Analysis
max time kernel: 43s
max time network: 75s
platform: windows7_x64
resource: win7-20220414-en
submitted: 01-07-2022 08:08
Static task: static1
Behavioral task: behavioral1
Sample: 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Resource: win7-20220414-en
General
Target: 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Size: 393KB
MD5: 6a2c2b021b25da0f433c1224a6aa7931
SHA1: a0548551a6f59901c1ad587815d31967e7bf00d8
SHA256: 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1
SHA512: 0d9b929159b5bc083b30aac612ed2553393bc5cdddc9f50dd5dfba6567ce658e8e67506b7e47ae125a107843846aa06bb4801a33cc06821332e2677000e557c8
Malware Config
Extracted
Family: quasar
Version: 1.4.0.0
Botnet: CEO
C2: don567678.ddns.net:1714
Mutex: 9norn25Q4wM4txx41r
encryption_key: ybVCqDzPNXriXCm0UUcE
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar Payload (7 IoCs)
Processes (resource | yara_rule):
behavioral1/memory/860-67-0x0000000004430000-0x000000000447E000-memory.dmp | family_quasar
behavioral1/memory/2000-72-0x0000000000400000-0x000000000044E000-memory.dmp | family_quasar
behavioral1/memory/2000-71-0x0000000000400000-0x000000000044E000-memory.dmp | family_quasar
behavioral1/memory/2000-73-0x0000000000400000-0x000000000044E000-memory.dmp | family_quasar
behavioral1/memory/2000-74-0x000000000044943E-mapping.dmp | family_quasar
behavioral1/memory/2000-76-0x0000000000400000-0x000000000044E000-memory.dmp | family_quasar
behavioral1/memory/2000-78-0x0000000000400000-0x000000000044E000-memory.dmp | family_quasar
RevengeRAT
Remote-access trojan with a wide range of capabilities.
suricata: ET MALWARE Common RAT Connectivity Check Observed
Drops startup file (1 IoCs)
Processes (description | ioc | process):
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icUZoz.url | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
1 | ip-api.com
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
PID 860 set thread context of 2000 | 860 | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe | RegAsm.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes (pid | pid_target | process | target process):
1860 | 2000 | WerFault.exe | RegAsm.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
860 | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
860 | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 860 | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Token: SeDebugPrivilege | 2000 | RegAsm.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
2000 | RegAsm.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes (description | pid | process | target process); identical rows are collapsed with their repeat count:
PID 860 wrote to memory of 1104 | 860 | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe | csc.exe (x4)
PID 1104 wrote to memory of 1732 | 1104 | csc.exe | cvtres.exe (x4)
PID 860 wrote to memory of 2000 | 860 | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe | RegAsm.exe (x12)
PID 2000 wrote to memory of 1632 | 2000 | RegAsm.exe | cmd.exe (x4)
PID 2000 wrote to memory of 1860 | 2000 | RegAsm.exe | WerFault.exe (x4)
PID 1632 wrote to memory of 1936 | 1632 | cmd.exe | chcp.com (x4)
PID 1632 wrote to memory of 1976 | 1632 | cmd.exe | PING.EXE (x4)
PID 1632 wrote to memory of 828 | 1632 | cmd.exe | RegAsm.exe (x7)
Processes (tree; the leading number is the nesting depth)

1 C:\Users\Admin\AppData\Local\Temp\3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  2 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.cmdline"
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES916.tmp" "c:\Users\Admin\AppData\Local\Temp\2orw4ft4\CSC3D37800F74614453A8DD2EE5CF1349.TMP"

  2 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\T2KQ7ChmZxcj.bat" "
      - Suspicious use of WriteProcessMemory

      4 C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001

      4 C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 10 localhost
        - Runs ping.exe

      4 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    3 C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1496
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.dll
Filesize: 16KB
MD5: e1815f9355e407fc1f55714ea7d21bfe
SHA1: f7ecee25d65bdf63840860fbdc6528de774c0640
SHA256: 082dca9f38c300fd84e9193c4f25e2e4eac78c151316f808bb7fe7a08a0ef62a
SHA512: bc30819ca9c40900bdf31ba3c8c343e9368ee07ed82f09481d8aaef2cee167ceff9fc48fbc0cb26644fc982174f9923df5a902bbdbd79a8adefc3cc628b34125

C:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.pdb
Filesize: 49KB
MD5: f0f3f36a897423c682f024e9f2c9784b
SHA1: 5d3006bc5bc3c39393548cef7d2a53ccde256566
SHA256: a4a65ffb4616fbf4926b21ccd69734c3a62b9ea61d250af140ae994cc267badb
SHA512: b46677d81de0920f4baf00c4c5817545e344247dd3a15d258addb04ace53293f5a91cdc823fab2d3bc261685ab5f48e345581e8977e88293090c5a920441198e

