Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-05-2022 00:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
- Resource: win7-20220414-en
General
- Target: 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
- Size: 1.3MB
- MD5: 289b643e1a46d2b8de76323db780b6cf
- SHA1: ef7ff8a8a634319e57043a35a9c3a9aa062f8a93
- SHA256: 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6
- SHA512: 6353d2a666d5b99d9e6e22cbe9fafb4a0640ade812c3c613bde47ceea612eefc5ef835051b88163edad7a8a49b861ee8847f5a663a9b1049b5578293ccb74a04
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- Botnet: Office
- C2: 46.249.59.99:111
- Mutex: mz2wiNFAWq1HjJ2fUn
- encryption_key: 8DIs0SbdWcImnvHm2I9I
- install_name: csrss.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: NET framework
- subdirectory: SubDir
Signatures
- Quasar Payload (2 IoCs)
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/1528-137-0x0000000000000000-mapping.dmp                      family_quasar
    behavioral2/memory/1528-138-0x0000000000400000-0x000000000044E000-memory.dmp    family_quasar
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- Drops startup file (1 IoC)
  Processes: powershell.exe
    description   ioc                                                                                  process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aa1.url  powershell.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    10    ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
    description                          pid   process         target process
    PID 2644 set thread context of 1528  2644  powershell.exe  RegAsm.exe
- NTFS ADS (1 IoC)
  Processes: 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    description                   ioc                                                                                                 process
    File opened for modification  C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\default:StdRegProv  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
    pid   process
    2644  powershell.exe
    2644  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, RegAsm.exe
    description              pid   process
    Token: SeDebugPrivilege  2644  powershell.exe
    Token: SeDebugPrivilege  1528  RegAsm.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    pid   process
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    pid   process
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
    3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe, powershell.exe
    description                      pid   process                                                                  target process
    PID 3560 wrote to memory of 2644  3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe  powershell.exe
    PID 3560 wrote to memory of 2644  3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe  powershell.exe
    PID 3560 wrote to memory of 2644  3560  5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe  powershell.exe
    PID 2644 wrote to memory of 1492  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1492  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1492  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 4152  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 4152  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 4152  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
    PID 2644 wrote to memory of 1528  2644  powershell.exe                                                         RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe"
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: powershell [System.Threading.Thread]::GetDomain().Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\yVP').GetValue('GJW'));[Rkb]::eEyo('C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe', 'QTEO', '5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe')
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken
Downloads
  file                                                                Filesize
  memory/1528-137-0x0000000000000000-mapping.dmp                      -
  memory/1528-143-0x0000000006670000-0x000000000667A000-memory.dmp    40KB
  memory/1528-142-0x00000000064B0000-0x00000000064EC000-memory.dmp    240KB
  memory/1528-141-0x0000000006090000-0x00000000060A2000-memory.dmp    72KB
  memory/1528-140-0x00000000052B0000-0x0000000005342000-memory.dmp    584KB
  memory/1528-139-0x00000000057C0000-0x0000000005D64000-memory.dmp    5.6MB
  memory/1528-138-0x0000000000400000-0x000000000044E000-memory.dmp    312KB
  memory/2644-133-0x0000000005100000-0x0000000005122000-memory.dmp    136KB
  memory/2644-136-0x00000000060A0000-0x00000000060BE000-memory.dmp    120KB
  memory/2644-135-0x0000000005A40000-0x0000000005AA6000-memory.dmp    408KB
  memory/2644-134-0x00000000059D0000-0x0000000005A36000-memory.dmp    408KB
  memory/2644-130-0x0000000000000000-mapping.dmp                      -
  memory/2644-132-0x00000000051F0000-0x0000000005818000-memory.dmp    6.2MB
  memory/2644-131-0x0000000002780000-0x00000000027B6000-memory.dmp    216KB