Analysis
max time kernel: 44s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-05-2022 02:14

Static task: static1
Behavioral task: behavioral1
Sample: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe
Resource: win7-20220414-en
General
Target: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe
Size: 628KB
MD5: 2ca449f58a5f5c95541640a52e611180
SHA1: 3159a573bf68b83c2f19c9d0c738f8995a8d9147
SHA256: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a
SHA512: 9674de07081da790be80096e7075dc69defcd6fc3fbc8688eb745087111c84afc8917034d4d07c7aa86583833d4f43e98d5a127d08f2dbce273431308b65c091
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2:
- 118.208.43.110:9991
- 118.208.43.110:9992
- 118.208.43.110:9993
- 118.208.43.110:9994
- 118.208.43.110:9995
- 118.208.43.110:10000
- 118.208.43.110:9000
Mutex: QSR_MUTEX_wm8imRtp10eDcwBwM1
encryption_key: CLr3aJXqYhM5uP8HVkUg
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar Payload (6 IoCs)
Processes:
- resource: behavioral1/memory/1212-66-0x0000000000400000-0x0000000000482000-memory.dmp, yara_rule: family_quasar
- resource: behavioral1/memory/1212-68-0x0000000000400000-0x0000000000482000-memory.dmp, yara_rule: family_quasar
- resource: behavioral1/memory/1212-69-0x0000000000400000-0x0000000000482000-memory.dmp, yara_rule: family_quasar
- resource: behavioral1/memory/1212-70-0x00000000004582DE-mapping.dmp, yara_rule: family_quasar
- resource: behavioral1/memory/1212-72-0x0000000000400000-0x0000000000482000-memory.dmp, yara_rule: family_quasar
- resource: behavioral1/memory/1212-74-0x0000000000400000-0x0000000000482000-memory.dmp, yara_rule: family_quasar

suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed

Looks for VirtualBox Guest Additions in registry (2 TTPs)

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
- resource: behavioral1/memory/892-57-0x00000000051F0000-0x000000000527A000-memory.dmp, yara_rule: rezer0

Executes dropped EXE (1 IoC)
Processes:
- pid 2040: Client.exe

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Loads dropped DLL (1 IoC)
Processes:
- pid 1212: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe
Windows security modification
Processes (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 1: ip-api.com

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 892 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe) set thread context of 1212 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 1788: powershell.exe
- pid 892: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1788 (powershell.exe)
- Token: SeDebugPrivilege, pid 892 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe)
- Token: SeDebugPrivilege, pid 1212 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe)

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
- PID 892 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe) wrote to memory of 1788 (powershell.exe): 4 entries
- PID 892 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe) wrote to memory of 1760 (schtasks.exe): 4 entries
- PID 892 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe) wrote to memory of 1212 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe): 9 entries
- PID 1212 (3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe) wrote to memory of 2040 (Client.exe): 4 entries
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe"
  - Checks BIOS information in registry
  - Windows security modification
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XBTsEUzeb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31DB.tmp"
    - Creates scheduled task(s)

  [depth 2] C:\Users\Admin\AppData\Local\Temp\3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe
    Command line: "{path}"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp31DB.tmp
Filesize: 1KB
MD5: 6fd68b64fb59384d47ad4abb256ee322
SHA1: d2b2ce161745a428d1f03faad17765ffcb2b1ac1
SHA256: e05e58c61e98fe8c19ee51378fc744a1e61ba4edead5aaa64de853bef52b2bba
SHA512: c28f4ba78fce7be18edb419fe92e96bbe102070fd3344a1a87b08e8ecb984862be31d9a9642bbdbb4e28cc78f72b16d95ca33705d6757bee48d955493725b59f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
(also recorded as \Users\Admin\AppData\Roaming\SubDir\Client.exe)
Filesize: 628KB
MD5: 2ca449f58a5f5c95541640a52e611180
SHA1: 3159a573bf68b83c2f19c9d0c738f8995a8d9147
SHA256: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a
SHA512: 9674de07081da790be80096e7075dc69defcd6fc3fbc8688eb745087111c84afc8917034d4d07c7aa86583833d4f43e98d5a127d08f2dbce273431308b65c091

memory/892-54-0x00000000008A0000-0x0000000000944000-memory.dmp: 656KB
memory/892-55-0x0000000075441000-0x0000000075443000-memory.dmp: 8KB
memory/892-56-0x0000000000370000-0x000000000037E000-memory.dmp: 56KB
memory/892-57-0x00000000051F0000-0x000000000527A000-memory.dmp: 552KB
memory/1212-74-0x0000000000400000-0x0000000000482000-memory.dmp: 520KB
memory/1212-64-0x0000000000400000-0x0000000000482000-memory.dmp: 520KB
memory/1212-66-0x0000000000400000-0x0000000000482000-memory.dmp: 520KB
memory/1212-68-0x0000000000400000-0x0000000000482000-memory.dmp: 520KB
memory/1212-69-0x0000000000400000-0x0000000000482000-memory.dmp: 520KB
memory/1212-70-0x00000000004582DE-mapping.dmp
memory/1212-72-0x0000000000400000-0x0000000000482000-memory.dmp: 520KB
memory/1212-63-0x0000000000400000-0x0000000000482000-memory.dmp: 520KB
memory/1760-61-0x0000000000000000-mapping.dmp
memory/1788-60-0x000000006E8D0000-0x000000006EE7B000-memory.dmp: 5.7MB
memory/1788-58-0x0000000000000000-mapping.dmp
memory/2040-77-0x0000000000000000-mapping.dmp
memory/2040-80-0x00000000003E0000-0x0000000000484000-memory.dmp: 656KB