Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 04:33
Static task: static1
Behavioral task: behavioral1
Sample: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe
Resource: win7-20220718-en
General
- Target: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe
- Size: 463KB
- MD5: fe410944a04368c81eef23bc3e519888
- SHA1: e374403c0fd537d5af14d421bdaa902245a03d91
- SHA256: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786
- SHA512: 456d52068aca2ed3dab67e247524a818f77e2eb4a45296a6fcd9939b1770e042866ea09a0d751a503f16eafdf681bb7bebeee9a60409d61549a6838f39ac801e
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- Office04
- 107.173.219.125:1714
- NRgo8ArOed1VVkhIyd
- encryption_key: XZyY0DaQV5kpii268lOQ
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: svchost
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoCs)
  resource: behavioral2/memory/1712-145-0x0000000000400000-0x000000000044E000-memory.dmp, yara_rule: family_quasar
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
- Executes dropped EXE (1 IoCs)
  pid 1852, process vW0wEDKCm80ZnMdKhed.exe
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vW0wEDKCm80ZnMdK.exe.url, process: vW0wEDKCm80ZnMdKhed.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 6: ip-api.com; flow 16: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1852 (vW0wEDKCm80ZnMdKhed.exe) set thread context of 1712 (RegAsm.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1852, process vW0wEDKCm80ZnMdKhed.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: pid 1852 vW0wEDKCm80ZnMdKhed.exe; pid 1712 RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 1712, process RegAsm.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 4180 (7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe) wrote to memory of 1852 (vW0wEDKCm80ZnMdKhed.exe), 3 entries
  PID 1852 (vW0wEDKCm80ZnMdKhed.exe) wrote to memory of 4700 (csc.exe), 3 entries
  PID 4700 (csc.exe) wrote to memory of 2464 (cvtres.exe), 3 entries
  PID 1852 (vW0wEDKCm80ZnMdKhed.exe) wrote to memory of 4564 (RegAsm.exe), 3 entries
  PID 1852 (vW0wEDKCm80ZnMdKhed.exe) wrote to memory of 1712 (RegAsm.exe), 8 entries
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe"
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\vW0wEDKCm80ZnMdKhed.exe
    command line: C:\Users\Admin\vW0wEDKCm80ZnMdKhed.exe 1
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.cmdline"
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED7.tmp" "c:\Users\Admin\AppData\Local\Temp\wjzsvtax\CSCEEE94CED71E3485EA8FB3C429C6EE450.TMP"
    depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES8ED7.tmp
  Filesize: 1KB
  MD5: 2bce79aebe9bdde46cf1d696ee690113
  SHA1: 800c31c47d521aa1d4722d58e3f1bf6748a8f28b
  SHA256: d58b56abe4b7c40ffcdc3e90c128df3c362b45d244217700a233e17d5771d144
  SHA512: 2fe0c8c574c96baf3b9c2da1285f01a72207d920b3d767615edb259d9cad74e02d567c126e47f30f68b0fea12f548046b7650bbcdd6d0baa10be89ee92bc280a
- C:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.dll
  Filesize: 5KB
  MD5: 0789e7e8862063f1c77f276c6c1507be
