quasar | 6b4ae1bde5c68bdc96647dc1154eeea23eda290a970f8ddd9991a67337ab3689

Analysis

max time kernel
135s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc01201763000.exe
Size

2.9MB
MD5

6bdc2941aadda12fde04af72c227eadd
SHA1

7ad28b6c109ae7ad534c3bef4664f4a5c4ff6310
SHA256

6b4ae1bde5c68bdc96647dc1154eeea23eda290a970f8ddd9991a67337ab3689
SHA512

47263631a93396d7f39257fc23a8fad7e48d3c2e37d75015b6de08c879ce78b10fe63cfc9e99733ef039bb4b22cf0e57a33f6e49ef2349d450f00a5cad4c3328
SSDEEP

24576:bqri8YEiqPPnGIR4bYjQqeCAWqaRyMyV3rRP0rioqOnYQb6VOk9Zv8qAgq:

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

rze6.sytes.net:5000

Mutex

QSR_MUTEX_nHkW3jdEs5SeHvgyZi

Attributes

encryption_key
sweOMvDPhbI7lawcCiiU
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/memory/1372-80-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1372-79-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1372-81-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1372-82-0x00000000004581DE-mapping.dmp	family_quasar
behavioral1/memory/1372-85-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1372-87-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1752	Lrnssmklpicxdyutowowz.exe
1372	Lrnssmklpicxdyutowowz.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	Doc01201763000.exe
1752	Lrnssmklpicxdyutowowz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pnbqgkmb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Viqfrscsnha\\Pnbqgkmb.exe\""	Doc01201763000.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pnbqgkmb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Viqfrscsnha\\Pnbqgkmb.exe\""	Lrnssmklpicxdyutowowz.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1372	1752	Lrnssmklpicxdyutowowz.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1904	Doc01201763000.exe
704	powershell.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1752	Lrnssmklpicxdyutowowz.exe
588	powershell.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1904	Doc01201763000.exe
1752	Lrnssmklpicxdyutowowz.exe
1752	Lrnssmklpicxdyutowowz.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	Doc01201763000.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1752	Lrnssmklpicxdyutowowz.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1372	Lrnssmklpicxdyutowowz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1372	Lrnssmklpicxdyutowowz.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 704	1904	Doc01201763000.exe	26
PID 1904 wrote to memory of 704	1904	Doc01201763000.exe	26
PID 1904 wrote to memory of 704	1904	Doc01201763000.exe	26
PID 1904 wrote to memory of 704	1904	Doc01201763000.exe	26
PID 1904 wrote to memory of 1752	1904	Doc01201763000.exe	28
PID 1904 wrote to memory of 1752	1904	Doc01201763000.exe	28
PID 1904 wrote to memory of 1752	1904	Doc01201763000.exe	28
