Analysis
max time kernel: 42s
max time network: 68s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 03:44
Behavioral task: behavioral1
Sample: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
Resource: win7-20220718-en
General
Target: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
Size: 349KB
MD5: 94cb4509fbc7d4a000a35094532b2dc6
SHA1: e3a609c58c08a2d34f6f384b40dcf5df0c361c39
SHA256: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
SHA512: 7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Matei
C2: getrektscrub.hopto.org:4782
Mutex: QSR_MUTEX_KkiFVxzP7AThmUYEE7
encryption_key: g4oiMoBrx37SHLCg4wcA
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures

Quasar payload (11 IoCs)
  resource  |  yara_rule
  behavioral1/memory/288-54-0x0000000000E70000-0x0000000000ECE000-memory.dmp  |  family_quasar
  \Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  behavioral1/memory/1724-61-0x0000000001050000-0x00000000010AE000-memory.dmp  |  family_quasar
  \Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  \Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  \Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  \Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  \Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe  |  family_quasar

suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
Executes dropped EXE (2 IoCs)
  pid   process
  1724  svchost.exe
  1920  svchost.exe

Loads dropped DLL (6 IoCs)
  pid   process
  288   5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
  1244  WerFault.exe (listed 5 times)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
  pid   pid_target  process       target process
  1244  1724        WerFault.exe  svchost.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1984  schtasks.exe
  1500  schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  288   5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
  Token: SeDebugPrivilege  1724  svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1724  svchost.exe
Suspicious use of WriteProcessMemory (32 IoCs)
  Each parent/child pair below is recorded four times in the report (32 entries in total).
  pid   process                                                                target pid  target process
  288   5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe  1984        schtasks.exe
  288   5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe  1724        svchost.exe
  1724  svchost.exe                                                            1500        schtasks.exe
  1724  svchost.exe                                                            1916        cmd.exe
  1724  svchost.exe                                                            1244        WerFault.exe
  1916  cmd.exe                                                                1864        chcp.com
  1916  cmd.exe                                                                1128        PING.EXE
  1916  cmd.exe                                                                1920        svchost.exe
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\emFphGyuDX1g.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com
        command line: chcp 65001

      C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 10 localhost
        - Runs ping.exe

      C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
        - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1480
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\emFphGyuDX1g.bat
  Filesize: 208B
  MD5: 6ec4d3bdc68a823faa8d83a3fdfc03ba
  SHA1: 663aa05d63d024e904bc61e442279c4fe8094901
  SHA256: 50d84e2e242c120e1b54c032a57c051807728406e1899eea8199438e62904e8d
  SHA512: e0f656854c9cc5b98c7f029d472f810f7a65462f0793ea127db6052aed0efc63114c8caec9d4552d325b1a1b7cfa23674ca9eed6d3e0e251ccfc0bf24e6a20f7
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe (3 identical entries in the report; the hashes match the submitted sample)
  Filesize: 349KB
  MD5: 94cb4509fbc7d4a000a35094532b2dc6
  SHA1: e3a609c58c08a2d34f6f384b40dcf5df0c361c39
  SHA256: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
  SHA512: 7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

\Users\Admin\AppData\Roaming\SubDir\svchost.exe (6 identical entries in the report; the hashes match the submitted sample)
  Filesize: 349KB
  MD5: 94cb4509fbc7d4a000a35094532b2dc6
  SHA1: e3a609c58c08a2d34f6f384b40dcf5df0c361c39
  SHA256: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
  SHA512: 7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3
memory/288-55-0x0000000076921000-0x0000000076923000-memory.dmp
  Filesize: 8KB

memory/288-54-0x0000000000E70000-0x0000000000ECE000-memory.dmp
  Filesize: 376KB

memory/1128-72-0x0000000000000000-mapping.dmp

memory/1244-66-0x0000000000000000-mapping.dmp

memory/1500-63-0x0000000000000000-mapping.dmp

memory/1724-61-0x0000000001050000-0x00000000010AE000-memory.dmp
  Filesize: 376KB

memory/1724-58-0x0000000000000000-mapping.dmp

memory/1864-67-0x0000000000000000-mapping.dmp

memory/1916-64-0x0000000000000000-mapping.dmp

memory/1920-74-0x0000000000000000-mapping.dmp

memory/1984-56-0x0000000000000000-mapping.dmp