Analysis
-
max time kernel
148s
-
max time network
153s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
10-11-2022 09:39
Behavioral task
behavioral1
Sample
quasar_clean.exe
Resource
win7-20220812-en
General
-
Target
quasar_clean.exe
-
Size
376KB
-
MD5
1e9ac0b5547b0fa980e4ee8529677be5
-
SHA1
c25c80b4325218cd8e4f4ca11e404293829963f2
-
SHA256
191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8
-
SHA512
e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5
-
SSDEEP
6144:B8NHXf500M+4EFC4KQk7lKxbvY67CACSerymKtwe:6d50yAQlbCjSerymmwe
Malware Config
Extracted
family
quasar
-
version
1.3.0.0
-
botnet
top
-
c2
dnuocc.com:64594
www.dnuocc.com:64594
-
mutex
QSR_MUTEX_NKzsG6279pND1MmPDw
-
encryption_key
6c7zzdS2IXrGaCb9wrMU
-
install_name
tors.exe
-
log_directory
Logs
-
reconnect_delay
5000
-
startup_key
tdm
-
subdirectory
tilk
Signatures
-
Quasar payload 5 IoCs
Processes:
resource                                                                       yara_rule
behavioral1/memory/1956-54-0x0000000000380000-0x00000000003DE000-memory.dmp    family_quasar
\Users\Admin\AppData\Roaming\tilk\tors.exe                                     family_quasar
C:\Users\Admin\AppData\Roaming\tilk\tors.exe                                   family_quasar
C:\Users\Admin\AppData\Roaming\tilk\tors.exe                                   family_quasar
behavioral1/memory/992-61-0x0000000000BC0000-0x0000000000C1E000-memory.dmp     family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
992    tors.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid    process
1956   quasar_clean.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow   ioc
1      ip-api.com
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid    process
1156   schtasks.exe
1676   schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   1956   quasar_clean.exe
Token: SeDebugPrivilege   992    tors.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                          pid    process            target process
PID 1956 wrote to memory of 1156     1956   quasar_clean.exe   schtasks.exe
PID 1956 wrote to memory of 1156     1956   quasar_clean.exe   schtasks.exe
PID 1956 wrote to memory of 1156     1956   quasar_clean.exe   schtasks.exe
PID 1956 wrote to memory of 1156     1956   quasar_clean.exe   schtasks.exe
PID 1956 wrote to memory of 992      1956   quasar_clean.exe   tors.exe
PID 1956 wrote to memory of 992      1956   quasar_clean.exe   tors.exe
PID 1956 wrote to memory of 992      1956   quasar_clean.exe   tors.exe
PID 1956 wrote to memory of 992      1956   quasar_clean.exe   tors.exe
PID 992 wrote to memory of 1676      992    tors.exe           schtasks.exe
PID 992 wrote to memory of 1676      992    tors.exe           schtasks.exe
PID 992 wrote to memory of 1676      992    tors.exe           schtasks.exe
PID 992 wrote to memory of 1676      992    tors.exe           schtasks.exe
Processes
1  C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
   2  C:\Users\Admin\AppData\Roaming\tilk\tors.exe
      command line: "C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\schtasks.exe
         command line: "schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
         - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
376KB
MD5
1e9ac0b5547b0fa980e4ee8529677be5
SHA1
c25c80b4325218cd8e4f4ca11e404293829963f2
SHA256
191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8
SHA512
e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5
-
\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
376KB
MD5
1e9ac0b5547b0fa980e4ee8529677be5
SHA1
c25c80b4325218cd8e4f4ca11e404293829963f2
SHA256
191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8
SHA512
e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5
-
memory/992-58-0x0000000000000000-mapping.dmp
-
memory/992-61-0x0000000000BC0000-0x0000000000C1E000-memory.dmp
Filesize
376KB
-
memory/1156-56-0x0000000000000000-mapping.dmp
-
memory/1676-63-0x0000000000000000-mapping.dmp
-
memory/1956-54-0x0000000000380000-0x00000000003DE000-memory.dmp
Filesize
376KB
-
memory/1956-55-0x0000000075141000-0x0000000075143000-memory.dmp
Filesize
8KB