PID 1904 wrote to memory of 1752	1904	Doc01201763000.exe	28
PID 1752 wrote to memory of 588	1752	Lrnssmklpicxdyutowowz.exe	29
PID 1752 wrote to memory of 588	1752	Lrnssmklpicxdyutowowz.exe	29
PID 1752 wrote to memory of 588	1752	Lrnssmklpicxdyutowowz.exe	29
PID 1752 wrote to memory of 588	1752	Lrnssmklpicxdyutowowz.exe	29
PID 1904 wrote to memory of 960	1904	Doc01201763000.exe	31
PID 1904 wrote to memory of 960	1904	Doc01201763000.exe	31
PID 1904 wrote to memory of 960	1904	Doc01201763000.exe	31
PID 1904 wrote to memory of 960	1904	Doc01201763000.exe	31
PID 1904 wrote to memory of 1576	1904	Doc01201763000.exe	33
PID 1904 wrote to memory of 1576	1904	Doc01201763000.exe	33
PID 1904 wrote to memory of 1576	1904	Doc01201763000.exe	33
PID 1904 wrote to memory of 1576	1904	Doc01201763000.exe	33
PID 1904 wrote to memory of 1080	1904	Doc01201763000.exe	32
PID 1904 wrote to memory of 1080	1904	Doc01201763000.exe	32
PID 1904 wrote to memory of 1080	1904	Doc01201763000.exe	32
PID 1904 wrote to memory of 1080	1904	Doc01201763000.exe	32
PID 1904 wrote to memory of 1276	1904	Doc01201763000.exe	34
PID 1904 wrote to memory of 1276	1904	Doc01201763000.exe	34
PID 1904 wrote to memory of 1276	1904	Doc01201763000.exe	34
PID 1904 wrote to memory of 1276	1904	Doc01201763000.exe	34
PID 1904 wrote to memory of 1900	1904	Doc01201763000.exe	35
PID 1904 wrote to memory of 1900	1904	Doc01201763000.exe	35
PID 1904 wrote to memory of 1900	1904	Doc01201763000.exe	35
PID 1904 wrote to memory of 1900	1904	Doc01201763000.exe	35
PID 1904 wrote to memory of 1600	1904	Doc01201763000.exe	36
PID 1904 wrote to memory of 1600	1904	Doc01201763000.exe	36
PID 1904 wrote to memory of 1600	1904	Doc01201763000.exe	36
PID 1904 wrote to memory of 1600	1904	Doc01201763000.exe	36
PID 1904 wrote to memory of 1008	1904	Doc01201763000.exe	37
PID 1904 wrote to memory of 1008	1904	Doc01201763000.exe	37
PID 1904 wrote to memory of 1008	1904	Doc01201763000.exe	37
PID 1904 wrote to memory of 1008	1904	Doc01201763000.exe	37
PID 1904 wrote to memory of 1324	1904	Doc01201763000.exe	39
PID 1904 wrote to memory of 1324	1904	Doc01201763000.exe	39
PID 1904 wrote to memory of 1324	1904	Doc01201763000.exe	39
PID 1904 wrote to memory of 1324	1904	Doc01201763000.exe	39
PID 1904 wrote to memory of 1996	1904	Doc01201763000.exe	38
PID 1904 wrote to memory of 1996	1904	Doc01201763000.exe	38
PID 1904 wrote to memory of 1996	1904	Doc01201763000.exe	38
PID 1904 wrote to memory of 1996	1904	Doc01201763000.exe	38
PID 1904 wrote to memory of 584	1904	Doc01201763000.exe	40
PID 1904 wrote to memory of 584	1904	Doc01201763000.exe	40
PID 1904 wrote to memory of 584	1904	Doc01201763000.exe	40
PID 1904 wrote to memory of 584	1904	Doc01201763000.exe	40
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41
PID 1752 wrote to memory of 1372	1752	Lrnssmklpicxdyutowowz.exe	41

