Analysis
  max time kernel: 131s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20220721-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-07-2022 00:13
Behavioral task: behavioral1
  Sample: 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
  Resource: win7-20220718-en
General
  Target: 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
  Size: 1.6MB
  MD5: 2c5dcf7821c1098be0c0fb0b9111b112
  SHA1: 0d034ed0671d6f90b3be6f92fc010ae533bdcd05
  SHA256: 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
  SHA512: 5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b
Malware Config

Extracted: quasar
  version: 1.3.0.0
  botnet: Mine New
  c2: manuel3.publicvm.com:1022
  mutex: QSR_MUTEX_z2tvmEKtJhCWkEoFqb
  encryption_key: lzO7ipRSIXeoGW0A0XSN
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Extracted: netwire
  c2: manuel3.publicvm.com:3366
  activex_autorun: false
  copy_executable: true
  delete_original: false
  host_id: HostId-%Rand%
  install_path: %AppData%\Install\Host.exe
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  mutex: KosdgdKb
  offline_keylogger: true
  password: Password
  registry_autorun: false
  use_mutex: true
Signatures

NetWire RAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2380-133-0x0000000000A10000-0x0000000000A3C000-memory.dmp  netwire
  behavioral2/memory/2380-143-0x0000000000A10000-0x0000000000A3C000-memory.dmp  netwire
  behavioral2/memory/656-153-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral2/memory/656-164-0x0000000000400000-0x000000000042C000-memory.dmp   netwire

Quasar payload (7 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe               family_quasar
  C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe               family_quasar
  C:\Users\Admin\AppData\Roaming\Install\Host.exe                               family_quasar
  C:\Users\Admin\AppData\Roaming\Install\Host.exe                               family_quasar
  behavioral2/memory/4504-147-0x00000000003C0000-0x000000000041E000-memory.dmp  family_quasar
  C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe               family_quasar
  C:\Users\Admin\AppData\Roaming\Install\Host.exe                               family_quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
Executes dropped EXE (4 IoCs)
  pid   process
  4504  Client-built New Mine Quasar.exe
  2668  Host.exe
  2536  Client-built New Mine Quasar.exe
  656   Host.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation  Host.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  10    ip-api.com

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                         yara_rule
  C:\Users\Admin\AppData\Roaming\Install\Host.exe  autoit_exe
  C:\Users\Admin\AppData\Roaming\Install\Host.exe  autoit_exe
  C:\Users\Admin\AppData\Roaming\Install\Host.exe  autoit_exe

Suspicious use of SetThreadContext (2 IoCs)
  description                             pid   process                                                                target process
  PID 1588 set thread context of 2380     1588  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
  PID 2668 set thread context of 656      2668  Host.exe                                                               Host.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2668  Host.exe
  2668  Host.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   4504  Client-built New Mine Quasar.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  4504  Client-built New Mine Quasar.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                          count  pid   process                                                                target process
  PID 1588 wrote to memory of 4504     3      1588  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe  Client-built New Mine Quasar.exe
  PID 1588 wrote to memory of 2380     5      1588  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
  PID 2380 wrote to memory of 2668     3      2380  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe  Host.exe
  PID 2668 wrote to memory of 2536     3      2668  Host.exe                                                               Client-built New Mine Quasar.exe
  PID 2668 wrote to memory of 656      5      2668  Host.exe                                                               Host.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
      command line: "C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe
         command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
            command line: "C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe"
            - Executes dropped EXE

         4. C:\Users\Admin\AppData\Roaming\Install\Host.exe
            command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe  (listed 3 times in the report)
    Filesize: 349KB
    MD5: dc1f074b41b4aa0ae4c5d1341a653299
    SHA1: 7ab804dbe6492e37fa880d12fc1102fead2faffb
    SHA256: bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0
    SHA512: fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

  C:\Users\Admin\AppData\Roaming\Install\Host.exe  (listed 3 times in the report; hashes identical to the submitted sample)
    Filesize: 1.6MB
    MD5: 2c5dcf7821c1098be0c0fb0b9111b112
    SHA1: 0d034ed0671d6f90b3be6f92fc010ae533bdcd05
    SHA256: 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
    SHA512: 5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b

  C:\Users\Admin\AppData\Roaming\server 2019.exe
    Filesize: 172KB
    MD5: 3146f4dd38096e1fe25844d859098f7b
    SHA1: aa3f3cb481100feac6128288c30539d5dba4477c
    SHA256: feef025eaebb31b58e46d7d0e8db5f0e0352f26bb210874a540b514545940365
    SHA512: 092f8a7b24b2c723b9d933de5ca8f32a8dbe46f31e6d343ce465c9a3f8c098d70fdc122b87db91e05f0108f3b5cebe142811fa4f39539df09e99869881ca3209

  Memory dumps
    memory/656-152-0x0000000000000000-mapping.dmp
    memory/656-153-0x0000000000400000-0x000000000042C000-memory.dmp   176KB
    memory/656-164-0x0000000000400000-0x000000000042C000-memory.dmp   176KB
    memory/2380-132-0x0000000000000000-mapping.dmp
    memory/2380-133-0x0000000000A10000-0x0000000000A3C000-memory.dmp  176KB
    memory/2380-143-0x0000000000A10000-0x0000000000A3C000-memory.dmp  176KB
    memory/2536-150-0x0000000000000000-mapping.dmp
    memory/2536-156-0x0000000004C40000-0x0000000004CD2000-memory.dmp  584KB
    memory/2536-165-0x0000000004CE0000-0x0000000004D46000-memory.dmp  408KB
    memory/2668-144-0x0000000000000000-mapping.dmp
    memory/4504-149-0x0000000005320000-0x00000000058C4000-memory.dmp  5.6MB
    memory/4504-130-0x0000000000000000-mapping.dmp
    memory/4504-147-0x00000000003C0000-0x000000000041E000-memory.dmp  376KB
    memory/4504-166-0x0000000005D30000-0x0000000005D42000-memory.dmp  72KB
    memory/4504-167-0x0000000006160000-0x000000000619C000-memory.dmp  240KB
    memory/4504-168-0x00000000061B0000-0x00000000061BA000-memory.dmp  40KB