Analysis
max time kernel: 108s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 04:14
Static task: static1
Behavioral task: behavioral1
Sample: d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
Resource: win7-20220718-en
General
Target: d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
Size: 786KB
MD5: 0acf6ea8ea82fd3aae0da111f91e0052
SHA1: 7a04c82c0081741a3fe211a7eda63584937ddea5
SHA256: d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f
SHA512: da5d1d3cd47af8e66bc21ba33bc66782474c728a009f78b6040350107ffa4a8075bf6c0c70e383db62ab5e7ee7de681bf52f7d24bb0174cc8802e320505ced57
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Wallets
C2: mailsdc61.ga:5490
Mutex: QSR_MUTEX_AlGzVdofAbXTg5UjU1
encryption_key: kjsUY5tlvrmAWR8ZxfU3
install_name: skype.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: skype
subdirectory: AppData
Signatures
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1096-133-0x0000000000000000-mapping.dmp | family_quasar
  behavioral2/memory/1096-134-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
- Executes dropped EXE (2 IoCs)
  pid | process
  228 | skype.exe
  3748 | skype.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12Build = "C:\\Users\\Admin\\AppData\\Roaming\\iBJoj\\smhpo.exe" | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12Build = "C:\\Users\\Admin\\AppData\\Roaming\\iBJoj\\smhpo.exe" | skype.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  26 | ip-api.com
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 2368 set thread context of 1096 | 2368 | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
  PID 228 set thread context of 3748 | 228 | skype.exe | skype.exe
- Program crash (1 IoCs)
  pid | pid_target | process | target process
  3644 | 3748 | WerFault.exe | skype.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1096 | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  events | description | pid | process | target process
  8 | PID 2368 wrote to memory of 1096 | 2368 | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
  3 | PID 1096 wrote to memory of 4160 | 1096 | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe | schtasks.exe
  3 | PID 1096 wrote to memory of 228 | 1096 | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe | skype.exe
  4 | PID 228 wrote to memory of 3748 | 228 | skype.exe | skype.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\schtasks.exe
      Command: "schtasks" /create /tn "skype" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    Process (depth 3): C:\Users\Admin\AppData\Roaming\AppData\skype.exe
      Command: "C:\Users\Admin\AppData\Roaming\AppData\skype.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Users\Admin\AppData\Roaming\AppData\skype.exe
        Command: "C:\Users\Admin\AppData\Roaming\AppData\skype.exe"
        - Executes dropped EXE
        Process (depth 5): C:\Windows\SysWOW64\WerFault.exe
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 80
          - Program crash
Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3748 -ip 3748
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe.log
  Filesize: 611B
  MD5: e09032fb626c6c1d10e2ab27b0278463
  SHA1: a26ea328ef81ab53a9883f7b9c7d3998883eaf47
  SHA256: 1b834fc0faded24ae9665629c739742a2614784d62f96f9f982a6c678e916147
  SHA512: 2c341b371103d67fb0bd1e49a4a07b3037e3a304b914446c103de43f87370d584e666f0b93e2c28c776188e975cd95855bb3a1bc4ddbcac89acd62ec46cb5e35
C:\Users\Admin\AppData\Roaming\AppData\skype.exe
  Filesize: 786KB
  MD5: 0acf6ea8ea82fd3aae0da111f91e0052
  SHA1: 7a04c82c0081741a3fe211a7eda63584937ddea5
  SHA256: d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f
  SHA512: da5d1d3cd47af8e66bc21ba33bc66782474c728a009f78b6040350107ffa4a8075bf6c0c70e383db62ab5e7ee7de681bf52f7d24bb0174cc8802e320505ced57
Memory dumps
memory/228-141-0x0000000000000000-mapping.dmp
memory/228-144-0x0000000000630000-0x00000000006FA000-memory.dmp (Filesize: 808KB)
memory/1096-134-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
memory/1096-137-0x0000000004D70000-0x0000000004DD6000-memory.dmp (Filesize: 408KB)
memory/1096-138-0x0000000005D80000-0x0000000005D92000-memory.dmp (Filesize: 72KB)
memory/1096-139-0x00000000062E0000-0x000000000631C000-memory.dmp (Filesize: 240KB)
memory/1096-136-0x0000000005270000-0x0000000005814000-memory.dmp (Filesize: 5.6MB)
memory/1096-133-0x0000000000000000-mapping.dmp
memory/2368-130-0x0000000000060000-0x000000000012A000-memory.dmp (Filesize: 808KB)
memory/2368-132-0x0000000007070000-0x0000000007102000-memory.dmp (Filesize: 584KB)
memory/2368-131-0x0000000006F20000-0x0000000006FBC000-memory.dmp (Filesize: 624KB)
memory/3748-145-0x0000000000000000-mapping.dmp
memory/4160-140-0x0000000000000000-mapping.dmp