Analysis

max time kernel: 142s
max time network: 149s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 09:00
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20221111-en
General

Target: tmp.exe
Size: 1.0MB
MD5: fd9cbccbd2803786c5ea2bf54b22d693
SHA1: 97b675207f5679503f89096e7ae99b38b1bea382
SHA256: 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
SHA512: 900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
SSDEEP: 24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc
Malware Config

Extracted

Family: quasar
Version: 2.7.0.0
Botnet: 1877
C2: overthinker1877.duckdns.org:4545
Mutex: xiBqon3YI4gHicsPTt

Attributes:
encryption_key: IshCdNN3oYnjATmMydkq
install_name: 1877.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
Signatures
-
Quasar payload (3 IoCs)

resource                                                                      yara_rule
behavioral1/memory/1656-54-0x0000000000320000-0x0000000000430000-memory.dmp   family_quasar
behavioral1/memory/1712-62-0x00000000013D0000-0x00000000014E0000-memory.dmp   family_quasar
C:\Program Files (x86)\1877.exe                                               family_quasar
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow   ioc
2      ip-api.com
Drops file in Program Files directory (3 IoCs)
Processes: tmp.exe, tmp.exe

description                   ioc                               process
File opened for modification  C:\Program Files (x86)\1877.exe   tmp.exe
File created                  C:\Program Files (x86)\1877.exe   tmp.exe
File created                  C:\Program Files (x86)\1877.exe   tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: tmp.exe, tmp.exe

description               pid    process
Token: SeDebugPrivilege   1656   tmp.exe
Token: SeDebugPrivilege   1712   tmp.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: tmp.exe, cmd.exe

description                        pid    process    target process
PID 1656 wrote to memory of 1776   1656   tmp.exe    schtasks.exe
PID 1656 wrote to memory of 1776   1656   tmp.exe    schtasks.exe
PID 1656 wrote to memory of 1776   1656   tmp.exe    schtasks.exe
PID 1656 wrote to memory of 1776   1656   tmp.exe    schtasks.exe
PID 1656 wrote to memory of 1592   1656   tmp.exe    cmd.exe
PID 1656 wrote to memory of 1592   1656   tmp.exe    cmd.exe
PID 1656 wrote to memory of 1592   1656   tmp.exe    cmd.exe
PID 1656 wrote to memory of 1592   1656   tmp.exe    cmd.exe
PID 1592 wrote to memory of 556    1592   cmd.exe    chcp.com
PID 1592 wrote to memory of 556    1592   cmd.exe    chcp.com
PID 1592 wrote to memory of 556    1592   cmd.exe    chcp.com
PID 1592 wrote to memory of 556    1592   cmd.exe    chcp.com
PID 1592 wrote to memory of 1648   1592   cmd.exe    PING.EXE
PID 1592 wrote to memory of 1648   1592   cmd.exe    PING.EXE
PID 1592 wrote to memory of 1648   1592   cmd.exe    PING.EXE
PID 1592 wrote to memory of 1648   1592   cmd.exe    PING.EXE
PID 1592 wrote to memory of 1712   1592   cmd.exe    tmp.exe
PID 1592 wrote to memory of 1712   1592   cmd.exe    tmp.exe
PID 1592 wrote to memory of 1712   1592   cmd.exe    tmp.exe
PID 1592 wrote to memory of 1712   1592   cmd.exe    tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\O3ijUkpaqLrM.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
            chcp 65001

        C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            - Runs ping.exe

        C:\Users\Admin\AppData\Local\Temp\tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
            - Drops file in Program Files directory
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\1877.exe
Filesize: 1.0MB
MD5: fd9cbccbd2803786c5ea2bf54b22d693
SHA1: 97b675207f5679503f89096e7ae99b38b1bea382
SHA256: 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
SHA512: 900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
-
C:\Users\Admin\AppData\Local\Temp\O3ijUkpaqLrM.bat
Filesize: 200B
MD5: 5ae06be692034cb6eabbf7a96e3edd42
SHA1: d2ac8918df450937b0244eab4910c213db9c70a6
SHA256: 6857e7e978ed598d1f13a8eef9772a5f405d6b08a4ac438d7dc344864d6f684c
SHA512: b569c1e40fb28aea76c010dc912508910dc4bbdd4d1c9d91362b4f43a73bfe5a77eda2cd51c536babcc42c15306a24aa22543f06b0f83f7e9ccebdaec8e6290e
-
memory/556-59-0x0000000000000000-mapping.dmp
-
memory/1592-57-0x0000000000000000-mapping.dmp
-
memory/1648-60-0x0000000000000000-mapping.dmp
-
memory/1656-54-0x0000000000320000-0x0000000000430000-memory.dmp
Filesize: 1.1MB
-
memory/1656-55-0x0000000076221000-0x0000000076223000-memory.dmp
Filesize: 8KB
-
memory/1712-61-0x0000000000000000-mapping.dmp
-
memory/1712-62-0x00000000013D0000-0x00000000014E0000-memory.dmp
Filesize: 1.1MB
-
memory/1776-56-0x0000000000000000-mapping.dmp