Analysis
  max time kernel: 126s
  max time network: 140s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/10/2022, 09:51
Static task: static1
Behavioral task: behavioral1
  Sample: Doc01201763000.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Doc01201763000.exe
  Resource: win10v2004-20220812-en
General
  Target: Doc01201763000.exe
  Size: 2.9MB
  MD5: 6bdc2941aadda12fde04af72c227eadd
  SHA1: 7ad28b6c109ae7ad534c3bef4664f4a5c4ff6310
  SHA256: 6b4ae1bde5c68bdc96647dc1154eeea23eda290a970f8ddd9991a67337ab3689
  SHA512: 47263631a93396d7f39257fc23a8fad7e48d3c2e37d75015b6de08c879ce78b10fe63cfc9e99733ef039bb4b22cf0e57a33f6e49ef2349d450f00a5cad4c3328
  SSDEEP: 24576:bqri8YEiqPPnGIR4bYjQqeCAWqaRyMyV3rRP0rioqOnYQb6VOk9Zv8qAgq:
Malware Config
  Extracted: agenttesla
    http://195.178.120.72/ch1t/inc/c20966a2dd74ab.php
  Extracted: quasar
    1.3.0.0
    Office04
    rze6.sytes.net:5000
    QSR_MUTEX_nHkW3jdEs5SeHvgyZi
    encryption_key: sweOMvDPhbI7lawcCiiU
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Quasar Client Startup
    subdirectory: SubDir
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Quasar payload (1 IoC)
  resource: behavioral2/memory/1704-160-0x0000000000400000-0x000000000045E000-memory.dmp
  yara_rule: family_quasar

Executes dropped EXE (2 IoCs)
  PID 3892  Lrnssmklpicxdyutowowz.exe
  PID 1704  Lrnssmklpicxdyutowowz.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  (Lrnssmklpicxdyutowowz.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  (Doc01201763000.exe)
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Doc01201763000.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Doc01201763000.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Doc01201763000.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pnbqgkmb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Viqfrscsnha\\Pnbqgkmb.exe\""  (Doc01201763000.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pnbqgkmb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Viqfrscsnha\\Pnbqgkmb.exe\""  (Lrnssmklpicxdyutowowz.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 30: ip-api.com

Suspicious use of SetThreadContext (2 IoCs)
  PID 4876 set thread context of 1264  (Doc01201763000.exe, procid_target 93)
  PID 3892 set thread context of 1704  (Lrnssmklpicxdyutowowz.exe, procid_target 96)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 4876  Doc01201763000.exe         (3 times)
  PID 4692  powershell.exe             (2 times)
  PID 3892  Lrnssmklpicxdyutowowz.exe  (3 times)
  PID 1264  Doc01201763000.exe         (2 times)
  PID 4392  powershell.exe             (2 times)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege  PID 4876  Doc01201763000.exe
  Token: SeDebugPrivilege  PID 4692  powershell.exe
  Token: SeDebugPrivilege  PID 3892  Lrnssmklpicxdyutowowz.exe
  Token: SeDebugPrivilege  PID 1264  Doc01201763000.exe
  Token: SeDebugPrivilege  PID 4392  powershell.exe
  Token: SeDebugPrivilege  PID 1704  Lrnssmklpicxdyutowowz.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1264  Doc01201763000.exe
  PID 1704  Lrnssmklpicxdyutowowz.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 4876 wrote to memory of 4692  (Doc01201763000.exe, procid_target 83)          (3 times)
  PID 4876 wrote to memory of 3892  (Doc01201763000.exe, procid_target 92)          (3 times)
  PID 4876 wrote to memory of 1264  (Doc01201763000.exe, procid_target 93)          (8 times)
  PID 3892 wrote to memory of 4392  (Lrnssmklpicxdyutowowz.exe, procid_target 94)  (3 times)
  PID 3892 wrote to memory of 1704  (Lrnssmklpicxdyutowowz.exe, procid_target 96)  (8 times)

outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Doc01201763000.exe)

outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Doc01201763000.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe  (PID 4876, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4692, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    (the -enc argument is base64 of the UTF-16LE string "Start-Sleep -Seconds 50", i.e. a 50-second delay)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe  (PID 3892, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4392, depth 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      (same encoded command as PID 4692: "Start-Sleep -Seconds 50")
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe  (PID 1704, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\Lrnssmklpicxdyutowowz.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe  (PID 1264, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\Doc01201763000.exe
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB  (listed 2 times)
  MD5: 7e88081fcf716d85992bb3af3d9b6454
  SHA1: 2153780fbc71061b0102a7a7b665349e1013e250
  SHA256: 5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2
  SHA512: ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Filesize: 1KB
  MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
  SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
  SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
  SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Filesize: 53KB
  MD5: 06ad34f9739c5159b4d92d702545bd49
  SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
  SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
  SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Filesize: 16KB
  MD5: aefb1c8a8cef2fdfea229010328bb621
  SHA1: 3496fc20038d8917ae53248f3f8ff50e6c9f98f2
  SHA256: b2f47031d07fc3fbb19b4a71e571d84e5da0ad978ec9b89bfc53bdddb55904f0
  SHA512: 1b6bdfb85202390157328d2c3a7afb3b7be495a0bc542f73b1df29e5ab60d200d5700ee2c75a324db2f563a1c1d7cc1f5064988f48b9f3b87e5db5136bce4abf

Filesize: 1.5MB  (listed 4 times)
  MD5: 8173e9179a9a1f29d084e32ee3c30c65
  SHA1: f4f6f60a59b6129045bc1ae18667eccb4787d651
  SHA256: 7ada3fa6c166700d7d08cd4fd4503454f515df92d501c5b7ba306f71144b9730
  SHA512: fa1fbb733ef09ac7b9098ca533a131ef5fa24155285c4f5d7b10da36d8ed788e9d0bbc48a4af70b70d78578640634b252fc0c980a7b631f7ed8fe816252ccca9