Analysis
max time kernel: 91s
max time network: 108s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 04:24

Behavioral task: behavioral1
Sample: fd9cbccbd2803786c5ea2bf54b22d693.exe
Resource: win7-20221111-en
General
Target: fd9cbccbd2803786c5ea2bf54b22d693.exe
Size: 1.0MB
MD5: fd9cbccbd2803786c5ea2bf54b22d693
SHA1: 97b675207f5679503f89096e7ae99b38b1bea382
SHA256: 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
SHA512: 900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
SSDEEP: 24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc
Malware Config
Extracted
Family: quasar
Version: 2.7.0.0
Botnet: 1877
C2: overthinker1877.duckdns.org:4545
Mutex: xiBqon3YI4gHicsPTt
Attributes:
encryption_key: IshCdNN3oYnjATmMydkq
install_name: 1877.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup

Note: the version string 2.7.0.0 does not correspond to an upstream Quasar release (the open-source project's releases stop at 1.4.x), and the startup key "Venom Client Startup" is consistent with a Quasar-derived fork such as Venom RAT; the extractor reports both under the quasar family because the configuration layout is the same.
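The extracted configuration yields two network indicators that are more durable than the hostname itself: the C2 host:port and the 3000 ms reconnect_delay, which produces a fixed retry interval whenever the C2 is unreachable, plus the ip-api.com lookup flagged under Signatures. The following Python is an added example, not part of the sandbox report or of the Quasar/Venom code base; the flow records are constructed for illustration, and the log line format, the DDNS suffix list and the function names (parse_flows, regular_interval, detect_quasar_beacons) are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the report's extracted configuration.
C2_HOST = "overthinker1877.duckdns.org"
C2_PORT = 4545
RECONNECT_DELAY_S = 3.0            # reconnect_delay = 3000 ms
IP_LOOKUP_HOSTS = {"ip-api.com"}   # "Looks up external IP address via web service"
# Assumption: a short list of dynamic-DNS suffixes commonly used for RAT C2.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

# Constructed flow/proxy log lines: "<ISO timestamp> <src_host> <dst_host> <dst_port>".
# WS-017 mimics the sample retrying its C2 every 3 s and then querying ip-api.com;
# WS-022 is benign update traffic with irregular timing.
SAMPLE_FLOWS = """\
2022-11-24T04:25:01 WS-017 overthinker1877.duckdns.org 4545
2022-11-24T04:25:04 WS-017 overthinker1877.duckdns.org 4545
2022-11-24T04:25:07 WS-017 overthinker1877.duckdns.org 4545
2022-11-24T04:25:10 WS-017 overthinker1877.duckdns.org 4545
2022-11-24T04:25:11 WS-017 ip-api.com 80
2022-11-24T04:25:12 WS-022 update.example.org 443
2022-11-24T04:25:30 WS-022 update.example.org 443
2022-11-24T04:31:00 WS-022 update.example.org 443
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        flows.append((datetime.fromisoformat(ts), src, dst.lower(), int(port)))
    return flows


def regular_interval(times, expected, tolerance=1.0, min_hits=3):
    """True if at least min_hits consecutive gaps are within tolerance seconds of expected."""
    times = sorted(times)
    hits = 0
    for a, b in zip(times, times[1:]):
        gap = (b - a).total_seconds()
        if abs(gap - expected) <= tolerance:
            hits += 1
            if hits >= min_hits:
                return True
        else:
            hits = 0
    return False


def detect_quasar_beacons(flows, c2_host=C2_HOST, c2_port=C2_PORT, delay=RECONNECT_DELAY_S):
    """Return {src_host: [reasons]} for hosts whose traffic matches the report's indicators."""
    by_src_dst = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src_dst[(src, dst, port)].append(ts)

    findings = defaultdict(list)
    for (src, dst, port), times in by_src_dst.items():
        if dst == c2_host and port == c2_port:
            findings[src].append(f"contacted configured C2 {dst}:{port}")
        if dst in IP_LOOKUP_HOSTS:
            findings[src].append(f"external IP lookup via {dst}")
        # The client retries every reconnect_delay ms while the C2 is unreachable, so a
        # fixed inter-arrival time to a DDNS host stays visible even after the name changes.
        if dst.endswith(DYNDNS_SUFFIXES) and regular_interval(times, delay):
            findings[src].append(
                f"{len(times)} connections to DDNS host {dst} at ~{delay:.0f}s interval")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in detect_quasar_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(host)
        for reason in reasons:
            print("   ", reason)
```

The interval check is deliberately the weakest signal of the three: a live C2 session is a single long-lived TCP connection, so the 3 s cadence only shows up while the server is down or blocked. Pair it with the DDNS suffix match rather than using it alone, and keep the tolerance loose enough to absorb DNS resolution time.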
Signatures
Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1748-54-0x0000000000A50000-0x0000000000B60000-memory.dmp | family_quasar
  behavioral1/memory/1292-62-0x0000000000DA0000-0x0000000000EB0000-memory.dmp | family_quasar
  C:\Program Files (x86)\1877.exe | family_quasar

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com

Drops file in Program Files directory (3 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\1877.exe | fd9cbccbd2803786c5ea2bf54b22d693.exe
  File opened for modification | C:\Program Files (x86)\1877.exe | fd9cbccbd2803786c5ea2bf54b22d693.exe
  File created | C:\Program Files (x86)\1877.exe | fd9cbccbd2803786c5ea2bf54b22d693.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this likely ransomware behaviour; for a Quasar-family RAT it is equally consistent with the client enumerating drives for its file-manager and system-information features, so treat it as a low-confidence indicator on its own.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1748 | fd9cbccbd2803786c5ea2bf54b22d693.exe
  Token: SeDebugPrivilege | 1292 | fd9cbccbd2803786c5ea2bf54b22d693.exe

Suspicious use of WriteProcessMemory (20 IoCs; the raw report records each pairing four times)
  description | pid | process | target process
  PID 1748 wrote to memory of 1116 | 1748 | fd9cbccbd2803786c5ea2bf54b22d693.exe | schtasks.exe (x4)
  PID 1748 wrote to memory of 700 | 1748 | fd9cbccbd2803786c5ea2bf54b22d693.exe | cmd.exe (x4)
  PID 700 wrote to memory of 1576 | 700 | cmd.exe | chcp.com (x4)
  PID 700 wrote to memory of 316 | 700 | cmd.exe | PING.EXE (x4)
  PID 700 wrote to memory of 1292 | 700 | cmd.exe | fd9cbccbd2803786c5ea2bf54b22d693.exe (x4)
Processes
[PID 1748] C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [PID 1116] C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  [PID 700] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MtYop1MxI3MZ.bat" "
    - Suspicious use of WriteProcessMemory
    [PID 1576] C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
    [PID 316] C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 10 localhost
      - Runs ping.exe
    [PID 1292] C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
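Two parts of the process tree are worth a host-based detection rule: the schtasks call that registers an ONLOGON task with /rl HIGHEST, and the Temp batch file that sleeps with ping -n 10 localhost before relaunching the sample (Quasar's client restarts itself through a short batch of exactly this shape, which also accounts for the 229-byte MtYop1MxI3MZ.bat). The Python below is an added example, not part of the sandbox report or of the Quasar/Venom code base; the events are constructed from the tree above plus two benign entries, and the (pid, ppid, image, command_line) tuple layout, the rule names and the detect/schtasks_opt function names are this example's own assumptions, not a Sysmon or 4688 schema.

```python
import re
from collections import defaultdict

# Constructed process-creation events shaped like the report's process tree:
# (pid, ppid, image, command_line). Map real Sysmon EID 1 / Security 4688 events
# into this layout before calling detect().
SAMPLE_EVENTS = [
    (1748, 1000, r"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"'),
    (1116, 1748, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f'),
    (700, 1748, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\MtYop1MxI3MZ.bat" "'),
    (1576, 700, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (316, 700, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    (1292, 700, r"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"'),
    # Constructed benign noise: a daily backup task and a script that pings a server.
    (2000, 1500, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'),
    (2100, 1500, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Scripts\check.bat"'),
    (2101, 2100, r"C:\Windows\System32\PING.EXE", "ping -n 2 fileserver"),
]

TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.I)
PING_SLEEP_RE = re.compile(r"\bping\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_opt(cmdline, flag):
    """Value of a schtasks /flag option, quoted or bare; None if the flag is absent."""
    m = re.search(rf'/{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events):
    """Return [(pid, rule, detail)] for events matching the persistence and relaunch patterns."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)

    findings = []
    for pid, ppid, image, cmd in events:
        name = basename(image)

        # Rule 1: schtasks /create with an ONLOGON trigger and /rl HIGHEST, the combination
        # used here for "Venom Client Startup" (ATT&CK T1053.005). Installers rarely need both.
        if name == "schtasks.exe" and "/create" in cmd.lower():
            sc, rl = schtasks_opt(cmd, "sc"), schtasks_opt(cmd, "rl")
            if (sc or "").upper() == "ONLOGON" and (rl or "").upper() == "HIGHEST":
                findings.append((pid, "onlogon_highest_task",
                                 f"task '{schtasks_opt(cmd, 'tn')}' runs "
                                 f"'{schtasks_opt(cmd, 'tr')}' at logon with highest privileges"))

        # Rule 2: cmd.exe running a .bat from %LOCALAPPDATA%\Temp whose children include a
        # ping-based sleep and a relaunch of the parent's own image (Quasar's restart batch).
        if name == "cmd.exe" and TEMP_BAT_RE.search(cmd):
            kids = [by_pid[c] for c in children[pid] if c in by_pid]
            sleeps = any(PING_SLEEP_RE.search(k[2]) for k in kids)
            parent_image = by_pid.get(ppid, (None, "", ""))[1].lower()
            relaunch = any(k[1].lower() == parent_image for k in kids)
            if sleeps and relaunch:
                findings.append((pid, "batch_relaunch",
                                 f"{TEMP_BAT_RE.search(cmd).group(0)} sleeps via ping "
                                 f"and relaunches {parent_image}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{pid}] {rule}: {detail}")
```

Rule 2 keys on the parent/child relationship rather than on the batch file name, which is random per run, and on the ping-to-localhost idiom rather than ping.exe alone, which is far too common to alert on. The chcp 65001 child is left out of the match on purpose: it is part of the same batch, but requiring it would make the rule brittle against a trivially modified fork.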
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\1877.exe
  Filesize: 1.0MB
  MD5: fd9cbccbd2803786c5ea2bf54b22d693
  SHA1: 97b675207f5679503f89096e7ae99b38b1bea382
  SHA256: 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
  SHA512: 900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
  (All four hashes match the submitted sample: the installed copy is a byte-for-byte copy of the original, so the sample's hashes are valid indicators for the persisted file as well.)

C:\Users\Admin\AppData\Local\Temp\MtYop1MxI3MZ.bat
  Filesize: 229B
  MD5: b8b86733b944b25212f576554f15112f
  SHA1: 8591e58c395d2d8c826f59f322459bd69a98695a
  SHA256: 286e70ce8893fa3831a7a81e9cd95bab91d6bd9a85376cc3c996e319ce36980c
  SHA512: 18b6e360b655afd0aae8652631babd3c36cab34a04c62c2059ad28ecd704b68fbe7dd32fd85c87c23ec3db8c1301623b4588bccbcdfa8d477534384821c12a6d

memory/316-60-0x0000000000000000-mapping.dmp
memory/700-57-0x0000000000000000-mapping.dmp
memory/1116-56-0x0000000000000000-mapping.dmp
memory/1292-61-0x0000000000000000-mapping.dmp
memory/1292-62-0x0000000000DA0000-0x0000000000EB0000-memory.dmp
  Filesize: 1.1MB
memory/1576-59-0x0000000000000000-mapping.dmp
memory/1748-54-0x0000000000A50000-0x0000000000B60000-memory.dmp
  Filesize: 1.1MB
memory/1748-55-0x0000000075631000-0x0000000075633000-memory.dmp
  Filesize: 8KB