Analysis
- max time kernel: 190s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 04:24
Behavioral task: behavioral1
Sample: fd9cbccbd2803786c5ea2bf54b22d693.exe
Resource: win7-20221111-en
General
- Target: fd9cbccbd2803786c5ea2bf54b22d693.exe
- Size: 1.0MB
- MD5: fd9cbccbd2803786c5ea2bf54b22d693
- SHA1: 97b675207f5679503f89096e7ae99b38b1bea382
- SHA256: 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
- SHA512: 900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
- SSDEEP: 24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc
Malware Config
Extracted
- Family: quasar
- Version: 2.7.0.0
- Botnet: 1877
- C2: overthinker1877.duckdns.org:4545
- Mutex: xiBqon3YI4gHicsPTt
- encryption_key: IshCdNN3oYnjATmMydkq
- install_name: 1877.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Venom Client Startup
Signatures
- Quasar payload (4 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/4576-132-0x0000000000AA0000-0x0000000000BB0000-memory.dmp: family_quasar
  - C:\Program Files (x86)\1877.exe: family_quasar
  - C:\Program Files (x86)\1877.exe: family_quasar
  - C:\Program Files (x86)\1877.exe: family_quasar
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 4832: 1877.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process fd9cbccbd2803786c5ea2bf54b22d693.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 45: ip-api.com
  - flow 96: ip-api.com
- Drops file in Program Files directory (4 IoCs)
  Processes:
  - File created: C:\Program Files (x86)\1877.exe (process fd9cbccbd2803786c5ea2bf54b22d693.exe)
  - File opened for modification: C:\Program Files (x86)\1877.exe (process fd9cbccbd2803786c5ea2bf54b22d693.exe)
  - File created: C:\Program Files (x86)\1877.exe (process fd9cbccbd2803786c5ea2bf54b22d693.exe)
  - File opened for modification: C:\Program Files (x86)\1877.exe (process fd9cbccbd2803786c5ea2bf54b22d693.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - pid 2260: schtasks.exe
  - pid 4428: schtasks.exe
  - pid 1568: schtasks.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes (token, pid, process; number of occurrences in parentheses, 40 in total):
  - SeDebugPrivilege, 4576 fd9cbccbd2803786c5ea2bf54b22d693.exe (1)
  - SeDebugPrivilege, 1008 fd9cbccbd2803786c5ea2bf54b22d693.exe (1)
  - SeBackupPrivilege, 1008 fd9cbccbd2803786c5ea2bf54b22d693.exe (26)
  - SeSecurityPrivilege, 1008 fd9cbccbd2803786c5ea2bf54b22d693.exe (11)
  - SeDebugPrivilege, 4832 1877.exe (1)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (pid process wrote to memory of target pid process; each pair is recorded 3 times, 24 in total):
  - 4576 fd9cbccbd2803786c5ea2bf54b22d693.exe -> 2260 schtasks.exe
  - 4576 fd9cbccbd2803786c5ea2bf54b22d693.exe -> 1260 cmd.exe
  - 1260 cmd.exe -> 3152 chcp.com
  - 1260 cmd.exe -> 2128 PING.EXE
  - 1260 cmd.exe -> 1008 fd9cbccbd2803786c5ea2bf54b22d693.exe
  - 1008 fd9cbccbd2803786c5ea2bf54b22d693.exe -> 4428 schtasks.exe
  - 1008 fd9cbccbd2803786c5ea2bf54b22d693.exe -> 4832 1877.exe
  - 4832 1877.exe -> 1568 schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ponWCq7XIqaf.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (depth 3)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 10 localhost
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      - C:\Program Files (x86)\1877.exe (depth 4)
        Command line: "C:\Program Files (x86)\1877.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (depth 5)
          Command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\1877.exe
  Filesize: 1.0MB
  MD5: fd9cbccbd2803786c5ea2bf54b22d693
  SHA1: 97b675207f5679503f89096e7ae99b38b1bea382
  SHA256: 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
  SHA512: 900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fd9cbccbd2803786c5ea2bf54b22d693.exe.log
  Filesize: 1KB
  MD5: 10eab9c2684febb5327b6976f2047587
  SHA1: a12ed54146a7f5c4c580416aecb899549712449e
  SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
  SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
- C:\Users\Admin\AppData\Local\Temp\ponWCq7XIqaf.bat
  Filesize: 229B
  MD5: 2832ab38b1a9d2d8191467f1afbbf11e
  SHA1: ebb73bb7228073ee1218226dd0ef4b8e99414afa
  SHA256: 1306bed9ae2a970671239ded78f07188d227df1979df1d47c8714a7f97d8e1d3
  SHA512: 8a72afe5d69f50f521fb1dd780d16d41730e9abaf9766d743871d6763b709710967ffeb1a0e71b65860f6ccacc3796ec104f4c397988e27923f5961f04f5d3fb
- memory/1008-150-0x0000000006BE0000-0x0000000006C7C000-memory.dmp
  Filesize: 624KB
- memory/1008-143-0x0000000000000000-mapping.dmp
- memory/1260-139-0x0000000000000000-mapping.dmp
- memory/1568-151-0x0000000000000000-mapping.dmp
- memory/2128-142-0x0000000000000000-mapping.dmp
- memory/2260-138-0x0000000000000000-mapping.dmp
- memory/3152-141-0x0000000000000000-mapping.dmp
- memory/4428-146-0x0000000000000000-mapping.dmp
- memory/4576-137-0x00000000067D0000-0x000000000680C000-memory.dmp
  Filesize: 240KB
- memory/4576-132-0x0000000000AA0000-0x0000000000BB0000-memory.dmp
  Filesize: 1.1MB
- memory/4576-136-0x0000000005AB0000-0x0000000005AC2000-memory.dmp
  Filesize: 72KB
- memory/4576-135-0x0000000005780000-0x00000000057E6000-memory.dmp
  Filesize: 408KB
- memory/4576-134-0x0000000005670000-0x0000000005702000-memory.dmp
  Filesize: 584KB
- memory/4576-133-0x0000000005AE0000-0x0000000006084000-memory.dmp
  Filesize: 5.6MB
- memory/4832-147-0x0000000000000000-mapping.dmp