Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
21-09-2022 14:59
General
-
Target
invoice554684093903ye74674.exe
-
Size
214KB
-
MD5
7658e4288d97431e0b22ee17ce907162
-
SHA1
2a7b17759b037e3cd4799f9bdb099256197b94d1
-
SHA256
4ed20217d84f7055b14abf31f97802c5f97b304b147f4d4132c0c1be177e3ff0
-
SHA512
51553c9b0d335c9a7a9591bc29c4171549405f011b8b9f8663b00e97d832685c1153bc69443eeb3c7ab598d0f8d3e4ac8f60dad10a8e5f7e4a15947502bafc00
-
SSDEEP
3072:P8oVzkyxfZoB5aDx+Y6HRUHmzhxlI35MNzFNub2h/DWih/H3GR:P8A4HvIdHehj7ubg/Phf3
Malware Config
Extracted
quasar
1.3.0.0
Godbless my Hustle
mill.hopto.org:7773
QSR_MUTEX_IYpAlOHqocnX5nf6J7
-
encryption_key
4AVo5Pq15qMZSQfQWCXf
-
install_name
Client.exe
-
log_directory
Ll
-
reconnect_delay
123
-
startup_key
str
-
subdirectory
SubDir
Extracted
nanocore
1.2.2.0
mill.hopto.org:4489
127.0.0.1:4489
f26f6140-1dcf-4d19-b29d-e8b4eda43999
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-07-03T15:17:26.062415736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4489
-
default_group
Heavenly
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f26f6140-1dcf-4d19-b29d-e8b4eda43999
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
mill.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\invoice554684093903ye74674.exe"C:\Users\Admin\AppData\Local\Temp\invoice554684093903ye74674.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Server.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\invoice554684093903ye74674.exe"C:\Users\Admin\AppData\Local\Temp\invoice554684093903ye74674.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD542501e281de15d0331a70d0b34b94b8b
SHA1c9ae2a74d0e25e0d2c4946917767d46d33e208cc
SHA256b85d366a889518edf0a9899e2120de042965a72fc60c8795a2f9bd6eee96d58c
SHA512aaea1b070c6560264d2875b7fb355820af4ceab172ff4c5a6b21d893ec4955419c7b673bedae66beae5626dbbacf1c6fe7860008b49029275016c4ac97392f74
-
Filesize
348KB
MD542501e281de15d0331a70d0b34b94b8b
SHA1c9ae2a74d0e25e0d2c4946917767d46d33e208cc
SHA256b85d366a889518edf0a9899e2120de042965a72fc60c8795a2f9bd6eee96d58c
SHA512aaea1b070c6560264d2875b7fb355820af4ceab172ff4c5a6b21d893ec4955419c7b673bedae66beae5626dbbacf1c6fe7860008b49029275016c4ac97392f74
-
Filesize
348KB
MD542501e281de15d0331a70d0b34b94b8b
SHA1c9ae2a74d0e25e0d2c4946917767d46d33e208cc
SHA256b85d366a889518edf0a9899e2120de042965a72fc60c8795a2f9bd6eee96d58c
SHA512aaea1b070c6560264d2875b7fb355820af4ceab172ff4c5a6b21d893ec4955419c7b673bedae66beae5626dbbacf1c6fe7860008b49029275016c4ac97392f74
-
-
-
Filesize
376KB
-
Filesize
240KB
-
Filesize
8KB
-
Filesize
72KB
-
-
Filesize
72KB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
40KB
-
Filesize
496KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
496KB