Analysis
max time kernel: 52s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 12-05-2022 11:55
Static task: static1
Behavioral task: behavioral1
Sample: fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe
Resource: win7-20220414-en
General
Target: fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe
Size: 757KB
MD5: 2957c39376a38df6aefaee72674c92af
SHA1: f32007bbb1c99bda6e4c97b4a695e87913fd87b1
SHA256: fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
SHA512: 8cecae621972be05ab9be0071689fcf29028f63b1519c4698d531bc754af7363f7bc21dbfb1d97e75914d884ecf4e1264ff20b2903f7b11c45dc88a77ec5dcbc
Malware Config
Extracted: quasar
encryption_key:
install_name:
log_directory:
reconnect_delay: 3000
startup_key:
subdirectory:
Only reconnect_delay carries a value in the report; the other extracted fields are shown blank.
Signatures

Contains code to disable Windows Defender (6 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource  yara_rule
behavioral1/memory/1160-63-0x0000000000400000-0x000000000048E000-memory.dmp  disable_win_def
behavioral1/memory/1160-64-0x0000000000400000-0x000000000048E000-memory.dmp  disable_win_def
behavioral1/memory/1160-65-0x0000000000400000-0x000000000048E000-memory.dmp  disable_win_def
behavioral1/memory/1160-66-0x0000000000488B8E-mapping.dmp  disable_win_def
behavioral1/memory/1160-68-0x0000000000400000-0x000000000048E000-memory.dmp  disable_win_def
behavioral1/memory/1160-70-0x0000000000400000-0x000000000048E000-memory.dmp  disable_win_def

Quasar Payload (6 IoCs)
resource  yara_rule
behavioral1/memory/1160-63-0x0000000000400000-0x000000000048E000-memory.dmp  family_quasar
behavioral1/memory/1160-64-0x0000000000400000-0x000000000048E000-memory.dmp  family_quasar
behavioral1/memory/1160-65-0x0000000000400000-0x000000000048E000-memory.dmp  family_quasar
behavioral1/memory/1160-66-0x0000000000488B8E-mapping.dmp  family_quasar
behavioral1/memory/1160-68-0x0000000000400000-0x000000000048E000-memory.dmp  family_quasar
behavioral1/memory/1160-70-0x0000000000400000-0x000000000048E000-memory.dmp  family_quasar
Both rule sets fire on the same six dumps of PID 1160 (RegAsm.exe), the image region 0x400000-0x48E000 and the mapping at 0x488B8E.

Adds Run key to start application (2 TTPs, 1 IoC)
Process: powershell.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\lxxgldt snybyasm = "C:\\Users\\Admin\\AppData\\Roaming\\fdfhhuxv ssqavqkxj\\chome_exe.exe"

Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 1472 set thread context of 1160  1472  fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe  28

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
1160  RegAsm.exe  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1160  RegAsm.exe
Token: SeDebugPrivilege  1812  powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid  Process
1160  RegAsm.exe  (2 identical entries)

Suspicious use of WriteProcessMemory (23 IoCs)
description  pid  Process  procid_target
PID 1472 wrote to memory of 1812  1472  fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe  26  (4 entries)
PID 1472 wrote to memory of 1160  1472  fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe  28  (12 entries)
PID 1160 wrote to memory of 928  1160  RegAsm.exe  29  (7 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe"
   PID: 1472
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'lxxgldt snybyasm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'lxxgldt snybyasm' -Value '"C:\Users\Admin\AppData\Roaming\fdfhhuxv ssqavqkxj\chome_exe.exe"' -PropertyType 'String'
      PID: 1812
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 1160
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\SysWOW64\cmstp.exe
         Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\wh4steqt.inf
         PID: 928
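The tree above, read together with the signatures, gives a three-step chain: the sample (PID 1472) spawns PowerShell to write the HKCU Run key pointing at a copy under AppData\Roaming, injects into an argument-less RegAsm.exe (PID 1160, the process whose memory carries the family_quasar and disable_win_def YARA hits) via WriteProcessMemory and SetThreadContext, and that RegAsm.exe launches cmstp.exe with an INF from C:\Windows\temp. The following detection logic is an added example, not the sandbox's signature code; it applies three rules to process-creation records transcribed from this report. The records are constructed here (the parent of PID 1472 is not shown in the report and is set to 0, and the \??\ NT prefix on cmstp's image path is dropped), and the rule names, severities and the USER_WRITABLE path pattern are this example's own choices.

```python
"""Detection rules for the chain in this report: PowerShell Run-key
persistence, RegAsm.exe started with no arguments by a parent in a
user-writable path, and cmstp.exe handed an INF from a temp directory.
Added example; the events below are transcribed from the report's tree."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path of the created process
    cmdline: str   # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PS_CMD = (r'''"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' '''
          r'''-Name 'lxxgldt snybyasm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' '''
          r'''-Name 'lxxgldt snybyasm' -Value '"C:\Users\Admin\AppData\Roaming\fdfhhuxv ssqavqkxj\chome_exe.exe"' '''
          r"""-PropertyType 'String'""")

# Constructed from the report's process tree (parent of 1472 unknown -> 0;
# cmstp image path given without the \??\ prefix the sandbox logged).
SAMPLE_EVENTS = [
    ProcEvent(1472, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1812, 1472, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(1160, 1472, REGASM, f'"{REGASM}"'),
    ProcEvent(928, 1160, r"C:\Windows\SysWOW64\cmstp.exe",
              r'"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\wh4steqt.inf'),
]

# Paths a standard user can write to; an assumption of this example.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"CurrentVersion\\Run\b", re.I)
PS_SET_VALUE = re.compile(r"\b(?:New|Set)-ItemProperty\b", re.I)
PS_VALUE_ARG = re.compile(r"""-Value\s+'"?([^'"]+)""", re.I)
INF_ARG = re.compile(r"\s(\S+\.inf)\b", re.I)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def rule_run_key_via_powershell(ev, by_pid):
    """T1547.001: PowerShell writing a value under the HKCU Run key.
    Severity rises when the value points into a user-writable directory."""
    if basename(ev.image) != "powershell.exe":
        return None
    if not (RUN_KEY.search(ev.cmdline) and PS_SET_VALUE.search(ev.cmdline)):
        return None
    m = PS_VALUE_ARG.search(ev.cmdline)
    target = m.group(1) if m else ""
    sev = "high" if USER_WRITABLE.search(target) else "medium"
    return ("run_key_via_powershell", sev, target)


def rule_regasm_no_args(ev, by_pid):
    """RegAsm.exe normally takes an assembly path. Started with no arguments
    by a parent living in a user-writable path, it matches the hollowing
    pattern behind the SetThreadContext/WriteProcessMemory signatures."""
    if basename(ev.image) != "regasm.exe":
        return None
    parent = by_pid.get(ev.ppid)
    no_args = ev.cmdline.strip().strip('"').lower() == ev.image.lower()
    if no_args and parent and USER_WRITABLE.search(parent.image):
        return ("regasm_no_args_from_user_writable_parent", "high", parent.image)
    return None


def rule_cmstp_inf(ev, by_pid):
    """T1218.003: cmstp.exe given an INF file from a user-writable location."""
    if basename(ev.image) != "cmstp.exe":
        return None
    m = INF_ARG.search(ev.cmdline)
    if not m:
        return None
    inf = m.group(1)
    sev = "high" if USER_WRITABLE.search(inf) else "medium"
    return ("cmstp_inf_execution", sev, inf)


RULES = (rule_run_key_via_powershell, rule_regasm_no_args, rule_cmstp_inf)


def run_rules(events):
    """Return (pid, rule, severity, detail) for every rule that fires."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, by_pid)
            if hit:
                hits.append((ev.pid, *hit))
    return hits


if __name__ == "__main__":
    for pid, rule, sev, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid}: {rule} ({detail})")
```

Run against the transcribed events, all three rules fire at high severity: the Run key value lands under AppData\Roaming, RegAsm.exe's parent is the Temp-resident sample, and the INF lives in C:\Windows\temp. The parent-path check in the RegAsm rule is what keeps a developer's legitimate RegAsm.exe invocation (which carries an assembly argument and is usually spawned from a build tool) out of the results.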
Network
MITRE ATT&CK Enterprise v6
Downloads

File (name not shown in the report)
Filesize: 606B
MD5: ff2f17302139038f59548fe0ea4f97dc
SHA1: 05e3a84df2168c94fad69d805ee5ef09582d3cad
SHA256: d109ea62e699ba48155b6b52e1a2f14f65dd88fb90d7cb7ae8976baeac358be4
SHA512: 83f897f1b35de84aed7b06674fcb67b27575474bf627bbcd48ee87805e6a492faa0df4741e11372cc567bfa6a38150983d75a907bd1296bdceb0e1b85144124f