Analysis
max time kernel: 30s
max time network: 24s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64 arch:x86 image:win10ltsc2021-20241211-en locale:en-us os:windows10-ltsc 2021-x64 system
submitted: 28-12-2024 15:14
Behavioral tasks
Behavioral task  Sample      Resource
behavioral1      Loader.exe  win7-20240708-en
behavioral2      Loader.exe  win10v2004-20241007-en
behavioral3      Loader.exe  win10ltsc2021-20241211-en
General
Target: Loader.exe
Size: 3.1MB
MD5: e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1: e996894168f0d4e852162d1290250dfa986310f8
SHA256: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512: 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc
SSDEEP: 49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: Dystopian-62863.portmap.host:62863
Mutex: e1de8f9b-5a7a-4798-a6fb-c03591ef3442
Attributes
encryption_key: 8C1BB32BFD240218BA0CB04D65341FB1FDE1E001
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SubStart
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
resource                                                                    yara_rule
behavioral3/memory/2044-1-0x0000000000490000-0x00000000007B4000-memory.dmp  family_quasar
behavioral3/files/0x002800000004608f-3.dat                                  family_quasar

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation  Client.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation  Client.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation  Client.exe

Executes dropped EXE (3 IoCs)
pid   Process
632   Client.exe
3108  Client.exe
2728  Client.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2704  PING.EXE
3004  PING.EXE
4996  PING.EXE

Runs ping.exe (1 TTPs, 3 IoCs)
pid   Process
2704  PING.EXE
3004  PING.EXE
4996  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4028  schtasks.exe
4716  schtasks.exe
3724  schtasks.exe
3428  schtasks.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2044  Loader.exe
Token: SeDebugPrivilege  632   Client.exe
Token: SeDebugPrivilege  3108  Client.exe
Token: SeDebugPrivilege  2728  Client.exe

Suspicious use of WriteProcessMemory (32 IoCs)
description                       pid   Process     procid_target
PID 2044 wrote to memory of 4716  2044  Loader.exe  82
PID 2044 wrote to memory of 4716  2044  Loader.exe  82
PID 2044 wrote to memory of 632   2044  Loader.exe  84
PID 2044 wrote to memory of 632   2044  Loader.exe  84
PID 632 wrote to memory of 3724   632   Client.exe  85
PID 632 wrote to memory of 3724   632   Client.exe  85
PID 632 wrote to memory of 1964   632   Client.exe  87
PID 632 wrote to memory of 1964   632   Client.exe  87
PID 1964 wrote to memory of 3624  1964  cmd.exe     89
PID 1964 wrote to memory of 3624  1964  cmd.exe     89
PID 1964 wrote to memory of 2704  1964  cmd.exe     90
PID 1964 wrote to memory of 2704  1964  cmd.exe     90
PID 1964 wrote to memory of 3108  1964  cmd.exe     98
PID 1964 wrote to memory of 3108  1964  cmd.exe     98
PID 3108 wrote to memory of 3428  3108  Client.exe  99
PID 3108 wrote to memory of 3428  3108  Client.exe  99
PID 3108 wrote to memory of 1312  3108  Client.exe  101
PID 3108 wrote to memory of 1312  3108  Client.exe  101
PID 1312 wrote to memory of 4348  1312  cmd.exe     103
PID 1312 wrote to memory of 4348  1312  cmd.exe     103
PID 1312 wrote to memory of 3004  1312  cmd.exe     104
PID 1312 wrote to memory of 3004  1312  cmd.exe     104
PID 1312 wrote to memory of 2728  1312  cmd.exe     105
PID 1312 wrote to memory of 2728  1312  cmd.exe     105
PID 2728 wrote to memory of 4028  2728  Client.exe  106
PID 2728 wrote to memory of 4028  2728  Client.exe  106
PID 2728 wrote to memory of 1708  2728  Client.exe  108
PID 2728 wrote to memory of 1708  2728  Client.exe  108
PID 1708 wrote to memory of 1996  1708  cmd.exe     110
PID 1708 wrote to memory of 1996  1708  cmd.exe     110
PID 1708 wrote to memory of 4996  1708  cmd.exe     111
PID 1708 wrote to memory of 4996  1708  cmd.exe     111

