quasar | 09051ade3d7c8bc6be358107b584eba08fdec0214cfd7c99e4b56f3e1e66d2b5

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pendientes.xls
Size

314KB
MD5

3b4985250d19c9a0d4aa1e772b247075
SHA1

243077c6c342ebbfe77b43ae91da534f9b509f9a
SHA256

09051ade3d7c8bc6be358107b584eba08fdec0214cfd7c99e4b56f3e1e66d2b5
SHA512

8d665cbf861751de50a71e52c4d80baaaaaff15233ea1c4256d85b1d3842625d16287310dea09231b7c1b7915c2adf8e4df25c87a83a367b662b01263e1a2930
SSDEEP

6144:dxEtjPOtioVjDGUU1qfDlavx+W2QnAWIsfKxxOJCSynWqqVP4qk9U6gKfBfUzYKN:QanWqGPdURh2FMCd

Score

10^/10

quasar yop spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

yop

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_OyCjWKeFudCMEKYeJX

Attributes

encryption_key
In08tDaU6GKdLZ8HdsU1
install_name
yors.exe
log_directory
Logs
reconnect_delay
7000
startup_key
crdm
subdirectory
yilk

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4680-157-0x0000000000000000-mapping.dmp	family_quasar
behavioral2/memory/4680-158-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral2/memory/1584-168-0x0000000000000000-mapping.dmp	family_quasar

Executes dropped EXE 6 IoCs

Processes:

LMWLNUZK.exehggfb.sfx.exehggfb.exehggfb.exeyors.exeyors.exe

pid process

3880 LMWLNUZK.exe
3988 hggfb.sfx.exe
1700 hggfb.exe
4680 hggfb.exe
2796 yors.exe
1584 yors.exe

pid	process
3880	LMWLNUZK.exe
3988	hggfb.sfx.exe
1700	hggfb.exe
4680	hggfb.exe
2796	yors.exe
1584	yors.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LMWLNUZK.exehggfb.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	LMWLNUZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	hggfb.sfx.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

99 ip-api.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

hggfb.exeyors.exe

description pid process target process

PID 1700 set thread context of 4680 1700 hggfb.exe hggfb.exe
PID 2796 set thread context of 1584 2796 yors.exe yors.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
99	ip-api.com

description	pid	process	target process
PID 1700 set thread context of 4680	1700	hggfb.exe	hggfb.exe
PID 2796 set thread context of 1584	2796	yors.exe	yors.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2260 schtasks.exe
2648 schtasks.exe

pid	process
2260	schtasks.exe
2648	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1296 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

hggfb.exehggfb.exeyors.exeyors.exe

description	pid	process
Token: SeDebugPrivilege	1700	hggfb.exe
Token: SeDebugPrivilege	4680	hggfb.exe
Token: SeDebugPrivilege	2796	yors.exe
Token: SeDebugPrivilege	1584	yors.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	process
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE
1296	EXCEL.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

