Analysis
- max time kernel: 43s
- max time network: 61s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22-09-2022 08:59
Behavioral task behavioral1
- Sample: 42501e281de15d0331a70d0b34b94b8b.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 42501e281de15d0331a70d0b34b94b8b.exe
- Resource: win10v2004-20220812-en
General
- Target: 42501e281de15d0331a70d0b34b94b8b.exe
- Size: 348KB
- MD5: 42501e281de15d0331a70d0b34b94b8b
- SHA1: c9ae2a74d0e25e0d2c4946917767d46d33e208cc
- SHA256: b85d366a889518edf0a9899e2120de042965a72fc60c8795a2f9bd6eee96d58c
- SHA512: aaea1b070c6560264d2875b7fb355820af4ceab172ff4c5a6b21d893ec4955419c7b673bedae66beae5626dbbacf1c6fe7860008b49029275016c4ac97392f74
- SSDEEP: 6144:j+NHXf500Mh9fsD02Sp1bS6Zh4SRy80WUw7K:yd50ODqhZh4SYXw7K
Malware Config
Extracted: quasar
- 1.3.0.0
- Godbless my Hustle
- mill.hopto.org:7773
- QSR_MUTEX_IYpAlOHqocnX5nf6J7
- encryption_key: 4AVo5Pq15qMZSQfQWCXf
- install_name: Client.exe
- log_directory: Ll
- reconnect_delay: 123
- startup_key: str
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoC)
  resource: behavioral1/memory/768-54-0x00000000001E0000-0x000000000023E000-memory.dmp, yara_rule: family_quasar
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid 1692 WerFault.exe, target pid 768 42501e281de15d0331a70d0b34b94b8b.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 768 42501e281de15d0331a70d0b34b94b8b.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 768 42501e281de15d0331a70d0b34b94b8b.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each of the six writes below is recorded four times)
  PID 768 (42501e281de15d0331a70d0b34b94b8b.exe) wrote to memory of 1988 (schtasks.exe)
  PID 768 (42501e281de15d0331a70d0b34b94b8b.exe) wrote to memory of 276 (cmd.exe)
  PID 276 (cmd.exe) wrote to memory of 1080 (chcp.com)
  PID 768 (42501e281de15d0331a70d0b34b94b8b.exe) wrote to memory of 1692 (WerFault.exe)
  PID 276 (cmd.exe) wrote to memory of 1292 (PING.EXE)
  PID 276 (cmd.exe) wrote to memory of 1220 (42501e281de15d0331a70d0b34b94b8b.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zRhydHFq45fr.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 10 localhost
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1464
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\zRhydHFq45fr.bat
  Filesize: 229B
  MD5: fd3b1a8cc2392e91b8f07e6b711bf7ac
  SHA1: cdd3d747c742bb7f70f8882bf1cbdea04a8e8a2c
  SHA256: 5c20959caeec4c385d5e19b22e65edd270e4d6dc45c9be6b99600de661c5aaec
  SHA512: b13deac4e6103ed088ebc001eacf49183f273b0585d93e4fc8bb30937753ada2766e792cba6f8da9810c7f531c895aaf911b376bc20eeb08accde661b83e32aa
- memory/276-57-0x0000000000000000-mapping.dmp
- memory/768-54-0x00000000001E0000-0x000000000023E000-memory.dmp
  Filesize: 376KB
- memory/768-55-0x0000000076871000-0x0000000076873000-memory.dmp
  Filesize: 8KB
- memory/1080-59-0x0000000000000000-mapping.dmp
- memory/1220-62-0x0000000000000000-mapping.dmp
- memory/1292-61-0x0000000000000000-mapping.dmp
- memory/1692-60-0x0000000000000000-mapping.dmp
- memory/1988-56-0x0000000000000000-mapping.dmp