Analysis
- max time kernel: 60s
- max time network: 60s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-09-2022 19:39
Behavioral task: behavioral1
- Sample: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
- Resource: win7-20220812-en
General
- Target: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
- Size: 347KB
- MD5: 0c7b4927d8473e50866b28bc6ec37c07
- SHA1: ccc11ecdbce975a18b9a673d4adbcff48168af12
- SHA256: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57
- SHA512: 6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07
- SSDEEP: 6144:4dSz2Hgw9AHLrTfBkuaFnXDtcCy13o6w2uu7z7SYSb04sqvgJADBd/xz/:kUsAHLrTfBkuaFnXDtcCyrw2uu7zdplE
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: system
- C2: 106.12.192.231:4782
- Mutex: QSR_MUTEX_j15VAOgMonMS1ue4Db
- encryption_key: R2b2TrZWSxj5VWSKaHoD
- install_name: system.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WindowsUpdate
- subdirectory: .WINDOWS
Signatures
- Quasar payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/1532-132-0x0000000000240000-0x000000000029E000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe | family_quasar
  C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe | family_quasar
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2752 | system.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  11 | ip-api.com
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  4872 | schtasks.exe
  3524 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1532 | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
  Token: SeDebugPrivilege | 2752 | system.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  2752 | system.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 1532 wrote to memory of 4872 | 1532 | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe | schtasks.exe
  PID 1532 wrote to memory of 4872 | 1532 | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe | schtasks.exe
  PID 1532 wrote to memory of 4872 | 1532 | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe | schtasks.exe
  PID 1532 wrote to memory of 2752 | 1532 | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe | system.exe
  PID 1532 wrote to memory of 2752 | 1532 | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe | system.exe
  PID 1532 wrote to memory of 2752 | 1532 | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe | system.exe
  PID 2752 wrote to memory of 3524 | 2752 | system.exe | schtasks.exe
  PID 2752 wrote to memory of 3524 | 2752 | system.exe | schtasks.exe
  PID 2752 wrote to memory of 3524 | 2752 | system.exe | schtasks.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
    Command line: "C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
  Filesize: 347KB
  MD5: 0c7b4927d8473e50866b28bc6ec37c07
  SHA1: ccc11ecdbce975a18b9a673d4adbcff48168af12
  SHA256: f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57
  SHA512: 6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07
- memory/1532-132-0x0000000000240000-0x000000000029E000-memory.dmp
  Filesize: 376KB
- memory/1532-133-0x00000000052E0000-0x0000000005884000-memory.dmp
  Filesize: 5.6MB
- memory/1532-134-0x0000000004D30000-0x0000000004DC2000-memory.dmp
  Filesize: 584KB
- memory/1532-135-0x0000000005040000-0x00000000050A6000-memory.dmp
  Filesize: 408KB
- memory/1532-136-0x0000000005C90000-0x0000000005CA2000-memory.dmp
  Filesize: 72KB
- memory/1532-137-0x00000000060B0000-0x00000000060EC000-memory.dmp
  Filesize: 240KB
- memory/2752-139-0x0000000000000000-mapping.dmp
- memory/2752-143-0x0000000006DF0000-0x0000000006DFA000-memory.dmp
  Filesize: 40KB
- memory/3524-142-0x0000000000000000-mapping.dmp
- memory/4872-138-0x0000000000000000-mapping.dmp