EXCEL.EXELMWLNUZK.execmd.exehggfb.sfx.exehggfb.exehggfb.exeyors.exeyors.exe

description	pid	process	target process
PID 1296 wrote to memory of 3880	1296	EXCEL.EXE	LMWLNUZK.exe
PID 1296 wrote to memory of 3880	1296	EXCEL.EXE	LMWLNUZK.exe
PID 1296 wrote to memory of 3880	1296	EXCEL.EXE	LMWLNUZK.exe
PID 3880 wrote to memory of 4764	3880	LMWLNUZK.exe	cmd.exe
PID 3880 wrote to memory of 4764	3880	LMWLNUZK.exe	cmd.exe
PID 3880 wrote to memory of 4764	3880	LMWLNUZK.exe	cmd.exe
PID 4764 wrote to memory of 3988	4764	cmd.exe	hggfb.sfx.exe
PID 4764 wrote to memory of 3988	4764	cmd.exe	hggfb.sfx.exe
PID 4764 wrote to memory of 3988	4764	cmd.exe	hggfb.sfx.exe
PID 3988 wrote to memory of 1700	3988	hggfb.sfx.exe	hggfb.exe
PID 3988 wrote to memory of 1700	3988	hggfb.sfx.exe	hggfb.exe
PID 3988 wrote to memory of 1700	3988	hggfb.sfx.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 1700 wrote to memory of 4680	1700	hggfb.exe	hggfb.exe
PID 4680 wrote to memory of 2260	4680	hggfb.exe	schtasks.exe
PID 4680 wrote to memory of 2260	4680	hggfb.exe	schtasks.exe
PID 4680 wrote to memory of 2260	4680	hggfb.exe	schtasks.exe
PID 4680 wrote to memory of 2796	4680	hggfb.exe	yors.exe
PID 4680 wrote to memory of 2796	4680	hggfb.exe	yors.exe
PID 4680 wrote to memory of 2796	4680	hggfb.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 2796 wrote to memory of 1584	2796	yors.exe	yors.exe
PID 1584 wrote to memory of 2648	1584	yors.exe	schtasks.exe
PID 1584 wrote to memory of 2648	1584	yors.exe	schtasks.exe
PID 1584 wrote to memory of 2648	1584	yors.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\pendientes.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\LMWLNUZK.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\LMWLNUZK.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\hggfb.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Roaming\hggfb.sfx.exe
hggfb.sfx.exe -pzycGfhfjmfgkfukjvcghjfmfcgjhfjmvzgdbwvhlnbmgunyngbncgdpodHghkffiqewhkenjumcjufionJjggvoGgcjfimaabihqmkSKrgqdkfgfgjkfbfknnsracnc -dC:\Users\Admin\AppData\Roaming
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Roaming\hggfb.exe
"C:\Users\Admin\AppData\Roaming\hggfb.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\hggfb.exe
C:\Users\Admin\AppData\Roaming\hggfb.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "crdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\hggfb.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2260

C:\Users\Admin\AppData\Roaming\yilk\yors.exe
"C:\Users\Admin\AppData\Roaming\yilk\yors.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Roaming\yilk\yors.exe
C:\Users\Admin\AppData\Roaming\yilk\yors.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "crdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\yilk\yors.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hggfb.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\LMWLNUZK.exe

Filesize
1.3MB

MD5
83f9a3a9ceb1341d09d6f2b062db2942

SHA1
b13c5a3425c788d92f88e28897864bdfa8061e0c

SHA256
fc59a736bdcb8725ac257500a7548408b909925719b0025665a851ce1419cc30

SHA512
f8bd2c886fa938ed06cb6b843419ebdc77f5177c69b2f92f6cf168ff4606b9535c72f8b31d77236c5ef78d2cf14b4480eb2c5bc07a9430657d1a0efad32b31b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\LMWLNUZK.exe

Filesize
1.3MB

MD5
83f9a3a9ceb1341d09d6f2b062db2942

SHA1
b13c5a3425c788d92f88e28897864bdfa8061e0c

SHA256
fc59a736bdcb8725ac257500a7548408b909925719b0025665a851ce1419cc30

SHA512
f8bd2c886fa938ed06cb6b843419ebdc77f5177c69b2f92f6cf168ff4606b9535c72f8b31d77236c5ef78d2cf14b4480eb2c5bc07a9430657d1a0efad32b31b0

Download Submit
C:\Users\Admin\AppData\Roaming\hggfb.bat

Filesize
155B

MD5
36b087380a7b43cdbee57d069d47acfa

SHA1
e4da07054b9b48016e0b352063fb2bccbdfbc903

SHA256
24256e7e40064a35e24fb5f7b00b6d2bb9b1f104b80c1ef0d744e1c4a8ed4f98

SHA512
43b579077b354bd364e775bf0c369a9052d5ecd0fb8751012aafb9a4b4bdc9489b6f24a55e94381f4c833fbcb9ac35c324b0a89d1f51237e5a9daa56b43c0c15

