Analysis
- max time kernel: 41s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-09-2022 19:39
Behavioral task: behavioral1
- Sample: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
- Resource: win7-20220812-en
General
- Target: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
- Size: 347KB
- MD5: 0c7b4927d8473e50866b28bc6ec37c07
- SHA1: ccc11ecdbce975a18b9a673d4adbcff48168af12
- SHA256: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57
- SHA512: 6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07
- SSDEEP: 6144:4dSz2Hgw9AHLrTfBkuaFnXDtcCy13o6w2uu7z7SYSb04sqvgJADBd/xz/:kUsAHLrTfBkuaFnXDtcCyrw2uu7zdplE
Malware Config
Extracted
- family: quasar
- version: 1.3.0.0
- system (unlabelled field, as extracted)
- C2: 106.12.192.231:4782
- mutex: QSR_MUTEX_j15VAOgMonMS1ue4Db
- encryption_key: R2b2TrZWSxj5VWSKaHoD
- install_name: system.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WindowsUpdate
- subdirectory: .WINDOWS
Signatures
- Quasar payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1680-54-0x0000000000290000-0x00000000002EE000-memory.dmp: family_quasar
  - \Users\Admin\AppData\Roaming\.WINDOWS\system.exe: family_quasar
  - C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe: family_quasar
  - C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe: family_quasar
  - behavioral1/memory/1448-61-0x0000000000C70000-0x0000000000CCE000-memory.dmp: family_quasar
- Executes dropped EXE (1 IoC)
  pid / process:
  - 1448 system.exe
- Loads dropped DLL (1 IoC)
  pid / process:
  - 1680 f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 1 ip-api.com
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process:
  - 1988 schtasks.exe
  - 1456 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege, 1680, f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
  - Token: SeDebugPrivilege, 1448, system.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process:
  - 1448 system.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / target process (each pair is reported four times, 12 entries in total):
  - PID 1680 wrote to memory of 1988: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe -> schtasks.exe (4 entries)
  - PID 1680 wrote to memory of 1448: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe -> system.exe (4 entries)
  - PID 1448 wrote to memory of 1456: system.exe -> schtasks.exe (4 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
    command line: "C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
  Filesize: 347KB
  MD5: 0c7b4927d8473e50866b28bc6ec37c07
  SHA1: ccc11ecdbce975a18b9a673d4adbcff48168af12
  SHA256: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57
  SHA512: 6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07
- \Users\Admin\AppData\Roaming\.WINDOWS\system.exe
  Filesize: 347KB
  MD5: 0c7b4927d8473e50866b28bc6ec37c07
  SHA1: ccc11ecdbce975a18b9a673d4adbcff48168af12
  SHA256: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57
  SHA512: 6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07
- memory/1448-58-0x0000000000000000-mapping.dmp
- memory/1448-61-0x0000000000C70000-0x0000000000CCE000-memory.dmp
  Filesize: 376KB
- memory/1456-63-0x0000000000000000-mapping.dmp
- memory/1680-54-0x0000000000290000-0x00000000002EE000-memory.dmp
  Filesize: 376KB
- memory/1680-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
  Filesize: 8KB
- memory/1988-56-0x0000000000000000-mapping.dmp