  SHA1: e7e9e50273e84d847b3605e07c4ed7cdbaa9a060
  SHA256: 742c27ddd1d6faeda7cb009c856d7b5a25edf25d0ff7659fe8155f3f71d52956
  SHA512: 3a2215fc27c1e3ef5432a1beab6fe52efba1263276b9227530e54caf1b09d600e7ce5f7225a19c3ca450ff8c43505d3a21334eec673e3c08108d8a644c06de89
- C:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.pdb
  Filesize: 15KB
  MD5: 7253d53335ac4945c465add3c90cf66a
  SHA1: a703dec636509da178f04c851f526fd177c33856
  SHA256: c1b24321ebd91e28d26a9bf90d216a637bcb47bf74da03b126edf24c3f3f4ea5
  SHA512: 2b07355c5ec8dffa6ab2fd63f468b9617e42a7242387918eb7fb4cd74804abb8545af00a520011f1ad539fb58e4bd118112ab29346ad9d1f42967b2dceb145c1
- C:\Users\Admin\vW0wEDKCm80ZnMdKhed.exe
  Filesize: 339KB
  MD5: b0e7b0b02a31f317bd5285fd973b2f51
  SHA1: 52b8e10ff270cae050cf5cc43f72fd6cc367fbb8
  SHA256: 563bedc1171ef94458bc3acddbe2215fb0278ca749e8915a781e1a33678c5c7b
  SHA512: f4ee187578a30d40611fb577b24be01131ec28deb26f798269db45ed47fe663ad12b32484d531d010072c8870b93befecadb7a955da0eab05db9d470fe4c8468
- \??\c:\Users\Admin\AppData\Local\Temp\wjzsvtax\CSCEEE94CED71E3485EA8FB3C429C6EE450.TMP
  Filesize: 1KB
  MD5: 567743744c556664e38a70002fbb4236
  SHA1: b86d53b2ee91b5617c68c2183cdd3abaa4df06cb
  SHA256: 49c2d6dbf50c1ef4a766fc4d8a98e17c7edf072a3a19de15d4c67c395603c75a
  SHA512: 0eee96477baf3a05b0310f8f30fe977bd84f50d8ec497d5e1e0001be533356339b3cfa6669f25f175176757a51dcdeee270ed9b523aef130c8013927d7afad35
- \??\c:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.0.cs
  Filesize: 2KB
  MD5: 6777f580d9718e696aaef081870ceabe
  SHA1: aef4e152604965ecd26ea4a32ec4282792633043
  SHA256: d3ce5a4eafbe7c6ae9e0039facd57059b7cc3f3173663d63433e358e4ceff572
  SHA512: f32522d03f482bbfc93b8ac7241cb74fab4c7f19addbeae97969cbcc6410a3117d2279465a1c9bfaa015cc3ac7a9ce2f9714ea6e8607d42906e8ee9a8454c8bc
- \??\c:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.cmdline
  Filesize: 224B
  MD5: 8ce89c5c50c33ae7ac044efb81c2b8db
  SHA1: 5b8327c3ed1ccf29799976196715882732bcbc0a
  SHA256: b02a2032d7e67da33dc1a8cfd57ade194c9f7937bd6757a46c7a8ae89f7f3a9e
  SHA512: 35eb575c44b775e0607981cbaf721e90aac18f3541dbfce4d282031598f72bac756c7828729a60fdbe302f674d21d7e21db2be4ffa8c5ea90bcc774a5eee1aef
- memory/1712-147-0x0000000004D60000-0x0000000004DF2000-memory.dmp
  Filesize: 584KB
- memory/1712-144-0x0000000000000000-mapping.dmp
- memory/1712-145-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/1712-146-0x0000000005270000-0x0000000005814000-memory.dmp
  Filesize: 5.6MB
- memory/1712-148-0x0000000004F70000-0x0000000004FD6000-memory.dmp
  Filesize: 408KB
- memory/1712-149-0x0000000005B20000-0x0000000005B32000-memory.dmp
  Filesize: 72KB
- memory/1712-150-0x0000000006580000-0x000000000658A000-memory.dmp
  Filesize: 40KB
- memory/1852-130-0x0000000000000000-mapping.dmp
- memory/1852-133-0x0000000000FA0000-0x0000000000FFC000-memory.dmp
  Filesize: 368KB
- memory/1852-142-0x0000000005B90000-0x0000000005C2C000-memory.dmp
  Filesize: 624KB
- memory/2464-137-0x0000000000000000-mapping.dmp
- memory/4564-143-0x0000000000000000-mapping.dmp
- memory/4700-134-0x0000000000000000-mapping.dmp