Download Submit
C:\Users\Admin\AppData\Roaming\hggfb.exe

Filesize
920KB

MD5
697f91e4f23ddc1075d8f23da5403707

SHA1
bdf6f5bbc3009fbb77b93af129040fd92557f156

SHA256
c7d8eeae8c8ef8035d2212be37a62e9cbf5ad1939f0c2e4633cf4afa7b2fb05b

SHA512
a13fdd27b844b094c3d42202e865ecb23900607ddd764030e0f5840d38e190c969075b192945d9e059c6456ed5e2c622473047cfe4f2118219c485ba3b86f154

Download Submit
C:\Users\Admin\AppData\Roaming\hggfb.exe

Filesize
920KB

MD5
697f91e4f23ddc1075d8f23da5403707

SHA1
bdf6f5bbc3009fbb77b93af129040fd92557f156

SHA256
c7d8eeae8c8ef8035d2212be37a62e9cbf5ad1939f0c2e4633cf4afa7b2fb05b

SHA512
a13fdd27b844b094c3d42202e865ecb23900607ddd764030e0f5840d38e190c969075b192945d9e059c6456ed5e2c622473047cfe4f2118219c485ba3b86f154

Download Submit
C:\Users\Admin\AppData\Roaming\hggfb.exe

Filesize
920KB

MD5
697f91e4f23ddc1075d8f23da5403707

SHA1
bdf6f5bbc3009fbb77b93af129040fd92557f156

SHA256
c7d8eeae8c8ef8035d2212be37a62e9cbf5ad1939f0c2e4633cf4afa7b2fb05b

SHA512
a13fdd27b844b094c3d42202e865ecb23900607ddd764030e0f5840d38e190c969075b192945d9e059c6456ed5e2c622473047cfe4f2118219c485ba3b86f154

Download Submit
C:\Users\Admin\AppData\Roaming\hggfb.sfx.exe

Filesize
1.1MB

MD5
d8826dc3cdab837bddf1cdac6070481a

SHA1
807aac5aaf57764f495199f4b3d67a736f999638

SHA256
cb5e44a55e42d31f8764d154dca8cfad0f03adcbffae7cab50032b7cd938257f

SHA512
8a06d8f54d916d4246fb538286c553f750de5c47ec48033001eeb7c8235778a2c26f933ffc40e1a6e62baa150647ee77bdc89fd15ca8fc3c0b2c4995117d9c6c

Download Submit
C:\Users\Admin\AppData\Roaming\hggfb.sfx.exe

Filesize
1.1MB

MD5
d8826dc3cdab837bddf1cdac6070481a

SHA1
807aac5aaf57764f495199f4b3d67a736f999638

SHA256
cb5e44a55e42d31f8764d154dca8cfad0f03adcbffae7cab50032b7cd938257f

SHA512
8a06d8f54d916d4246fb538286c553f750de5c47ec48033001eeb7c8235778a2c26f933ffc40e1a6e62baa150647ee77bdc89fd15ca8fc3c0b2c4995117d9c6c

Download Submit
C:\Users\Admin\AppData\Roaming\yilk\yors.exe

Filesize
920KB

MD5
697f91e4f23ddc1075d8f23da5403707

SHA1
bdf6f5bbc3009fbb77b93af129040fd92557f156

SHA256
c7d8eeae8c8ef8035d2212be37a62e9cbf5ad1939f0c2e4633cf4afa7b2fb05b

SHA512
a13fdd27b844b094c3d42202e865ecb23900607ddd764030e0f5840d38e190c969075b192945d9e059c6456ed5e2c622473047cfe4f2118219c485ba3b86f154

