Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 19:10
Behavioral task
behavioral1
Sample
AugustusInstaller.exe
Resource
win7-20240903-en
General
-
Target
AugustusInstaller.exe
-
Size
3.1MB
-
MD5
d0d6aa544dd91fa40db301efa7528019
-
SHA1
c02eb4a05fcd515bfb247dccc765c0e4b9ddfffa
-
SHA256
d27d4eb04172e979d6660f5f3ef9b9caced7a535c423571ad6685d76445a7d8d
-
SHA512
bc8961509e54ad4f3f96d224b1f44fb415358a9ebfada09b995860799cbb169fe39bcf6520cf3e9e30b63915633692c21e5dbc5af569da59f7e2d80fd36df532
-
SSDEEP
49152:mvaY52fyaSZOrPWluWBuGG5g5hCnc+p7RvkCqLoMdITHHB72eh2NT:mvv52fyaSZOrPWluWBDG5g5hCncX
Malware Config
Extracted
quasar
1.4.1
Office04
10.0.2.15:4782
467b644d-3aa7-4652-9849-85b82e772b7e
-
encryption_key
D65D0AFFBB620AD32D40AB4922CBBC09E85999E8
-
install_name
Augustus.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/3352-1-0x0000000000070000-0x0000000000394000-memory.dmp family_quasar behavioral2/files/0x0008000000023cb6-5.dat family_quasar -
Executes dropped EXE 1 IoCs
pid Process 4448 Augustus.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1672 schtasks.exe 4136 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3352 AugustusInstaller.exe Token: SeDebugPrivilege 4448 Augustus.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4448 Augustus.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3352 wrote to memory of 4136 3352 AugustusInstaller.exe 83 PID 3352 wrote to memory of 4136 3352 AugustusInstaller.exe 83 PID 3352 wrote to memory of 4448 3352 AugustusInstaller.exe 85 PID 3352 wrote to memory of 4448 3352 AugustusInstaller.exe 85 PID 4448 wrote to memory of 1672 4448 Augustus.exe 86 PID 4448 wrote to memory of 1672 4448 Augustus.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\AugustusInstaller.exe"C:\Users\Admin\AppData\Local\Temp\AugustusInstaller.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Augustus.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:4136
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Augustus.exe"C:\Users\Admin\AppData\Roaming\SubDir\Augustus.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Augustus.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:1672
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5d0d6aa544dd91fa40db301efa7528019
SHA1c02eb4a05fcd515bfb247dccc765c0e4b9ddfffa
SHA256d27d4eb04172e979d6660f5f3ef9b9caced7a535c423571ad6685d76445a7d8d
SHA512bc8961509e54ad4f3f96d224b1f44fb415358a9ebfada09b995860799cbb169fe39bcf6520cf3e9e30b63915633692c21e5dbc5af569da59f7e2d80fd36df532