C:\Users\Admin\AppData\Local\Temp\RES916.tmp
Filesize: 1KB
MD5: 58bba69772a65747c708efc0076a25f9
SHA1: 5b09050449705bde6d9d20c972b4a71bf6830b09
SHA256: 0ea01a628cca22d300fc83ec3399a78a80fe022795778602df3025a84d3a9429
SHA512: a625c9e6a8a35034c4a22a8890334f0d4dff71f5431d274597300d47d3805cf1f92303df5ac0f5f6d9e1a6db7ca709a7823bed822ffc473b594288b3b5b251f1

C:\Users\Admin\AppData\Local\Temp\T2KQ7ChmZxcj.bat
Filesize: 215B
MD5: 52e5e66b36680c1aa7f328204ce8682b
SHA1: 9a2b30b26bea60423485f4fa797ad7253beecf39
SHA256: 93c89533c0168889e9c03e33788754d0601a291a1ed72c0d24c1520437d0fff3
SHA512: 0a7963f02aef7f18612674ce0d4a8849cea8f1f8bf94cb586aff207b2db68f8bad283ad4b6a9162cf18203b5b7007eda4181b6e7a1b62f3fce25d75cea510ee5

\??\c:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.0.cs
Filesize: 34KB
MD5: b056dc44506a4145e2642d5959ead5f2
SHA1: e67cd09700a8b7bcbecf006ed6aa90249aab765e
SHA256: a2d7d38fdaee967ae27b548db5eb709be0887cd1ebb31ff46ae6f58af681b38e
SHA512: 2ff69c3a0792207a2ebeaf00e41e8acd3a9b91d95082af1a20a5cb4594d22488ed71ef1163f822edecf8646999daa298b724be2cbf9c097b75f7b68f4f35b4e4

\??\c:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.cmdline
Filesize: 312B
MD5: f86a521bf81fd54019d0b458158f4198
SHA1: 6f85c8c112a48f31fbcb382f261ed7ce7ed34207
SHA256: 65a9ae8458d8dcc82fb69fe2ce36747ffad505d94d78c23858961c188f64f64f
SHA512: 3f7129e8c2b2a5218caa4dd2ddf78ea01571187fd235d4629a614becf28b1ef01865209027c8c6f6b50fb6ca642c84f52b161289b29c83de55904fb7ea7404c3

\??\c:\Users\Admin\AppData\Local\Temp\2orw4ft4\CSC3D37800F74614453A8DD2EE5CF1349.TMP
Filesize: 1KB
MD5: a4dbb7c1fea2f068d8280e7e996abfa4
SHA1: a819720ad3974382095d470ff531917311b89022
SHA256: c6abd4e7df9b8007292f5a6865eb46ce15d9ec0a1b146742898753822524129c
SHA512: dfc223b72f6c485f2c4a0a98c846b72bc5045672cc4b1f9eaeff3eabddc86fb50d6d64ab079fd3dcd02851d029d17273df2f80e2948771ea63bf60d17dc8c8b7
Memory dumps (path | Filesize):
memory/828-87-0x0000000000030000-0x0000000000042000-memory.dmp | 72KB
memory/828-85-0x0000000000000000-mapping.dmp
memory/860-54-0x00000000003E0000-0x0000000000448000-memory.dmp | 416KB
memory/860-64-0x0000000004340000-0x0000000004398000-memory.dmp | 352KB
memory/860-65-0x00000000003C0000-0x00000000003CC000-memory.dmp | 48KB
memory/860-66-0x0000000074C81000-0x0000000074C83000-memory.dmp | 8KB
memory/860-67-0x0000000004430000-0x000000000447E000-memory.dmp | 312KB
memory/860-63-0x0000000000290000-0x000000000029A000-memory.dmp | 40KB
memory/1104-55-0x0000000000000000-mapping.dmp
memory/1632-80-0x0000000000000000-mapping.dmp
memory/1732-58-0x0000000000000000-mapping.dmp
memory/1860-82-0x0000000000000000-mapping.dmp
memory/1936-83-0x0000000000000000-mapping.dmp
memory/1976-84-0x0000000000000000-mapping.dmp
memory/2000-69-0x0000000000400000-0x000000000044E000-memory.dmp | 312KB
memory/2000-78-0x0000000000400000-0x000000000044E000-memory.dmp | 312KB
memory/2000-76-0x0000000000400000-0x000000000044E000-memory.dmp | 312KB
memory/2000-74-0x000000000044943E-mapping.dmp
memory/2000-73-0x0000000000400000-0x000000000044E000-memory.dmp | 312KB
memory/2000-71-0x0000000000400000-0x000000000044E000-memory.dmp | 312KB
memory/2000-72-0x0000000000400000-0x000000000044E000-memory.dmp | 312KB
memory/2000-68-0x0000000000400000-0x000000000044E000-memory.dmp | 312KB