Analysis
  Max time kernel:  98s
  Max time network: 196s
  Platform:         windows7_x64
  Resource:         win7-20220414-en
  Submitted:        20-05-2022 04:53

Behavioral task: behavioral1
  Sample:   0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
  Resource: win7-20220414-en

General
  Target: 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
  Size:   348KB
  MD5:    be1958cb2bbcde1fa0ebbdc73a579fff
  SHA1:   d91235298ccc73a1712407db6ff7b83225e66c82
  SHA256: 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
  SHA512: e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f
Malware Config (extracted)
  Family:  quasar
  Version: 1.3.0.0
  Tag:     INFECTED
  C2:      mpapwpodllalw:4787
  Mutex:   QSR_MUTEX_ZHiYRTyEwnDVythpPG
  Attributes:
    encryption_key:  JJ24c9vhc2iN2AuqTdrZ
    install_name:    lclsrv.exe
    log_directory:   Logs
    reconnect_delay: 1000
    startup_key:     Microsoft SMB Filter 2.0
    subdirectory:    Windows
Signatures

Quasar Payload (11 IoCs)
  YARA rule family_quasar matched on:
  - behavioral1/memory/964-54-0x0000000000D20000-0x0000000000D7E000-memory.dmp
  - behavioral1/memory/1164-61-0x0000000000260000-0x00000000002BE000-memory.dmp
  - C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe (3 hits)
  - \Users\Admin\AppData\Roaming\Windows\lclsrv.exe (6 hits)

Quasar RAT
  Processes: schtasks.exe (PID 1704)
  Flows: 2 ip-api.com; 6 api.ipify.org

suricata: ET MALWARE Common RAT Connectivity Check Observed

suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
Executes dropped EXE (2 IoCs)
  Processes: lclsrv.exe (PID 1164); lclsrv.exe (PID 436)

Loads dropped DLL (6 IoCs)
  Processes: 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe (PID 964, 1 event); WerFault.exe (PID 1380, 5 events)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft SMB Filter 2.0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe\""

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 2 ip-api.com; 6 api.ipify.org

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  Process: WerFault.exe (PID 1380); target: lclsrv.exe (PID 1164)

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe (PID 964); lclsrv.exe (PID 1164)

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: lclsrv.exe (PID 1164)

Suspicious use of WriteProcessMemory (32 IoCs)
  Each source -> target pair below was recorded four times:
  - 964 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe -> 1704 schtasks.exe
  - 964 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe -> 1164 lclsrv.exe
  - 1164 lclsrv.exe -> 584 schtasks.exe
  - 1164 lclsrv.exe -> 1280 cmd.exe
  - 1280 cmd.exe -> 1112 chcp.com
  - 1164 lclsrv.exe -> 1380 WerFault.exe
  - 1280 cmd.exe -> 1264 PING.EXE
  - 1280 cmd.exe -> 436 lclsrv.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe (PID 964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1704)
    Command line: "schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe" /rl HIGHEST /f
    Signatures: Quasar RAT; Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe (PID 1164)
    Command line: "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 584)
      Command line: "schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 1280)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oG177jQhFjkx.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 1112)
        Command line: chcp 65001
      - C:\Windows\SysWOW64\PING.EXE (PID 1264)
        Command line: ping -n 10 localhost
        Signatures: Runs ping.exe
      - C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe (PID 436)
        Command line: "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 1380)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1488
      Signatures: Loads dropped DLL; Program crash
Downloads
- C:\Users\Admin\AppData\Local\Temp\oG177jQhFjkx.bat
  Filesize: 208B
  MD5:    2795bdd1f8721a1e403c935297702bbd
  SHA1:   df8a2a8cac4246b963605ab69b4e30aedbd22149
  SHA256: 4c699dc2033d735895852eaf1538fa5adb9e4ba39bfe322bef1593296b1a565f
  SHA512: 49e765b215061c412d796496e9d39a08722eea2e96188ad10c7b828ca0f9438cb529879cfdee58a3ec0065d591178d70cfc21cd4c5c525e6c55f6564751ce38c
- C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
  (listed nine times in the report, as C:\Users\... and \Users\..., all with identical hashes; the hashes match the submitted sample)
  Filesize: 348KB
  MD5:    be1958cb2bbcde1fa0ebbdc73a579fff
  SHA1:   d91235298ccc73a1712407db6ff7b83225e66c82
  SHA256: 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
  SHA512: e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f
Memory dumps
- memory/436-74-0x0000000000000000-mapping.dmp
- memory/584-63-0x0000000000000000-mapping.dmp
- memory/964-54-0x0000000000D20000-0x0000000000D7E000-memory.dmp (376KB)
- memory/964-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (8KB)
- memory/1112-66-0x0000000000000000-mapping.dmp
- memory/1164-61-0x0000000000260000-0x00000000002BE000-memory.dmp (376KB)
- memory/1164-58-0x0000000000000000-mapping.dmp
- memory/1264-72-0x0000000000000000-mapping.dmp
- memory/1280-64-0x0000000000000000-mapping.dmp
- memory/1380-67-0x0000000000000000-mapping.dmp
- memory/1704-56-0x0000000000000000-mapping.dmp