Analysis
  max time kernel: 169s
  max time network: 213s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-11-2022 09:00
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20221111-en
General
  Target: tmp.exe
  Size: 1.0MB
  MD5: fd9cbccbd2803786c5ea2bf54b22d693
  SHA1: 97b675207f5679503f89096e7ae99b38b1bea382
  SHA256: 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
  SHA512: 900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
  SSDEEP: 24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc
Malware Config
  Extracted
  Family: quasar
  Version: 2.7.0.0
  Botnet: 1877
  C2: overthinker1877.duckdns.org:4545
  Mutex: xiBqon3YI4gHicsPTt
  Attr:
    encryption_key: IshCdNN3oYnjATmMydkq
    install_name: 1877.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Venom Client Startup
Signatures

Quasar payload (1 IoC)
  Processes:
    resource: behavioral2/memory/1384-132-0x00000000007A0000-0x00000000008B0000-memory.dmp
    yara_rule: family_quasar

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 46, ioc: ip-api.com
    flow 68, ioc: api.ipify.org

Drops file in Program Files directory (2 IoCs)
  Processes:
    tmp.exe: File created, ioc: C:\Program Files (x86)\1877.exe
    tmp.exe: File opened for modification, ioc: C:\Program Files (x86)\1877.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    tmp.exe (pid 1384): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    tmp.exe (pid 1384) wrote to memory of schtasks.exe (pid 4948)
    tmp.exe (pid 1384) wrote to memory of schtasks.exe (pid 4948)
    tmp.exe (pid 1384) wrote to memory of schtasks.exe (pid 4948)
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Downloads
  memory/1384-132-0x00000000007A0000-0x00000000008B0000-memory.dmp (filesize 1.1MB)
  memory/1384-133-0x0000000005780000-0x0000000005D24000-memory.dmp (filesize 5.6MB)
  memory/1384-134-0x00000000051D0000-0x0000000005262000-memory.dmp (filesize 584KB)
  memory/1384-135-0x0000000005610000-0x0000000005676000-memory.dmp (filesize 408KB)
  memory/1384-136-0x00000000055E0000-0x00000000055F2000-memory.dmp (filesize 72KB)
  memory/4948-137-0x0000000000000000-mapping.dmp