quasar | 858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b

General

Target

Estado de cuenta.xls
Size

369KB
MD5

f5a8b72709235c68196a397174152660
SHA1

ab863a70358f150e3f0da53c330f7226d46037f4
SHA256

858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b
SHA512

f3b247cbec98ea8423358b589dde1fb5ea17b66efe169e68536cf901f9309e34c3f9883125fd153908150ae680292987b286ede90b461875ac0557ba368579f1
SSDEEP

6144:exEtjPOtioVjDGUU1qfDlavx+W2QnAbwYqzklWhUPheJl7Gpe8Kg2nOQcSRWQSSL:GwYqzklavDiknOfySloh16I

Score

10^/10

quasar hop persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

hop

C2

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_gKkre5ge46OKHHYV4m

Attributes

encryption_key
MWS1P9A8h60dOGbuRmwt
install_name
hvc.exe
log_directory
Logs
reconnect_delay
4000
startup_key
hrr
subdirectory
hik

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4304-146-0x0000000000000000-mapping.dmp	family_quasar
behavioral2/memory/4304-147-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral2/memory/628-157-0x0000000000000000-mapping.dmp	family_quasar

Executes dropped EXE 4 IoCs

Processes:

CYIGRD.exeCYIGRD.exehvc.exehvc.exe

pid process

4248 CYIGRD.exe
4304 CYIGRD.exe
4184 hvc.exe
628 hvc.exe

pid	process
4248	CYIGRD.exe
4304	CYIGRD.exe
4184	hvc.exe
628	hvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CYIGRD.exehvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CYIGRD.exe\""	CYIGRD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrr = "\"C:\\Users\\Admin\\AppData\\Roaming\\hik\\hvc.exe\""	hvc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 ip-api.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

CYIGRD.exehvc.exe

description pid process target process

PID 4248 set thread context of 4304 4248 CYIGRD.exe CYIGRD.exe
PID 4184 set thread context of 628 4184 hvc.exe hvc.exe

flow	ioc
58	ip-api.com

description	pid	process	target process
PID 4248 set thread context of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4184 set thread context of 628	4184	hvc.exe	hvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4532 schtasks.exe
2300 schtasks.exe

pid	process
4532	schtasks.exe
2300	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2164 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CYIGRD.exeCYIGRD.exehvc.exehvc.exe

description	pid	process
Token: SeDebugPrivilege	4248	CYIGRD.exe
Token: SeDebugPrivilege	4304	CYIGRD.exe
Token: SeDebugPrivilege	4184	hvc.exe
Token: SeDebugPrivilege	628	hvc.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EXCEL.EXECYIGRD.exeCYIGRD.exehvc.exehvc.exe

description	pid	process	target process
PID 2164 wrote to memory of 4248	2164	EXCEL.EXE	CYIGRD.exe
PID 2164 wrote to memory of 4248	2164	EXCEL.EXE	CYIGRD.exe
PID 2164 wrote to memory of 4248	2164	EXCEL.EXE	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4248 wrote to memory of 4304	4248	CYIGRD.exe	CYIGRD.exe
PID 4304 wrote to memory of 4532	4304	CYIGRD.exe	schtasks.exe
PID 4304 wrote to memory of 4532	4304	CYIGRD.exe	schtasks.exe
PID 4304 wrote to memory of 4532	4304	CYIGRD.exe	schtasks.exe
PID 4304 wrote to memory of 4184	4304	CYIGRD.exe	hvc.exe
PID 4304 wrote to memory of 4184	4304	CYIGRD.exe	hvc.exe
PID 4304 wrote to memory of 4184	4304	CYIGRD.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 4184 wrote to memory of 628	4184	hvc.exe	hvc.exe
PID 628 wrote to memory of 2300	628	hvc.exe	schtasks.exe
PID 628 wrote to memory of 2300	628	hvc.exe	schtasks.exe
PID 628 wrote to memory of 2300	628	hvc.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado de cuenta.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "hrr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4532

