Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 17:16
Behavioral tasks
- behavioral1: sample "Estado de cuenta.xls", resource win7-20220812-en
- behavioral2: sample "Estado de cuenta.xls", resource win10v2004-20220812-en
General
- Target: Estado de cuenta.xls
- Size: 369KB
- MD5: f5a8b72709235c68196a397174152660
- SHA1: ab863a70358f150e3f0da53c330f7226d46037f4
- SHA256: 858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b
- SHA512: f3b247cbec98ea8423358b589dde1fb5ea17b66efe169e68536cf901f9309e34c3f9883125fd153908150ae680292987b286ede90b461875ac0557ba368579f1
- SSDEEP: 6144:exEtjPOtioVjDGUU1qfDlavx+W2QnAbwYqzklWhUPheJl7Gpe8Kg2nOQcSRWQSSL:GwYqzklavDiknOfySloh16I
Malware Config
Extracted
- family: quasar
- version: 1.3.0.0
- hop
- C2: dnuocc.com:64594, www.dnuocc.com:64594
- mutex: QSR_MUTEX_gKkre5ge46OKHHYV4m
- encryption_key: MWS1P9A8h60dOGbuRmwt
- install_name: hvc.exe
- log_directory: Logs
- reconnect_delay: 4000
- startup_key: hrr
- subdirectory: hik
Signatures
- Quasar payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4304-146-0x0000000000000000-mapping.dmp: family_quasar
  - behavioral2/memory/4304-147-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
  - behavioral2/memory/628-157-0x0000000000000000-mapping.dmp: family_quasar
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  - 4248 CYIGRD.exe
  - 4304 CYIGRD.exe
  - 4184 hvc.exe
  - 628 hvc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CYIGRD.exe\"" (CYIGRD.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrr = "\"C:\\Users\\Admin\\AppData\\Roaming\\hik\\hvc.exe\"" (hvc.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow, ioc):
  - flow 58: ip-api.com
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - set thread context of 4304: pid 4248 CYIGRD.exe, target CYIGRD.exe
  - set thread context of 628: pid 4184 hvc.exe, target hvc.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 4532 schtasks.exe
  - 2300 schtasks.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid, process):
  - 2164 EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, pid 4248 CYIGRD.exe
  - Token: SeDebugPrivilege, pid 4304 CYIGRD.exe
  - Token: SeDebugPrivilege, pid 4184 hvc.exe
  - Token: SeDebugPrivilege, pid 628 hvc.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid, process):
  - 2164 EXCEL.EXE (12 occurrences)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description, pid, process, target process):
  - PID 2164 wrote to memory of 4248: 2164 EXCEL.EXE -> CYIGRD.exe (3 occurrences)
  - PID 4248 wrote to memory of 4304: 4248 CYIGRD.exe -> CYIGRD.exe (8 occurrences)
  - PID 4304 wrote to memory of 4532: 4304 CYIGRD.exe -> schtasks.exe (3 occurrences)
  - PID 4304 wrote to memory of 4184: 4304 CYIGRD.exe -> hvc.exe (3 occurrences)
  - PID 4184 wrote to memory of 628: 4184 hvc.exe -> hvc.exe (8 occurrences)
  - PID 628 wrote to memory of 2300: 628 hvc.exe -> schtasks.exe (3 occurrences)
Processes (process tree; indentation shows the parent/child level)
- [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado de cuenta.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks" /create /tn "hrr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      - [4] C:\Users\Admin\AppData\Roaming\hik\hvc.exe
        command line: "C:\Users\Admin\AppData\Roaming\hik\hvc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Roaming\hik\hvc.exe
          command line: C:\Users\Admin\AppData\Roaming\hik\hvc.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\schtasks.exe
            command line: "schtasks" /create /tn "hrr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\hik\hvc.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CYIGRD.exe.log
  Filesize: 706B
  MD5: d95c58e609838928f0f49837cab7dfd2
  SHA1: 55e7139a1e3899195b92ed8771d1ca2c7d53c916
  SHA256: 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
  SHA512: 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe (listed three times with identical hashes)
  Filesize: 917KB
  MD5: 66c608ebad371c4ba492b284f7a80411
  SHA1: 8bc9f6aa4c94407f0da697f3c7ff44fb02d29497
  SHA256: 136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c
  SHA512: 641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e
- C:\Users\Admin\AppData\Roaming\hik\hvc.exe (listed three times with identical hashes; same file as CYIGRD.exe above)
  Filesize: 917KB
  MD5: 66c608ebad371c4ba492b284f7a80411
  SHA1: 8bc9f6aa4c94407f0da697f3c7ff44fb02d29497
  SHA256: 136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c
  SHA512: 641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e
Memory dumps
- memory/628-161-0x0000000006630000-0x000000000663A000-memory.dmp (40KB)
- memory/628-157-0x0000000000000000-mapping.dmp
- memory/2164-132-0x00007FFA45370000-0x00007FFA45380000-memory.dmp (64KB)
- memory/2164-138-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmp (64KB)
- memory/2164-137-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmp (64KB)
- memory/2164-136-0x00007FFA45370000-0x00007FFA45380000-memory.dmp (64KB)
- memory/2164-135-0x00007FFA45370000-0x00007FFA45380000-memory.dmp (64KB)
- memory/2164-133-0x00007FFA45370000-0x00007FFA45380000-memory.dmp (64KB)
- memory/2164-134-0x00007FFA45370000-0x00007FFA45380000-memory.dmp (64KB)
- memory/2300-160-0x0000000000000000-mapping.dmp
- memory/4184-153-0x0000000000000000-mapping.dmp
- memory/4248-139-0x0000000000000000-mapping.dmp
- memory/4248-145-0x000000000E1B0000-0x000000000E242000-memory.dmp (584KB)
- memory/4248-144-0x000000000E6C0000-0x000000000EC64000-memory.dmp (5.6MB)
- memory/4248-143-0x000000000E070000-0x000000000E10C000-memory.dmp (624KB)
- memory/4248-142-0x00000000008E0000-0x00000000009CE000-memory.dmp (952KB)
- memory/4304-151-0x0000000006580000-0x00000000065BC000-memory.dmp (240KB)
- memory/4304-150-0x0000000006020000-0x0000000006032000-memory.dmp (72KB)
- memory/4304-149-0x0000000004FF0000-0x0000000005056000-memory.dmp (408KB)
- memory/4304-147-0x0000000000400000-0x000000000045E000-memory.dmp (376KB)
- memory/4304-146-0x0000000000000000-mapping.dmp
- memory/4532-152-0x0000000000000000-mapping.dmp