Download Submit
C:\Users\Admin\AppData\Roaming\yilk\yors.exe

Filesize
920KB

MD5
697f91e4f23ddc1075d8f23da5403707

SHA1
bdf6f5bbc3009fbb77b93af129040fd92557f156

SHA256
c7d8eeae8c8ef8035d2212be37a62e9cbf5ad1939f0c2e4633cf4afa7b2fb05b

SHA512
a13fdd27b844b094c3d42202e865ecb23900607ddd764030e0f5840d38e190c969075b192945d9e059c6456ed5e2c622473047cfe4f2118219c485ba3b86f154

Download Submit
C:\Users\Admin\AppData\Roaming\yilk\yors.exe

Filesize
920KB

MD5
697f91e4f23ddc1075d8f23da5403707

SHA1
bdf6f5bbc3009fbb77b93af129040fd92557f156

SHA256
c7d8eeae8c8ef8035d2212be37a62e9cbf5ad1939f0c2e4633cf4afa7b2fb05b

SHA512
a13fdd27b844b094c3d42202e865ecb23900607ddd764030e0f5840d38e190c969075b192945d9e059c6456ed5e2c622473047cfe4f2118219c485ba3b86f154

Download Submit
memory/1296-137-0x00007FF8AB690000-0x00007FF8AB6A0000-memory.dmp

Filesize
64KB

Download
memory/1296-135-0x00007FF8AD8B0000-0x00007FF8AD8C0000-memory.dmp

Filesize
64KB

Download
memory/1296-138-0x00007FF8AB690000-0x00007FF8AB6A0000-memory.dmp

Filesize
64KB

Download
memory/1296-136-0x00007FF8AD8B0000-0x00007FF8AD8C0000-memory.dmp

Filesize
64KB

Download
memory/1296-149-0x00000195A54FF000-0x00000195A5501000-memory.dmp

Filesize
8KB

Download
memory/1296-140-0x00000195A54FF000-0x00000195A5501000-memory.dmp

Filesize
8KB

Download
memory/1296-134-0x00007FF8AD8B0000-0x00007FF8AD8C0000-memory.dmp

Filesize
64KB

Download
memory/1296-132-0x00007FF8AD8B0000-0x00007FF8AD8C0000-memory.dmp

Filesize
64KB

Download
memory/1296-133-0x00007FF8AD8B0000-0x00007FF8AD8C0000-memory.dmp

Filesize
64KB

Download
memory/1296-139-0x00000195A54FF000-0x00000195A5501000-memory.dmp

Filesize
8KB

Download
memory/1584-172-0x0000000006830000-0x000000000683A000-memory.dmp

Filesize
40KB

Download
memory/1584-168-0x0000000000000000-mapping.dmp

Download
memory/1700-150-0x0000000000000000-mapping.dmp

Download
memory/1700-156-0x00000000081D0000-0x0000000008262000-memory.dmp

Filesize
584KB

Download
memory/1700-155-0x00000000086E0000-0x0000000008C84000-memory.dmp

Filesize
5.6MB

Download
memory/1700-154-0x0000000008090000-0x000000000812C000-memory.dmp

Filesize
624KB

Download
memory/1700-153-0x0000000000160000-0x000000000024E000-memory.dmp

Filesize
952KB

Download
memory/2260-164-0x0000000000000000-mapping.dmp

Download
memory/2648-171-0x0000000000000000-mapping.dmp

Download
memory/2796-165-0x0000000000000000-mapping.dmp

Download
memory/3880-141-0x0000000000000000-mapping.dmp

Download
memory/3988-146-0x0000000000000000-mapping.dmp

Download
memory/4680-163-0x0000000006D70000-0x0000000006DAC000-memory.dmp

Filesize
240KB

Download
memory/4680-162-0x0000000006810000-0x0000000006822000-memory.dmp

Filesize
72KB

Download
memory/4680-161-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/4680-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4680-157-0x0000000000000000-mapping.dmp

Download
memory/4764-144-0x0000000000000000-mapping.dmp

Download