C:\Users\Admin\AppData\Roaming\hik\hvc.exe
"C:\Users\Admin\AppData\Roaming\hik\hvc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Roaming\hik\hvc.exe
C:\Users\Admin\AppData\Roaming\hik\hvc.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "hrr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\hik\hvc.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CYIGRD.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
Filesize
917KB

MD5
66c608ebad371c4ba492b284f7a80411

SHA1
8bc9f6aa4c94407f0da697f3c7ff44fb02d29497

SHA256
136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c

SHA512
641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
Filesize
917KB

MD5
66c608ebad371c4ba492b284f7a80411

SHA1
8bc9f6aa4c94407f0da697f3c7ff44fb02d29497

SHA256
136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c

SHA512
641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CYIGRD.exe
Filesize
917KB

MD5
66c608ebad371c4ba492b284f7a80411

SHA1
8bc9f6aa4c94407f0da697f3c7ff44fb02d29497

SHA256
136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c

SHA512
641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e

Download Submit
C:\Users\Admin\AppData\Roaming\hik\hvc.exe
Filesize
917KB

MD5
66c608ebad371c4ba492b284f7a80411

SHA1
8bc9f6aa4c94407f0da697f3c7ff44fb02d29497

SHA256
136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c

SHA512
641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e

Download Submit
C:\Users\Admin\AppData\Roaming\hik\hvc.exe
Filesize
917KB

MD5
66c608ebad371c4ba492b284f7a80411

SHA1
8bc9f6aa4c94407f0da697f3c7ff44fb02d29497

SHA256
136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c

SHA512
641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e

Download Submit
C:\Users\Admin\AppData\Roaming\hik\hvc.exe
Filesize
917KB

MD5
66c608ebad371c4ba492b284f7a80411

SHA1
8bc9f6aa4c94407f0da697f3c7ff44fb02d29497

SHA256
136eb98aff2b23e84a6c07c1bf90ac429183ffb04e108560448410335699342c

SHA512
641aad97ab54381e18a4d74b0f95863876063e037d8c74155b67ccde2f0666f1bba6330264a90ff8715fd3a2f7832264f9128fd1a95002c44b6084edfa11678e

Download Submit
memory/628-161-0x0000000006630000-0x000000000663A000-memory.dmp

Filesize
40KB

Download
memory/628-157-0x0000000000000000-mapping.dmp

Download
memory/2164-132-0x00007FFA45370000-0x00007FFA45380000-memory.dmp

Filesize
64KB

Download
memory/2164-138-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmp

Filesize
64KB

Download
memory/2164-137-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmp

Filesize
64KB

Download
memory/2164-136-0x00007FFA45370000-0x00007FFA45380000-memory.dmp

Filesize
64KB

Download
memory/2164-135-0x00007FFA45370000-0x00007FFA45380000-memory.dmp

Filesize
64KB

Download
memory/2164-133-0x00007FFA45370000-0x00007FFA45380000-memory.dmp

Filesize
64KB

Download
memory/2164-134-0x00007FFA45370000-0x00007FFA45380000-memory.dmp

Filesize
64KB

Download
memory/2300-160-0x0000000000000000-mapping.dmp

Download
memory/4184-153-0x0000000000000000-mapping.dmp

Download
memory/4248-139-0x0000000000000000-mapping.dmp

Download
memory/4248-145-0x000000000E1B0000-0x000000000E242000-memory.dmp

Filesize
584KB

Download
memory/4248-144-0x000000000E6C0000-0x000000000EC64000-memory.dmp

Filesize
5.6MB

Download
memory/4248-143-0x000000000E070000-0x000000000E10C000-memory.dmp

Filesize
624KB

Download
memory/4248-142-0x00000000008E0000-0x00000000009CE000-memory.dmp

Filesize
952KB

Download
memory/4304-151-0x0000000006580000-0x00000000065BC000-memory.dmp

Filesize
240KB

Download
memory/4304-150-0x0000000006020000-0x0000000006032000-memory.dmp

Filesize
72KB

Download
memory/4304-149-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/4304-147-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4304-146-0x0000000000000000-mapping.dmp

Download
memory/4532-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads