Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 16:25

Behavioral task: behavioral1
Sample: 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe
Resource: win7-20220414-en
General
- Target: 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe
- Size: 348KB
- MD5: 6e5fef5da8810aa3fffad5a486c68cf3
- SHA1: 70f6507e9b2644fbcb75c78c6660dbdca4da5ef0
- SHA256: 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa
- SHA512: 94dec0822aef151ec843732e9f13d550c59bb4575f8fff7822f5c2bf4d36854dc0c4061dbbcd6c2377aaac77ad86aa48092515fdc7388148e76db96f8417d027
Malware Config
Extracted: quasar
- version: 1.1.0.0
- System
- c2: 82.202.167.203:4444
- mutex: xTSR_MUTEX_JOBXsgj4pMGMmIDVNc
- encryption_key: eu7tm2CUeFG5FGwJlQkW
- install_name: core.exe
- log_directory: logs
- reconnect_delay: 3000
- startup_key: System Core
- subdirectory: system
Signatures
- Quasar Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4028-130-0x0000000000580000-0x00000000005DE000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\system\core.exe | family_quasar
  C:\Users\Admin\AppData\Roaming\system\core.exe | family_quasar
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4260 | core.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  8 | ip-api.com
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  4944 | schtasks.exe
  4956 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4028 | 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe
  Token: SeDebugPrivilege | 4260 | core.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  4260 | core.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4028 wrote to memory of 4944 | 4028 | 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe | schtasks.exe
  PID 4028 wrote to memory of 4944 | 4028 | 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe | schtasks.exe
  PID 4028 wrote to memory of 4944 | 4028 | 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe | schtasks.exe
  PID 4028 wrote to memory of 4260 | 4028 | 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe | core.exe
  PID 4028 wrote to memory of 4260 | 4028 | 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe | core.exe
  PID 4028 wrote to memory of 4260 | 4028 | 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe | core.exe
  PID 4260 wrote to memory of 4956 | 4260 | core.exe | schtasks.exe
  PID 4260 wrote to memory of 4956 | 4260 | core.exe | schtasks.exe
  PID 4260 wrote to memory of 4956 | 4260 | core.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "System Core" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\system\core.exe
    Command line: "C:\Users\Admin\AppData\Roaming\system\core.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "System Core" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\core.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\system\core.exe
  Filesize: 348KB
  MD5: 6e5fef5da8810aa3fffad5a486c68cf3
  SHA1: 70f6507e9b2644fbcb75c78c6660dbdca4da5ef0
  SHA256: 4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa
  SHA512: 94dec0822aef151ec843732e9f13d550c59bb4575f8fff7822f5c2bf4d36854dc0c4061dbbcd6c2377aaac77ad86aa48092515fdc7388148e76db96f8417d027
- memory/4028-130-0x0000000000580000-0x00000000005DE000-memory.dmp (Filesize: 376KB)
- memory/4028-131-0x0000000005620000-0x0000000005BC4000-memory.dmp (Filesize: 5.6MB)
- memory/4028-132-0x0000000004FA0000-0x0000000005032000-memory.dmp (Filesize: 584KB)
- memory/4028-133-0x0000000005170000-0x00000000051D6000-memory.dmp (Filesize: 408KB)
- memory/4028-134-0x0000000005DD0000-0x0000000005DE2000-memory.dmp (Filesize: 72KB)
- memory/4028-135-0x00000000063F0000-0x000000000642C000-memory.dmp (Filesize: 240KB)
- memory/4260-137-0x0000000000000000-mapping.dmp
- memory/4260-141-0x0000000007150000-0x000000000715A000-memory.dmp (Filesize: 40KB)
- memory/4944-136-0x0000000000000000-mapping.dmp
- memory/4956-140-0x0000000000000000-mapping.dmp