Analysis

max time kernel: 22s
max time network: 24s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-01-2025 15:30
General

Target: better.exe
Size: 3.1MB
MD5: 47ec64e3d129b23c44f417cbc2a07aa7
SHA1: e65fbcf69e6e808ebe7bc9b13e483c5fc80d5fa2
SHA256: ccb17adb4b57a95a61acb010c01da98dc150be67a85df2ab40ba9d1f078f8373
SHA512: 52247a235b708e98efcf977fd109344e16df9c5a9f13ad5afd395df3f009d9ee6edf81fef9d74a31a9fdec1f851e61642912eb9bc8384b39042b70f9d8b7d510
SSDEEP: 49152:PvrlL26AaNeWgPhlmVqvMQ7XSKTxPEakPk/LCyoGdzTHHB72eh2NT:PvRL26AaNeWgPhlmVqkQ7XSKTxhv
Malware Config

Extracted: quasar
Version: 1.4.1
Tag (botnet ID): Office04
C2: himato667-58401.portmap.host:58401
Mutex: 0e2bc079-3316-407c-a26f-115195d9fe5b
encryption_key: D14CC6B8490A41A48C1E115285B6932B9A857EA0
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

Note: the C2 hostname sits under portmap.host, a public port-forwarding service, so host:port identifies a relay rather than the operator's own address; block or hunt on the full hostname, not the service. Office04 and Quasar Client Startup are the Quasar builder's defaults for the tag and the startup task name, and install_name, subdirectory and startup_key reappear verbatim in the drop path and the schtasks command lines recorded below.
Signatures

Quasar family

Quasar payload (2 IoCs)
  yara_rule family_quasar  resource behavioral1/memory/540-1-0x0000000000830000-0x0000000000B54000-memory.dmp  (memory of PID 540, the submitted sample)
  yara_rule family_quasar  resource behavioral1/files/0x0007000000023c96-5.dat

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  Client.exe

Executes dropped EXE (2 IoCs)
  PID 2320  Client.exe
  PID 2964  Client.exe

Drops file in System32 directory (2 IoCs)
  File created                  C:\Windows\system32\SubDir\Client.exe  better.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  better.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 3656  PING.EXE
  PID 2568  PING.EXE
  Caveat: both invocations are "ping -n 10 localhost" (see Processes), so in this sample the ping is a delay inside the relaunch batch script, not a connectivity check.

Runs ping.exe (1 TTP, 2 IoCs)
  PID 3656  PING.EXE
  PID 2568  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4696  schtasks.exe
  PID 4488  schtasks.exe
  PID 4032  schtasks.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 540   better.exe
  Token: SeDebugPrivilege  PID 2320  Client.exe
  Token: SeDebugPrivilege  PID 2964  Client.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2320  Client.exe
  PID 2964  Client.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 2320  Client.exe
  PID 2964  Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2320  Client.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  Every record appears twice in the original trace. The 11 distinct writes, in order, as pid, process, target pid and the report's procid_target column (an internal process index, not a PID):
  540   better.exe  -> 4696  (83)
  540   better.exe  -> 2320  (85)
  2320  Client.exe  -> 4488  (86)
  2320  Client.exe  -> 2788  (88)
  2788  cmd.exe     -> 4232  (90)
  2788  cmd.exe     -> 3656  (91)
  2788  cmd.exe     -> 2964  (103)
  2964  Client.exe  -> 4032  (104)
  2964  Client.exe  -> 4528  (107)
  4528  cmd.exe     -> 4624  (109)
  4528  cmd.exe     -> 2568  (110)
  Each write is a parent writing into a child it has just created, so this list is the process tree shown in the Processes section.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
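The WriteProcessMemory records above are enough to rebuild the process tree and to spot the cmd.exe -> ping -> Client.exe relaunch pattern without the sandbox UI. The following is an added example written for this page, not code from the sandbox or from Quasar: it embeds the 22 records from this report as constructed input, a PID-to-image map copied from the Processes section, dedupes the doubled records, renders the tree, and flags each cmd.exe that ran a ping delay, reporting whether a fresh Client.exe followed. The assumption that every write marks a parent creating a child holds for this trace (every edge matches the Processes tree) but not for WriteProcessMemory in general, where injection into an unrelated process looks the same.

```python
import re
from collections import OrderedDict

# Constructed input: the WriteProcessMemory records from this report, one per
# line. Each record is doubled in the original trace, exactly as it is here.
WPM_RECORDS = """\
PID 540 wrote to memory of 4696 540 better.exe 83
PID 540 wrote to memory of 4696 540 better.exe 83
PID 540 wrote to memory of 2320 540 better.exe 85
PID 540 wrote to memory of 2320 540 better.exe 85
PID 2320 wrote to memory of 4488 2320 Client.exe 86
PID 2320 wrote to memory of 4488 2320 Client.exe 86
PID 2320 wrote to memory of 2788 2320 Client.exe 88
PID 2320 wrote to memory of 2788 2320 Client.exe 88
PID 2788 wrote to memory of 4232 2788 cmd.exe 90
PID 2788 wrote to memory of 4232 2788 cmd.exe 90
PID 2788 wrote to memory of 3656 2788 cmd.exe 91
PID 2788 wrote to memory of 3656 2788 cmd.exe 91
PID 2788 wrote to memory of 2964 2788 cmd.exe 103
PID 2788 wrote to memory of 2964 2788 cmd.exe 103
PID 2964 wrote to memory of 4032 2964 Client.exe 104
PID 2964 wrote to memory of 4032 2964 Client.exe 104
PID 2964 wrote to memory of 4528 2964 Client.exe 107
PID 2964 wrote to memory of 4528 2964 Client.exe 107
PID 4528 wrote to memory of 4624 4528 cmd.exe 109
PID 4528 wrote to memory of 4624 4528 cmd.exe 109
PID 4528 wrote to memory of 2568 4528 cmd.exe 110
PID 4528 wrote to memory of 2568 4528 cmd.exe 110
"""

# PID -> image name, copied from the Processes section of this report.
IMAGES = {
    540: "better.exe", 4696: "schtasks.exe", 2320: "Client.exe",
    4488: "schtasks.exe", 2788: "cmd.exe", 4232: "chcp.com",
    3656: "PING.EXE", 2964: "Client.exe", 4032: "schtasks.exe",
    4528: "cmd.exe", 4624: "chcp.com", 2568: "PING.EXE",
}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")


def parse_edges(text):
    """Return the distinct (writer_pid, target_pid) pairs in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            seen[(int(m.group(1)), int(m.group(2)))] = None
    return list(seen)


def build_tree(edges):
    """Map each parent PID to its children in spawn order (assumes every write
    is a parent setting up a child it just created, true for this trace)."""
    tree = {}
    for parent, child in edges:
        tree.setdefault(parent, []).append(child)
    return tree


def render(tree, root, images, depth=0):
    """Indented one-line-per-process rendering of the subtree under root."""
    lines = ["  " * depth + "%s (PID %d)" % (images.get(root, "?"), root)]
    for child in tree.get(root, []):
        lines.extend(render(tree, child, images, depth + 1))
    return lines


def find_relaunch_chains(tree, images):
    """Flag each cmd.exe that ran a ping delay, and whether a new Client.exe followed.

    The batch in this report runs chcp 65001, ping -n 10 localhost (roughly a
    9 second sleep) and then the implant again. 'client' is None when the run
    ended before the delayed relaunch, which is what happened to the second batch.
    """
    def image(pid):
        return images.get(pid, "").lower()

    chains = []
    for parent, children in tree.items():
        if image(parent) != "cmd.exe":
            continue
        pings = [c for c in children if image(c) == "ping.exe"]
        clients = [c for c in children if image(c) == "client.exe"]
        if pings:
            chains.append({"cmd": parent, "ping": pings[0],
                           "client": clients[0] if clients else None})
    return chains


if __name__ == "__main__":
    tree = build_tree(parse_edges(WPM_RECORDS))
    print("\n".join(render(tree, 540, IMAGES)))
    for chain in find_relaunch_chains(tree, IMAGES):
        print("relaunch chain:", chain)
```

Run as a script it prints the twelve-process tree rooted at PID 540 and two chains: PID 2788 with a relaunched Client.exe (PID 2964), and PID 4528 with none, because the 22 second run ended during its ping.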
Processes

C:\Users\Admin\AppData\Local\Temp\better.exe  (PID 540)
  command: "C:\Users\Admin\AppData\Local\Temp\better.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe  (PID 4696)
    command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\SubDir\Client.exe  (PID 2320)
    command: "C:\Windows\system32\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe  (PID 4488)
      command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\system32\cmd.exe  (PID 2788)
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yczwnELWfiV7.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\chcp.com  (PID 4232)
        command: chcp 65001

      C:\Windows\system32\PING.EXE  (PID 3656)
        command: ping -n 10 localhost
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

      C:\Windows\system32\SubDir\Client.exe  (PID 2964)
        command: "C:\Windows\system32\SubDir\Client.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe  (PID 4032)
          command: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

        C:\Windows\system32\cmd.exe  (PID 4528)
          command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oB0bcObmKmfl.bat" "
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\chcp.com  (PID 4624)
            command: chcp 65001

          C:\Windows\system32\PING.EXE  (PID 2568)
            command: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

Reading the tree: the sample copies itself to C:\Windows\system32\SubDir\Client.exe, registers a logon task named "Quasar Client Startup" that runs it with /rl HIGHEST, and starts the copy. Each Client.exe re-issues the same /create command (the /f switch makes the repeat overwrite silently) and then hands off to a batch file in %TEMP% that sets the console code page, waits on "ping -n 10 localhost" and relaunches Client.exe. The first batch (PID 2788) completed the relaunch (PID 2964); the second (PID 4528) was still in its ping when the 22 second run ended, which is why the tree stops there.
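The schtasks command line above is the persistence artefact a detection engineer would want to key on. The following is an added example, not code from the sandbox or from the Quasar project: it tokenises a Windows command line (quoted strings kept whole), pulls the schtasks verb and switches out, and scores the result against the pattern this report shows, using the startup_key and subdirectory/install_name values from the extracted config as the Quasar-specific indicators. The sample command lines are constructed: the first is this report's own, the other three (a daily updater task, a /query, and a logon task pointing into %TEMP%) are hypothetical and exist only to show what does and does not fire. The generic rule (/create with /rl HIGHEST, a logon or boot trigger and /f) fires on the borderline line too, so it goes beyond this one family.

```python
import re

QUASAR_STARTUP_KEY = "Quasar Client Startup"   # startup_key from the extracted config
QUASAR_INSTALL_TAIL = "\\subdir\\client.exe"   # subdirectory + install_name, lower-cased

# Constructed sample: line 0 is the command this sample issues three times;
# lines 1-3 are hypothetical, for comparison only.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "ExampleUpdater" /sc DAILY /st 12:00 /tr "C:\Program Files\Example\updater.exe"',
    r'schtasks /query /tn "ExampleUpdater"',
    r'C:\Windows\SYSTEM32\schtasks.exe /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svc.exe" /rl HIGHEST /f',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
VERBS = {"create", "delete", "query", "change", "run", "end"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {"verb": ..., switch: value, ...} for a schtasks invocation, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    head = tokens[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if head not in ("schtasks", "schtasks.exe"):
        return None
    opts = {"verb": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in VERBS:
                opts["verb"] = key
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]   # switch with a value, e.g. /tn "name"
                i += 1
            else:
                opts[key] = True            # bare switch such as /f
        i += 1
    return opts


def assess(cmdline):
    """Score one command line against the persistence pattern seen in this report."""
    opts = parse_schtasks(cmdline) or {}
    result = {"verb": opts.get("verb"), "task_name": opts.get("tn"),
              "reasons": [], "suspicious": False}
    if opts.get("verb") != "create":
        return result
    reasons = result["reasons"]
    tn = str(opts.get("tn", ""))
    tr = str(opts.get("tr", "")).lower()
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: task runs with the highest available privileges")
    if str(opts.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
        reasons.append("/sc ONLOGON or ONSTART: task fires at every logon or boot")
    if opts.get("f"):
        reasons.append("/f: silently replaces an existing task of the same name")
    if tn == QUASAR_STARTUP_KEY:
        reasons.append("task name equals the Quasar default startup_key")
    if tr.endswith(QUASAR_INSTALL_TAIL):
        reasons.append("target matches the Quasar default install path SubDir\\Client.exe")
    # Family-specific name alone is decisive; otherwise need the full privileged-logon-overwrite trio.
    result["suspicious"] = tn == QUASAR_STARTUP_KEY or len(reasons) >= 3
    return result


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        verdict = assess(line)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok        ", line)
        for reason in verdict["reasons"]:
            print("    -", reason)
```

Feed it Sysmon Event ID 1 or Security 4688 command lines in place of SAMPLE_CMDLINES; for task creation through the Task Scheduler COM API (also flagged in this report) there is no schtasks command line, so pair this with Security 4698 (task created) events rather than relying on it alone.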
MITRE ATT&CK mapping: Enterprise v15
Downloads

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 196B
MD5: f0df9be68ba079c916011c7804714b34
SHA1: 50cc595357186ae8a040847023aaa079864c3317
SHA256: 1f0478a8eb85efbd6cc66a161e6664d1e2e9ad4af07423f097bbcdead6057a52
SHA512: 96f3f8c869caeca83972b2caf251403281baff444dc4f4fdb6609bc33efd739d1960a55bb398ea159512abfa37428adfe1af04a50f4c04c7bcc9df55bc8c1936

Filesize: 196B
MD5: 72c50570fb69dab844f7c016ef9ceb83
SHA1: dabcd7f93298e2218e402188592e55139390f322
SHA256: 197bd22a2cf3dc0d059b6971a3e6d7eb7bf3092c27e6d3d142113819714ff331
SHA512: 6a2d0e1bbe91989c4b3e4f8a7e0a75055ff2dcb703675262a2e5e06695b9688e85243ad55db02b97d229676c406c5c61b2863a7517d36e8c7d0ddb2bf1493793

Filesize: 3.1MB
MD5: 47ec64e3d129b23c44f417cbc2a07aa7
SHA1: e65fbcf69e6e808ebe7bc9b13e483c5fc80d5fa2
SHA256: ccb17adb4b57a95a61acb010c01da98dc150be67a85df2ab40ba9d1f078f8373
SHA512: 52247a235b708e98efcf977fd109344e16df9c5a9f13ad5afd395df3f009d9ee6edf81fef9d74a31a9fdec1f851e61642912eb9bc8384b39042b70f9d8b7d510
(Hashes identical to the submitted better.exe, consistent with the sample copying itself unchanged to C:\Windows\system32\SubDir\Client.exe; one hash set therefore covers both the dropper and the installed implant.)