Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:28
Static task: static1
Behavioral task: behavioral1
- Sample: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Resource: win7-20220414-en
General
- Target: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Size: 2.2MB
- MD5: faa3ca0d0141f9fe88188504bc3bac89
- SHA1: edd03d0de17de2caef384daf792118cfdefc0fa8
- SHA256: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db
- SHA512: b5693333a3ae10dbf5707927d85ea8e96fbd668b822bd9a337b13df374957720db9c03e4d801d75244902f29a6bbb7dc882647f45fcd5ccf8d8d496307b85922
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- AlekFudd
- C2: 52.188.202.106:8888
- 9QxkaRC5yCiT4nYveU
- encryption_key: p22ObTAqvAaz7xZDWYTK
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Malwarebytes Corp.
- subdirectory: SubDir
Signatures
-
Quasar Payload 7 IoCs
Processes:
resource | yara_rule
- behavioral1/memory/1068-56-0x00000000011F0000-0x00000000017DA000-memory.dmp | family_quasar
- behavioral1/memory/1068-57-0x00000000011F0000-0x00000000017DA000-memory.dmp | family_quasar
- behavioral1/memory/1668-63-0x00000000011F0000-0x00000000017DA000-memory.dmp | family_quasar
- behavioral1/memory/1668-64-0x00000000011F0000-0x00000000017DA000-memory.dmp | family_quasar
- behavioral1/memory/1736-67-0x00000000011F0000-0x00000000017DA000-memory.dmp | family_quasar
- behavioral1/memory/1736-68-0x00000000011F0000-0x00000000017DA000-memory.dmp | family_quasar
- behavioral1/memory/1736-69-0x0000000076F70000-0x00000000770F0000-memory.dmp | family_quasar
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe (three instances)
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe (three instances)
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Corp. = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe\"" | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
- 1 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe (three instances)
pid | process
- 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- 1668 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- 1736 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (two instances)
pid | process
- 2036 | schtasks.exe
- 1108 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe (three instances)
pid | process
- 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- 1668 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- 1736 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
description | pid | process
- Token: SeDebugPrivilege | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe, taskeng.exe
description | pid | process | target process
- PID 1068 wrote to memory of 2036 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 1068 wrote to memory of 2036 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 1068 wrote to memory of 2036 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 1068 wrote to memory of 2036 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 1068 wrote to memory of 1108 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 1068 wrote to memory of 1108 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 1068 wrote to memory of 1108 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 1068 wrote to memory of 1108 | 1068 | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe | schtasks.exe
- PID 876 wrote to memory of 1668 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- PID 876 wrote to memory of 1668 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- PID 876 wrote to memory of 1668 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- PID 876 wrote to memory of 1668 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- PID 876 wrote to memory of 1736 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- PID 876 wrote to memory of 1736 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- PID 876 wrote to memory of 1736 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
- PID 876 wrote to memory of 1736 | 876 | taskeng.exe | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "schtasks" /create /tn "Malwarebytes Corp." /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe" /sc MINUTE /MO 1
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {28ACA247-0FB0-4780-B073-50B58965687B} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1068-55-0x0000000076F70000-0x00000000770F0000-memory.dmp (Filesize 1.5MB)
- memory/1068-56-0x00000000011F0000-0x00000000017DA000-memory.dmp (Filesize 5.9MB)
- memory/1068-57-0x00000000011F0000-0x00000000017DA000-memory.dmp (Filesize 5.9MB)
- memory/1068-54-0x00000000752B1000-0x00000000752B3000-memory.dmp (Filesize 8KB)
- memory/1108-59-0x0000000000000000-mapping.dmp
- memory/1668-60-0x0000000000000000-mapping.dmp
- memory/1668-62-0x0000000076F70000-0x00000000770F0000-memory.dmp (Filesize 1.5MB)
- memory/1668-63-0x00000000011F0000-0x00000000017DA000-memory.dmp (Filesize 5.9MB)
- memory/1668-64-0x00000000011F0000-0x00000000017DA000-memory.dmp (Filesize 5.9MB)
- memory/1736-65-0x0000000000000000-mapping.dmp
- memory/1736-67-0x00000000011F0000-0x00000000017DA000-memory.dmp (Filesize 5.9MB)
- memory/1736-68-0x00000000011F0000-0x00000000017DA000-memory.dmp (Filesize 5.9MB)
- memory/1736-69-0x0000000076F70000-0x00000000770F0000-memory.dmp (Filesize 1.5MB)
- memory/2036-58-0x0000000000000000-mapping.dmp