Analysis
Max time kernel: 148s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-11-2022 09:38
Behavioral task: behavioral1
Sample: quasar_clean.exe
Resource: win7-20220901-en
General
Target: quasar_clean.exe
Size: 376KB
MD5: 1e9ac0b5547b0fa980e4ee8529677be5
SHA1: c25c80b4325218cd8e4f4ca11e404293829963f2
SHA256: 191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8
SHA512: e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5
SSDEEP: 6144:B8NHXf500M+4EFC4KQk7lKxbvY67CACSerymKtwe:6d50yAQlbCjSerymmwe
Malware Config
Extracted family: quasar
Version: 1.3.0.0
Botnet: top
C2: dnuocc.com:64594
C2: www.dnuocc.com:64594
Mutex: QSR_MUTEX_NKzsG6279pND1MmPDw
Attributes:
  encryption_key: 6c7zzdS2IXrGaCb9wrMU
  install_name: tors.exe
  log_directory: Logs
  reconnect_delay: 5000
  startup_key: tdm
  subdirectory: tilk
Signatures

Quasar payload (3 IoCs)
  Resource                                                                       YARA rule
  behavioral2/memory/4304-132-0x00000000007E0000-0x000000000083E000-memory.dmp  family_quasar
  C:\Users\Admin\AppData\Roaming\tilk\tors.exe                                   family_quasar
  C:\Users\Admin\AppData\Roaming\tilk\tors.exe                                   family_quasar

Executes dropped EXE (1 IoC)
  PID   Process
  4308  tors.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  12    ip-api.com

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  4588  schtasks.exe
  3912  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  4304  quasar_clean.exe
  Token: SeDebugPrivilege  4308  tors.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process           Target process
  PID 4304 wrote to memory of 4588  4304  quasar_clean.exe  schtasks.exe
  PID 4304 wrote to memory of 4588  4304  quasar_clean.exe  schtasks.exe
  PID 4304 wrote to memory of 4588  4304  quasar_clean.exe  schtasks.exe
  PID 4304 wrote to memory of 4308  4304  quasar_clean.exe  tors.exe
  PID 4304 wrote to memory of 4308  4304  quasar_clean.exe  tors.exe
  PID 4304 wrote to memory of 4308  4304  quasar_clean.exe  tors.exe
  PID 4308 wrote to memory of 3912  4308  tors.exe          schtasks.exe
  PID 4308 wrote to memory of 3912  4308  tors.exe          schtasks.exe
  PID 4308 wrote to memory of 3912  4308  tors.exe          schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\tilk\tors.exe
    Command line: "C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\tilk\tors.exe
  Filesize: 376KB
  MD5: 1e9ac0b5547b0fa980e4ee8529677be5
  SHA1: c25c80b4325218cd8e4f4ca11e404293829963f2
  SHA256: 191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8
  SHA512: e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5
memory/3912-142-0x0000000000000000-mapping.dmp

memory/4304-132-0x00000000007E0000-0x000000000083E000-memory.dmp
  Filesize: 376KB

memory/4304-133-0x0000000005740000-0x0000000005CE4000-memory.dmp
  Filesize: 5.6MB

memory/4304-134-0x0000000005240000-0x00000000052D2000-memory.dmp
  Filesize: 584KB

memory/4304-135-0x00000000053E0000-0x0000000005446000-memory.dmp
  Filesize: 408KB

memory/4304-136-0x0000000006010000-0x0000000006022000-memory.dmp
  Filesize: 72KB

memory/4304-137-0x0000000006440000-0x000000000647C000-memory.dmp
  Filesize: 240KB

memory/4308-139-0x0000000000000000-mapping.dmp

memory/4308-143-0x0000000006D80000-0x0000000006D8A000-memory.dmp
  Filesize: 40KB

memory/4588-138-0x0000000000000000-mapping.dmp