Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2025, 21:31
Behavioral task: behavioral1
Sample: 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe
Resource: win7-20240903-en
General
Target: 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe
Size: 3.1MB
MD5: 265cd3ec1c1ba2c6215c54b5cd39024c
SHA1: 303c396a4f460dc88397af1ae2dc9e9b4a214b64
SHA256: 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2
SHA512: 448f0cb2f942b3d92a53f4823299bf78639989b07d02706e25ec3648efb4dd894563763bd9de8fae1ac77311d89833b3f75afeb6b17c03ad3a92cde15af9a659
SSDEEP: 49152:rvFt62XlaSFNWPjljiFa2RoUYIR4mFmzALoGd3BiTHHB72eh2NT:rv362XlaSFNWPjljiFXRoUYIR4mX
Malware Config
Extracted: quasar
1.4.1
0
64.95.11.214:4782
c944155f-3f97-4c60-a0c2-62d9c9732c6e
encryption_key: 49CED1D49D4E76E51A8DBC72FF6ADC7073955387
install_name: audiodg.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: audiodg
subdirectory: Windows
Signatures
Quasar family
Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2284-1-0x0000000001280000-0x00000000015A4000-memory.dmp | family_quasar
  behavioral1/files/0x0008000000014b28-6.dat | family_quasar
  behavioral1/memory/2196-8-0x0000000000F10000-0x0000000001234000-memory.dmp | family_quasar
Executes dropped EXE (1 IoCs)
  pid | Process
  2196 | audiodg.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2332 | schtasks.exe
  2780 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2284 | 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe
  Token: SeDebugPrivilege | 2196 | audiodg.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2196 | audiodg.exe
Suspicious use of SendNotifyMessage (1 IoCs)
  pid | Process
  2196 | audiodg.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2284 wrote to memory of 2332 | 2284 | 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe | 28
  PID 2284 wrote to memory of 2332 | 2284 | 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe | 28
  PID 2284 wrote to memory of 2332 | 2284 | 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe | 28
  PID 2284 wrote to memory of 2196 | 2284 | 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe | 30
  PID 2284 wrote to memory of 2196 | 2284 | 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe | 30
  PID 2284 wrote to memory of 2196 | 2284 | 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe | 30
  PID 2196 wrote to memory of 2780 | 2196 | audiodg.exe | 31
  PID 2196 wrote to memory of 2780 | 2196 | audiodg.exe | 31
  PID 2196 wrote to memory of 2780 | 2196 | audiodg.exe | 31
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2284
  Level 2: C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\audiodg.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2332
  Level 2: C:\Users\Admin\AppData\Roaming\Windows\audiodg.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows\audiodg.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2196
    Level 3: C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\audiodg.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
      PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 265cd3ec1c1ba2c6215c54b5cd39024c
SHA1: 303c396a4f460dc88397af1ae2dc9e9b4a214b64
SHA256: 9e1a126888447375a41859f813e03755a37c4cf108c90108ad8fef598360a7b2
SHA512: 448f0cb2f942b3d92a53f4823299bf78639989b07d02706e25ec3648efb4dd894563763bd9de8fae1ac77311d89833b3f75afeb6b17c03ad3a92cde15af9a659