Analysis
- max time kernel: 140s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-05-2022 20:09

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
  - Resource: win7-20220414-en

Note: the task list names the Windows 7 run (behavioral1), but the platform above is windows10-2004_x64 and the YARA hits below reference the behavioral2 memory dump, so the signatures, process tree and files on this page come from the Windows 10 run.
General
- Target: d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
- Size: 664KB
- MD5: 1f2f26a299287d8353502a9133df4cf1
- SHA1: ee40f71067f91d23841e2f2f2b178a153e0f4e07
- SHA256: d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726
- SHA512: 135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97
Malware Config

Extracted
- family: quasar
- version: 2.1.0.0
- tag: Office04
- c2: 127.0.0.1:4782
- c2: karmina113.sytes.net:2222
- c2: karmina200.sytes.net:2222
- mutex: VNM_MUTEX_c2q7y2ayYutZ2XaYe7
- encryption_key: Utv1d8B5zhHYcWfy3OEQ
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: svchost
- subdirectory: SubDir

Reading the config: 127.0.0.1:4782 is the Quasar builder's default C2 line (4782 is its default port) and is not a live indicator; the C2 hosts to act on are the two No-IP dynamic-DNS names karmina113.sytes.net and karmina200.sytes.net on TCP/2222. The tag "Office04", install name Client.exe, log directory Logs, reconnect delay 3000 ms and subdirectory SubDir are also builder defaults. The operator's customisations are the mutex prefix (VNM_ instead of the stock QSR_MUTEX_) and the startup key "svchost", which reappears as the task name in the schtasks commands in the process tree. The version string 2.1.0.0 does not match a public Quasar release, which together with the non-stock mutex prefix suggests a modified build; the encryption_key protects this build's embedded settings and identifies this particular build rather than the family.
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- resource: behavioral2/memory/4964-132-0x0000000000400000-0x000000000048C000-memory.dmp, yara_rule: disable_win_def

Quasar Payload (1 IoC)
- resource: behavioral2/memory/4964-132-0x0000000000400000-0x000000000048C000-memory.dmp, yara_rule: family_quasar

Both YARA hits are on the same memory region of PID 4964, the second instance of the sample that PID 3648 started, wrote into and then resumed (see SetThreadContext and WriteProcessMemory below). The on-disk file is a loader; the Quasar client exists only unpacked in that child's memory, which is why the static task has no family hit and the memory dump does.

suricata: ET MALWARE Common RAT Connectivity Check Observed (2 alerts)

Executes dropped EXE (2 IoCs)
- pid 688: Client.exe
- pid 3392: Client.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation, by the sample

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features, by the sample
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0", by the sample

Caveat: the sample is a 32-bit process, so its write to HKLM\SOFTWARE\Microsoft\Windows Defender\Features was redirected into the WOW6432Node view, while the Defender service reads the native 64-bit key; with Tamper Protection enabled the service also rejects changes to its own configuration keys. Treat this as an attempt to disable Tamper Protection, not as evidence that Defender was disabled. The later "powershell Get-MpPreference -verbose" in the process tree only reads the current Defender preferences.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 19: ip-api.com

Suspicious use of SetThreadContext (2 IoCs)
- PID 3648 (the sample) set thread context of 4964 (the sample), procid_target 81
- PID 688 (Client.exe) set thread context of 3392 (Client.exe), procid_target 89

In both cases a parent sets the thread context of a child launched from its own image after writing into it (WriteProcessMemory below): the process-hollowing pattern, performed once by the original file and again by the dropped copy.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature. For a Quasar RAT the drive enumeration is more consistent with the client's remote file manager than with ransomware, and nothing else in this report points to encryption activity.)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 1860: schtasks.exe
- pid 540: schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
- pid 2400: powershell.exe (2 events)
- pid 4964: the sample (7 events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, pid 3648 (the sample)
- Token: SeDebugPrivilege, pid 4964 (the sample)
- Token: SeDebugPrivilege, pid 688 (Client.exe)
- Token: SeDebugPrivilege, pid 2400 (powershell.exe)
- Token: SeDebugPrivilege, pid 3392 (Client.exe), 2 events

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3392: Client.exe
(Only the final, hollowed Client.exe instance installs a Windows hook, consistent with the unpacked Quasar client's keylogger, which uses a low-level keyboard hook.)

Suspicious use of WriteProcessMemory (34 IoCs)
Condensed from the per-event list; the count is the number of write events per source -> target pair, with the sandbox's procid_target in parentheses:
- 3648 (the sample) -> 4964 (the sample) (81): 8 events
- 4964 (the sample) -> 1860 (schtasks.exe) (84): 3 events
- 4964 (the sample) -> 688 (Client.exe) (86): 3 events
- 4964 (the sample) -> 2400 (powershell.exe) (87): 3 events
- 688 (Client.exe) -> 3392 (Client.exe) (89): 8 events
- 3392 (Client.exe) -> 540 (schtasks.exe) (91): 3 events
- 4964 (the sample) -> 3272 (cmd.exe) (106): 3 events
- 3272 (cmd.exe) -> 4908 (cmd.exe) (108): 3 events
The two eight-write pairs are the hollowing operations flagged under SetThreadContext. The three-write groups accompany ordinary child-process creation and are not by themselves evidence of injection.
Processes

- C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe (PID 3648)
  "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
  Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe (PID 4964, second instance of the sample, hollowed by PID 3648)
    "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
    Checks computer location settings; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1860)
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe" /rl HIGHEST /f
      Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 688)
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3392, hollowed by PID 688)
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (PID 540)
          "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          Creates scheduled task(s)
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2400)
      "powershell" Get-MpPreference -verbose
      Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 3272)
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 4908)
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*

Reading the tree: the loader (PID 3648) starts a second copy of itself and hollows it with the unpacked Quasar client (PID 4964). That client first registers an ONLOGON task named "svchost" (the config's startup_key) pointing at the file in Temp, run with /rl HIGHEST, then copies itself to the config's subdirectory and install name (C:\Users\Admin\AppData\Roaming\SubDir\Client.exe) and runs the copy (PID 688), which hollows itself in turn (PID 3392) and registers the same task name again with /f, now pointing at the Roaming copy. Because both creations use the same /tn and /f, the second overwrites the first, so the persistence that survives is a task "svchost" whose action is %APPDATA%\SubDir\Client.exe; that task plus the file are the host artefacts to hunt for, since a task name alone does not distinguish it from the legitimate svchost.exe in System32. The hollowed Roaming instance (PID 3392) is the one that installs the keyboard hook and talks to the C2. Finally the Temp instance reads the Defender preferences with Get-MpPreference and launches a two-stage cmd.exe that recursively deletes the whole of %TEMP% (the original dropper's directory). A running image cannot be deleted on Windows, so the sample itself may survive that wipe while unrelated temp files do not.
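The behaviours above (scheduled tasks named after a system binary but pointing into a user-writable directory, a process re-launching its own image for hollowing, the TamperProtection write, the C2 and ip-api.com lookups, and the %TEMP% wipe) translate directly into host-telemetry rules. The following Python is an added example, not Triage output and not Quasar code: it encodes those rules over Sysmon-style events (IDs 1, 13 and 22, using Sysmon's field names) and runs them over a handful of events constructed to mirror this report, plus one benign scheduled-task creation as a control. The SYSTEM_BINARY_NAMES watchlist and the user-writable path pattern are assumptions to tune per environment.

```python
# Sysmon-style detections for the behaviours in this report, run over constructed
# events (added example; the events mirror the sandbox observations, they are not its output).
import re
from collections import namedtuple
from typing import Iterable, Optional

C2_HOSTS = {"karmina113.sytes.net", "karmina200.sytes.net"}   # from the extracted config
IP_LOOKUP_HOSTS = {"ip-api.com"}                              # from the IP-lookup signature
# Assumed watchlist of system-binary names that malware borrows for task names.
SYSTEM_BINARY_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer"}

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
TAMPER_KEY = re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)
TEMP_GLOB = re.compile(r"(%temp%|\\appdata\\local\\temp)\\\*")

Hit = namedtuple("Hit", "rule pid detail")

def check_schtasks(ev: dict) -> Optional[Hit]:
    """EID 1: schtasks /create naming the task after a system binary, action in a user-writable dir."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cl = ev["CommandLine"]
    tn, tr = TN_RE.search(cl), TR_RE.search(cl)
    if "/create" not in cl.lower() or not (tn and tr):
        return None
    action = tr.group(1) or tr.group(2)
    if tn.group(1).lower() in SYSTEM_BINARY_NAMES and USER_WRITABLE.search(action):
        return Hit("schtasks_masquerade", ev["ProcessId"], f"{tn.group(1)} -> {action}")
    return None

def check_self_spawn(ev: dict) -> Optional[Hit]:
    """EID 1: a process starting a copy of its own image from a user-writable path (hollowing host)."""
    if ev.get("EventID") != 1:
        return None
    img = ev["Image"]
    if img.lower() == ev.get("ParentImage", "").lower() and USER_WRITABLE.search(img):
        return Hit("self_spawn_user_dir", ev["ProcessId"], img)
    return None

def check_tamper_protection(ev: dict) -> Optional[Hit]:
    """EID 13: TamperProtection written as 0 under the Defender Features key (any registry view)."""
    if ev.get("EventID") != 13 or not TAMPER_KEY.search(ev["TargetObject"]):
        return None
    m = DWORD_RE.search(ev.get("Details", ""))
    if m and int(m.group(1), 16) == 0:
        return Hit("defender_tamper_protection_off", ev["ProcessId"], ev["TargetObject"])
    return None

def check_dns(ev: dict) -> Optional[Hit]:
    """EID 22: query for a configured C2 host, or for the external-IP service."""
    if ev.get("EventID") != 22:
        return None
    q = ev["QueryName"].lower().rstrip(".")
    if q in C2_HOSTS:
        return Hit("quasar_c2_dns", ev["ProcessId"], q)
    return Hit("external_ip_lookup", ev["ProcessId"], q) if q in IP_LOOKUP_HOSTS else None

def check_temp_wipe(ev: dict) -> Optional[Hit]:
    """EID 1: cmd.exe recursively deleting %TEMP%, the cleanup step at the end of the tree."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\cmd.exe"):
        return None
    cl = ev["CommandLine"].lower()
    if re.search(r"\bdel\b", cl) and "/s" in cl and TEMP_GLOB.search(cl):
        return Hit("temp_dir_wipe", ev["ProcessId"], ev["CommandLine"])
    return None

RULES = (check_schtasks, check_self_spawn, check_tamper_protection, check_dns, check_temp_wipe)

def scan(events: Iterable[dict]) -> list:
    """Run every rule over every event and return the Hit tuples."""
    return [h for ev in events for h in (rule(ev) for rule in RULES) if h]

# Constructed events mirroring the process tree, the registry write and the DNS lookups.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4964, "Image": SAMPLE, "ParentImage": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1860, "Image": SCHTASKS, "ParentImage": SAMPLE,
     "CommandLine": f'"schtasks" /create /tn "svchost" /sc ONLOGON /tr "{SAMPLE}" /rl HIGHEST /f'},
    {"EventID": 1, "ProcessId": 3392, "Image": CLIENT, "ParentImage": CLIENT, "CommandLine": f'"{CLIENT}"'},
    {"EventID": 1, "ProcessId": 540, "Image": SCHTASKS, "ParentImage": CLIENT,
     "CommandLine": f'"schtasks" /create /tn "svchost" /sc ONLOGON /tr "{CLIENT}" /rl HIGHEST /f'},
    {"EventID": 1, "ProcessId": 999, "Image": r"C:\Windows\System32\schtasks.exe",  # benign control
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks /create /tn "VendorUpdate" /sc DAILY /tr "C:\Program Files\Vendor\update.exe" /f'},
    {"EventID": 13, "ProcessId": 4964, "Image": SAMPLE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventID": 22, "ProcessId": 3392, "Image": CLIENT, "QueryName": "karmina113.sytes.net"},
    {"EventID": 22, "ProcessId": 3392, "Image": CLIENT, "QueryName": "ip-api.com"},
    {"EventID": 1, "ProcessId": 3272, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit'},
]
```

Calling scan(SAMPLE_EVENTS) yields eight hits: the two "svchost" task creations (PIDs 1860 and 540), the two self-spawns that host the hollowing (PIDs 4964 and 3392), the TamperProtection write, the C2 and ip-api.com lookups, and the %TEMP% wipe, while the vendor task under Program Files produces nothing. The schtasks rule keys on the combination of a system-binary task name and a user-writable action path rather than on either alone, which is what keeps it quiet on legitimate tasks; the tamper rule matches on the key suffix so that the WOW6432Node-redirected write seen here is caught as well as a native one.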
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe.log
  Filesize: 425B
  MD5: 4eaca4566b22b01cd3bc115b9b0b2196
  SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
  SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
  SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
  This is the .NET runtime's usage log for the sample, written under CLR_v4.0_32, which confirms it is a 32-bit .NET 4 assembly and matches the SysWOW64 children in the process tree. The log's own hashes are not a useful indicator; its path is.

- Three further entries (paths not captured in this extract), each 664KB and hash-identical to the submitted sample:
  Filesize: 664KB
  MD5: 1f2f26a299287d8353502a9133df4cf1
  SHA1: ee40f71067f91d23841e2f2f2b178a153e0f4e07
  SHA256: d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726
  SHA512: 135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97
  The process tree shows the dropped copy executing from C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, so the installed Client.exe is a byte-identical copy of the original file and the hashes above cover both the submitted sample and the persistent copy.