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child nesting)
C:\Users\Admin\AppData\Local\Temp\Loader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  PID: 2044
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 4716
      - Scheduled Task/Job: Scheduled Task
    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      PID: 632
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          PID: 3724
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytfDY6aFWNV5.bat" "
          PID: 1964
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com
              command line: chcp 65001
              PID: 3624
            C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              PID: 2704
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
              command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
              PID: 3108
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                C:\Windows\SYSTEM32\schtasks.exe
                  command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  PID: 3428
                  - Scheduled Task/Job: Scheduled Task
                C:\Windows\system32\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RlRSBj8PuOSH.bat" "
                  PID: 1312
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\system32\chcp.com
                      command line: chcp 65001
                      PID: 4348
                    C:\Windows\system32\PING.EXE
                      command line: ping -n 10 localhost
                      PID: 3004
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                      PID: 2728
                      - Checks computer location settings
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                        C:\Windows\SYSTEM32\schtasks.exe
                          command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          PID: 4028
                          - Scheduled Task/Job: Scheduled Task
                        C:\Windows\system32\cmd.exe
                          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dkgz0SKuabHk.bat" "
                          PID: 1708
                          - Suspicious use of WriteProcessMemory
                            C:\Windows\system32\chcp.com
                              command line: chcp 65001
                              PID: 1996
                            C:\Windows\system32\PING.EXE
                              command line: ping -n 10 localhost
                              PID: 4996
                              - System Network Configuration Discovery: Internet Connection Discovery
                              - Runs ping.exe
Network

DNS queries (no response data captured in this export)
Remote address  Request                       Type    Response
8.8.8.8:53      217.106.137.52.in-addr.arpa   IN PTR
8.8.8.8:53      68.32.126.40.in-addr.arpa     IN PTR
8.8.8.8:53      95.221.229.192.in-addr.arpa   IN PTR
8.8.8.8:53      Dystopian-62863.portmap.host  IN A
8.8.8.8:53      154.239.44.20.in-addr.arpa    IN PTR
8.8.8.8:53      Dystopian-62863.portmap.host  IN A
8.8.8.8:53      228.249.119.40.in-addr.arpa   IN PTR
8.8.8.8:53      Dystopian-62863.portmap.host  IN A

Flow summary
Sent  Received  Requests  Responses  Type         Name
73 B  147 B     1         1          DNS Request  217.106.137.52.in-addr.arpa
71 B  157 B     1         1          DNS Request  68.32.126.40.in-addr.arpa
73 B  144 B     1         1          DNS Request  95.221.229.192.in-addr.arpa
74 B  167 B     1         1          DNS Request  Dystopian-62863.portmap.host
72 B  158 B     1         1          DNS Request  154.239.44.20.in-addr.arpa
74 B  167 B     1         1          DNS Request  Dystopian-62863.portmap.host
73 B  159 B     1         1          DNS Request  228.249.119.40.in-addr.arpa
74 B  167 B     1         1          DNS Request  Dystopian-62863.portmap.host
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 7787ce173dfface746f5a9cf5477883d
SHA1: 4587d870e914785b3a8fb017fec0c0f1c7ec0004
SHA256: c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1
SHA512: 3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Filesize: 207B
MD5: f15ed91bc8e7d8399b0ce895631f79a3
SHA1: 00f5533166ed8899b8b378d9084437fedfc5061e
SHA256: 275a61700e52f55cc0f20ce023ffdff4cfedc39e07583d44fcac32377c6423fb
SHA512: 3a7086e7063aec4f854f687ee060600781d48d85065732b54892905abe4101df5dc0ddb3bd832458f8be99449492c01d3c53fdb2e9bec0b7d74dd407f813ff8d

Filesize: 207B
MD5: 0f254c6fd9633b64da1f3c57ba434a71
SHA1: f4535746bbc298b4ef6ec7223cab23e58ec6ab44
SHA256: 21088accfb401ee3302cbc6b8850aa4f2ef3dfe7fe7c96e701f7bc453fe9eda2
SHA512: 61db7634efc43bfb6a306a84a3ce69ab6da996ad8573892673a5b89156791696fa94e5df74a5c3d17a5c1aed407a680fdbbe64ff1608c4994dc8ae5c945e3aa6

Filesize: 207B
MD5: 0ba95ddb38b384e37dbf77b0d43f502a
SHA1: 577dd2e435d1981288d9934f315dbfeb88b6ad9d
SHA256: 05d686738b5898b6c4b2f67760fb0062d83a090be8463e19a2dc084c905c05a6
SHA512: 9c362481e2035985d3815d276664ff82191504f26d53dee172481ef68a50c60951e0f6d9edb6d5b29f7b7eb22bdba0c2f2290e61f08ad8d3d62315635178e4fc

Filesize: 3.1MB
MD5: e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1: e996894168f0d4e852162d1290250dfa986310f8
SHA256: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512: 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc