Analysis
-
max time kernel
148s
-
max time network
152s
-
platform
windows7_x64
-
resource
win7-en-20210920
-
submitted
03-11-2021 19:54
Static task
static1
Behavioral task
behavioral1
Sample
9860743c4ff83784de05aa8444594aed.exe
Resource
win7-en-20210920
General
-
Target
9860743c4ff83784de05aa8444594aed.exe
-
Size
14KB
-
MD5
9860743c4ff83784de05aa8444594aed
-
SHA1
517ab424f9f6ee8de223e396691f1cb3b2d01a09
-
SHA256
70da41b661dc8de4e8cd1bde0f17f434433115bffad2fb762205b734acd4ed35
-
SHA512
cae8c9f056f7556d30e170caca7b4146baf00eaa32b6d2fac8659d2547d97e1461ee8cce0b123db02d5497faf9e12057d5daa530b4b8e722d73c66e769064b88
Malware Config
Extracted
family
quasar
-
version
1.4.0
-
tag
helper
-
c2
41.79.11.214:61032
-
mutex
307d89ac-968f-48de-a3b3-0c81d2cf4d4a
-
encryption_key
0D0F7891BD61AE0C503175723ADA783C9973F3B8
-
install_name
DllHelper.exe
-
log_directory
Logs
-
reconnect_delay
5000 (ms)
-
startup_key
DllHelper
-
subdirectory
DllHelper
-
How to read these fields: subdirectory and install_name give the install path under %APPDATA% (C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe, which is exactly what the process tree below shows), startup_key is the name of the scheduled task the client registers, log_directory is where the keylogger writes, and the client reconnects to the c2 endpoint every reconnect_delay milliseconds. The mutex GUID is the per-build single-instance mutex and is a usable host IoC on its own.
Signatures
-
Quasar Payload 5 IoCs
YARA matches (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\tbdtasya.exe            family_quasar
  C:\Users\Admin\AppData\Local\Temp\tbdtasya.exe          family_quasar
  C:\Users\Admin\AppData\Local\Temp\tbdtasya.exe          family_quasar
  C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe  family_quasar
  C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe  family_quasar
-
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)  (2 alerts)
This rule keys on the subject of the self-signed certificate a Quasar server presents (CN=Quasar Server CA), so it fires once per TLS handshake with the C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
  pid   process
  1032  tbdtasya.exe
  1692  DllHelper.exe
-
Drops startup file 2 IoCs
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmic.exe  (by 9860743c4ff83784de05aa8444594aed.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmic.exe  (by 9860743c4ff83784de05aa8444594aed.exe)
  Note that this is the original 14KB sample, not the Quasar payload, planting a second persistence mechanism: an executable named after the legitimate wmic.exe in the per-user Startup folder. The report gives no hash for this file.
-
Loads dropped DLL 1 IoCs
  pid  process
  240  9860743c4ff83784de05aa8444594aed.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1800  schtasks.exe
  1892  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   process
  Token: SeDebugPrivilege  1032  tbdtasya.exe
  Token: SeDebugPrivilege  1692  DllHelper.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
  pid   process
  1692  DllHelper.exe
  A Windows hook installed by the installed copy is consistent with Quasar's keylogger, which logs to the log_directory named in the config.
-
Suspicious use of WriteProcessMemory 13 IoCs
  source pid / process                        ->  target pid / process   writes
  240   9860743c4ff83784de05aa8444594aed.exe  ->  1032  tbdtasya.exe     4
  1032  tbdtasya.exe                          ->  1800  schtasks.exe     3
  1032  tbdtasya.exe                          ->  1692  DllHelper.exe    3
  1692  DllHelper.exe                         ->  1892  schtasks.exe     3
  Every pair is a parent/child edge in the process tree below, so these are writes into freshly created children during process start-up, not injection into an unrelated process.
Processes
-
PID 240  C:\Users\Admin\AppData\Local\Temp\9860743c4ff83784de05aa8444594aed.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\9860743c4ff83784de05aa8444594aed.exe"
         - Drops startup file
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
  PID 1032  C:\Users\Admin\AppData\Local\Temp\tbdtasya.exe
            command line: C:\Users\Admin\AppData\Local\Temp\tbdtasya.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
    PID 1800  C:\Windows\system32\schtasks.exe
              command line: "schtasks" /create /tn "DllHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\tbdtasya.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
    PID 1692  C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe
              command line: "C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
      PID 1892  C:\Windows\system32\schtasks.exe
                command line: "schtasks" /create /tn "DllHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
-
The two schtasks calls share the task name (the config's startup_key) and both pass /f, so the second overwrites the first: the dropped stage in Temp registers itself, copies to the install path and launches the copy, and the installed copy re-registers the task pointing at itself. After cleanup, the task named DllHelper should be checked for either target path.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tbdtasya.exe
MD5: 0b1906293450341a4fc2d4cd2d4f1b48
SHA1: 0f9a4604fb09b2262c8a99653e856ed71dbdc054
SHA256: 3c70bee98b3b7ec593a986787ad60f4ad8c1161e48986d3ed254886fbadc55d5
SHA512: cd21a212f6f2c31b4b0fb42a1c739376ccbe607e2af639635b1889f37e8a7e916c6e197aa33cc15a62ddc33bd2091462f98ea1c4e9a3af77a759b9cff1ac6aca
-
C:\Users\Admin\AppData\Roaming\DllHelper\DllHelper.exe
MD5: 0b1906293450341a4fc2d4cd2d4f1b48
SHA1: 0f9a4604fb09b2262c8a99653e856ed71dbdc054
SHA256: 3c70bee98b3b7ec593a986787ad60f4ad8c1161e48986d3ed254886fbadc55d5
SHA512: cd21a212f6f2c31b4b0fb42a1c739376ccbe607e2af639635b1889f37e8a7e916c6e197aa33cc15a62ddc33bd2091462f98ea1c4e9a3af77a759b9cff1ac6aca
-
The report lists these two paths five times in total, matching the five YARA resources above; the entries are collapsed here. The installed DllHelper.exe has the same hashes as the dropped tbdtasya.exe, so it is a straight copy and one hash set covers both. The wmic.exe written to the Startup folder does not appear in this list and has no hash in the report.
-
memory/240-54-0x00000000755A1000-0x00000000755A3000-memory.dmp  (8KB)
-
memory/1032-56-0x0000000000000000-mapping.dmp
-
memory/1032-59-0x00000000003C0000-0x00000000003C1000-memory.dmp  (4KB)
-
memory/1032-61-0x000000001AE80000-0x000000001AE82000-memory.dmp  (8KB)
-
memory/1692-63-0x0000000000000000-mapping.dmp
-
memory/1692-66-0x0000000001380000-0x0000000001381000-memory.dmp  (4KB)
-
memory/1692-68-0x000000001AEA0000-0x000000001AEA2000-memory.dmp  (8KB)
-
memory/1800-62-0x0000000000000000-mapping.dmp
-
memory/1892-69-0x0000000000000000-mapping.dmp