Analysis
- max time kernel: 48s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-05-2022 23:17
Static task: static1
Behavioral task: behavioral1
- Sample: e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
- Resource: win7-20220414-en
General
- Target: e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
- Size: 488KB
- MD5: 0f9120aa260daa1849a56062f8b6a492
- SHA1: a56e35f6cc5424936a56827d307253c56a937a0e
- SHA256: e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215
- SHA512: ae52b328521f6a550951ac0c53745034f985230dcd850d0881079d1a2f50b865c30e646271dd4230f3d07db34bf6515b434bcf0f085f8e703533ae14180f81dc
Malware Config
Extracted
Family: quasar
- encryption_key: (not extracted)
- install_name: (not extracted)
- log_directory: (not extracted)
- reconnect_delay: 3000
- startup_key: (not extracted)
- subdirectory: (not extracted)
Signatures
- Contains code to disable Windows Defender (4 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1032-56-0x0000000000400000-0x00000000004A9000-memory.dmp   disable_win_def
  behavioral1/memory/1032-58-0x0000000000400000-0x00000000004A9000-memory.dmp   disable_win_def
  behavioral1/memory/1032-66-0x0000000000400000-0x00000000004A9000-memory.dmp   disable_win_def
  behavioral1/memory/1032-67-0x0000000000400000-0x00000000004A9000-memory.dmp   disable_win_def
- Quasar Payload (4 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1032-56-0x0000000000400000-0x00000000004A9000-memory.dmp   family_quasar
  behavioral1/memory/1032-58-0x0000000000400000-0x00000000004A9000-memory.dmp   family_quasar
  behavioral1/memory/1032-66-0x0000000000400000-0x00000000004A9000-memory.dmp   family_quasar
  behavioral1/memory/1032-67-0x0000000000400000-0x00000000004A9000-memory.dmp   family_quasar
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid    Process
  1032   e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid    Process
  1032   e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
  (64 rows in the original report, all identical to the one above: pid 1032, the sample executable)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid    Process
  Token: SeDebugPrivilege   1032   e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid    Process
  1032   e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
  1032   e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                          pid    Process                                                                 procid_target
  PID 1032 wrote to memory of 1700     1032   e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe   28
  (7 rows in the original report, all identical to the one above)
Processes
- C:\Users\Admin\AppData\Local\Temp\e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215.exe"
  PID: 1032
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: \??\c:\windows\SysWOW64\cmstp.exe
    Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\tfgbtn2x.inf
    PID: 1700
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 606B
  MD5: 8a21ec65169635cc1e9b452bd7b0748c
  SHA1: 621f953814059aa8321d61533fc25597f4b0508b
  SHA256: 4e06e3d87c60b96da7cc976769fb7b1d2e7ff363eb91ad246ace0b0e3c15bd07
  SHA512: d197f06706ad5be01284479478e23ed745b6eac2b9a6feaf0e414ac1e66f9d909473d07c1ca6615dac4c7b211013e371e8c2b64e5e939a8f4b4af7ba453f2ecc