Analysis
- max time kernel: 132s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2025 00:35
Behavioral task: behavioral1
- Sample: 222.exe
- Resource: win7-20240903-en
General
- Target: 222.exe
- Size: 3.1MB
- MD5: 12f79c4859c66ba550b2b0a23421209c
- SHA1: c9105f035bde2e0ff30df75b2be4b82f2c891a07
- SHA256: 5f8cd02b16b38230d9bef9d35052838ab3fd8e67bf2cfc82c89cd62d8eb9fca6
- SHA512: 810274c5bebdb31dcde9189b4d2874623ae1c82c457b7c3aa0f11d6718fb70568dba6ef0de4cac3e670596fb75179f822f4865113570710368880e221f84472c
- SSDEEP: 49152:Dvhuf2NUaNmwzPWlvdaKM7ZxTwLp+zYBxw/oGdyqTHHB72eh2NT:Dv8f2NUaNmwzPWlvdaB7ZxTwQzT
Malware Config

Extracted
- quasar
- 1.4.1
- Office04
- 10.0.0.85:4782
- 172.16.0.2:4782
- 192.168.56.1:4782
- 70b15695-83fa-49d5-9ab7-d6837c0bfe04
- encryption_key: CE951E8DBE6E2FB19D206CC546AB1C2DB4750281
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 1
- startup_key: Solara
- subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1248-1-0x0000000000780000-0x0000000000AA4000-memory.dmp   family_quasar
  behavioral2/files/0x0007000000023c83-6.dat                                   family_quasar

Executes dropped EXE (1 IoC)
  pid   Process
  3612  Client.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3472  schtasks.exe
  2964  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1248  222.exe
  Token: SeDebugPrivilege  3612  Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3612  Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process     procid_target
  PID 1248 wrote to memory of 3472   1248  222.exe     82
  PID 1248 wrote to memory of 3472   1248  222.exe     82
  PID 1248 wrote to memory of 3612   1248  222.exe     84
  PID 1248 wrote to memory of 3612   1248  222.exe     84
  PID 3612 wrote to memory of 2964   3612  Client.exe  85
  PID 3612 wrote to memory of 2964   3612  Client.exe  85

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\222.exe (PID 1248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\222.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe (PID 3472)
        Command line: "schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3612)
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe (PID 2964)
            Command line: "schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
- MD5: 12f79c4859c66ba550b2b0a23421209c
- SHA1: c9105f035bde2e0ff30df75b2be4b82f2c891a07
- SHA256: 5f8cd02b16b38230d9bef9d35052838ab3fd8e67bf2cfc82c89cd62d8eb9fca6
- SHA512: 810274c5bebdb31dcde9189b4d2874623ae1c82c457b7c3aa0f11d6718fb70568dba6ef0de4cac3e670596fb75179f822f4865113570710368880e221f84472c