Analysis
max time kernel: 4294183s
max time network: 140s
platform: windows7_x64
resource: win7-20220311-en
submitted: 19-03-2022 13:18
Behavioral task: behavioral1
Sample: The increasingly complicated Russia-Ukraine crisis explained.pdf
Resource: win7-20220310-en

Behavioral task: behavioral2
Sample: The increasingly complicated Russia-Ukraine crisis explained.pdf
Resource: win10v2004-20220310-en

Behavioral task: behavioral3
Sample: The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
Resource: win7-20220311-en
General
Target: The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
Size: 713KB
MD5: 19338d49c7f6a98163ed63ca165a6d9d
SHA1: bbb9bf63efc448706f974050bef23bb1edd13782
SHA256: b4e3216803e2ec15ff0df82bf47656df179a4efa977eb187607bab0c38909a00
SHA512: b8c9235a9a825284dcd3bf5c210f1f842e90639c4459ae1728e2e96aa738a9f8fdf7a119cc2d4e92a5400870644c571278f0f33679d7b398d399c981c8a6fa31
Malware Config
Extracted
Family: quasar
Version: 1.4.0
C2:
  https://web.sunvn.net:4782
  https://taisunwin.club:4782
  https://web.sunwinvn.vip:4782
  http://b29.bet:4782
  https://playgo88.fun:4782
  https://choigo88.us:4782
Mutex: ca1a9340-65d7-49a9-b045-50c69210b55d
encryption_key: 9C84151BA76B2D40C2A4C55E8D137720CE7C0137
install_name: PDF.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: PDF Reader
subdirectory: PDF Reader
Signatures

Quasar Payload (1 IoCs)
  resource | yara_rule
  behavioral3/memory/1708-54-0x0000000001210000-0x00000000012C8000-memory.dmp | family_quasar

Drops file in Program Files directory (2 IoCs)
Processes: The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
  description | ioc | process
  File created | C:\Program Files\PDF Reader\PDF.exe | The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
  File opened for modification | C:\Program Files\PDF Reader\PDF.exe | The increasingly complicated Russia-Ukraine crisis explained.pdf.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
  description | pid | process
  Token: SeDebugPrivilege | 1708 | The increasingly complicated Russia-Ukraine crisis explained.pdf.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
  description | pid | process | target process
  PID 1708 wrote to memory of 636 | 1708 | The increasingly complicated Russia-Ukraine crisis explained.pdf.exe | schtasks.exe
  PID 1708 wrote to memory of 636 | 1708 | The increasingly complicated Russia-Ukraine crisis explained.pdf.exe | schtasks.exe
  PID 1708 wrote to memory of 636 | 1708 | The increasingly complicated Russia-Ukraine crisis explained.pdf.exe | schtasks.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\The increasingly complicated Russia-Ukraine crisis explained.pdf.exe"
   PID: 1708
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "PDF Reader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\The increasingly complicated Russia-Ukraine crisis explained.pdf.exe" /rl HIGHEST /f
      PID: 636
      - Creates scheduled task(s)