C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
"C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe
  "C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe
    C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1372
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:960
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
  2⤵
  PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe

Filesize
1.5MB

MD5
8173e9179a9a1f29d084e32ee3c30c65

SHA1
f4f6f60a59b6129045bc1ae18667eccb4787d651

SHA256
7ada3fa6c166700d7d08cd4fd4503454f515df92d501c5b7ba306f71144b9730

SHA512
fa1fbb733ef09ac7b9098ca533a131ef5fa24155285c4f5d7b10da36d8ed788e9d0bbc48a4af70b70d78578640634b252fc0c980a7b631f7ed8fe816252ccca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe

Filesize
1.5MB

MD5
8173e9179a9a1f29d084e32ee3c30c65

SHA1
f4f6f60a59b6129045bc1ae18667eccb4787d651

SHA256
7ada3fa6c166700d7d08cd4fd4503454f515df92d501c5b7ba306f71144b9730

SHA512
fa1fbb733ef09ac7b9098ca533a131ef5fa24155285c4f5d7b10da36d8ed788e9d0bbc48a4af70b70d78578640634b252fc0c980a7b631f7ed8fe816252ccca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe

Filesize
1.5MB

MD5
8173e9179a9a1f29d084e32ee3c30c65

SHA1
f4f6f60a59b6129045bc1ae18667eccb4787d651

SHA256
7ada3fa6c166700d7d08cd4fd4503454f515df92d501c5b7ba306f71144b9730

SHA512
fa1fbb733ef09ac7b9098ca533a131ef5fa24155285c4f5d7b10da36d8ed788e9d0bbc48a4af70b70d78578640634b252fc0c980a7b631f7ed8fe816252ccca9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5ceebd642120c0af2b280142fdaf71cf

SHA1
58f5a71f2f9f5d725a812edcf4427a1c129922cc

SHA256
2ffa8f2ff6e545018d11150549ce65b386f717b5246261307e212d93e14573c9

SHA512
5601c82cb68b77ea8149c7852bb8f81d7816e3e2a96ec4d53c9a5924531357fa6e140fe20cc6441abce82be1eafc8ef37f58ecd1053c4ffae3ef056e014915b9

Download Submit
C:\Users\Admin\AppData\Roaming\Viqfrscsnha\Pnbqgkmb.exe

Filesize
1.5MB

MD5
8173e9179a9a1f29d084e32ee3c30c65

SHA1
f4f6f60a59b6129045bc1ae18667eccb4787d651

SHA256
7ada3fa6c166700d7d08cd4fd4503454f515df92d501c5b7ba306f71144b9730

SHA512
fa1fbb733ef09ac7b9098ca533a131ef5fa24155285c4f5d7b10da36d8ed788e9d0bbc48a4af70b70d78578640634b252fc0c980a7b631f7ed8fe816252ccca9

Download Submit
\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe

Filesize
1.5MB

MD5
8173e9179a9a1f29d084e32ee3c30c65

SHA1
f4f6f60a59b6129045bc1ae18667eccb4787d651

SHA256
7ada3fa6c166700d7d08cd4fd4503454f515df92d501c5b7ba306f71144b9730

SHA512
fa1fbb733ef09ac7b9098ca533a131ef5fa24155285c4f5d7b10da36d8ed788e9d0bbc48a4af70b70d78578640634b252fc0c980a7b631f7ed8fe816252ccca9

Download Submit
\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe

Filesize
1.5MB

MD5
8173e9179a9a1f29d084e32ee3c30c65

SHA1
f4f6f60a59b6129045bc1ae18667eccb4787d651

SHA256
7ada3fa6c166700d7d08cd4fd4503454f515df92d501c5b7ba306f71144b9730

SHA512
fa1fbb733ef09ac7b9098ca533a131ef5fa24155285c4f5d7b10da36d8ed788e9d0bbc48a4af70b70d78578640634b252fc0c980a7b631f7ed8fe816252ccca9

Download Submit
memory/588-73-0x000000006F840000-0x000000006FDEB000-memory.dmp

Filesize
5.7MB

Download
memory/588-72-0x000000006F840000-0x000000006FDEB000-memory.dmp

Filesize
5.7MB

Download
memory/588-71-0x000000006F840000-0x000000006FDEB000-memory.dmp

Filesize
5.7MB

Download
memory/704-61-0x000000006F880000-0x000000006FE2B000-memory.dmp

Filesize
5.7MB

Download
memory/704-60-0x000000006F880000-0x000000006FE2B000-memory.dmp

Filesize
5.7MB

Download
memory/704-58-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/704-59-0x000000006F880000-0x000000006FE2B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-79-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1372-87-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1372-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1372-81-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1372-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1372-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1372-80-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-66-0x0000000001120000-0x00000000012B0000-memory.dmp

Filesize
1.6MB

Download
memory/1752-67-0x0000000000AE0000-0x0000000000BAA000-memory.dmp

Filesize
808KB

Download
memory/1904-56-0x0000000004960000-0x00000000049F2000-memory.dmp

Filesize
584KB

Download
memory/1904-54-0x0000000000300000-0x00000000005EE000-memory.dmp

Filesize
2.9MB

Download
memory/1904-55-0x0000000004B30000-0x0000000004CA8000-memory.dmp

Filesize
1.5MB

Download