exe
  Token: SeDebugPrivilege | 3764 | Runtime Broker.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3764 | Runtime Broker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3196 wrote to memory of 4116 | 3196 | Authenticator.exe | 84
  PID 3196 wrote to memory of 4116 | 3196 | Authenticator.exe | 84
  PID 3196 wrote to memory of 4116 | 3196 | Authenticator.exe | 84
  PID 3196 wrote to memory of 3764 | 3196 | Authenticator.exe | 86
  PID 3196 wrote to memory of 3764 | 3196 | Authenticator.exe | 86
  PID 3196 wrote to memory of 3764 | 3196 | Authenticator.exe | 86
  PID 3764 wrote to memory of 264 | 3764 | Runtime Broker.exe | 89
  PID 3764 wrote to memory of 264 | 3764 | Runtime Broker.exe | 89
  PID 3764 wrote to memory of 264 | 3764 | Runtime Broker.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\Authenticator.exe (depth 1, PID 3196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Authenticator.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4116)
    Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Authenticator.exe" /rl HIGHEST /f
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe (depth 2, PID 3764)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 264)
      Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 375KB
  MD5: 85b43fd8aa9d8b09b8613f2fa47c6bb0
  SHA1: 3729c0739c24b7ed9fda30684173a869c7398e80
  SHA256: 6eea566794504979f9fa4d75285751f49afde178ad8a0cdfb81fceec9ebb2eb9
  SHA512: 2898dc0c44a6543136281cf0bbdc03c3cc958098366773fc31ab047c2819e9df3d2b5596ded0d9a2811d915d4ced0404494dfa3381572c56dda9bf2772706ef2