Analysis
max time kernel: 45s
max time network: 103s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2023, 23:11
Behavioral task: behavioral1
Sample: Win64Sys.exe
Resource: win7-20220901-en
General
Target: Win64Sys.exe
Size: 378KB
MD5: 361ee66ffa93eda7d78eb4a5d14bfd57
SHA1: e8157e8283a3f8eb7390d45b98ae4d32c53ce273
SHA256: 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
SHA512: 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6
SSDEEP: 6144:+KMJx4pweP7kJS3irzPchzCSfj654xCbjj0P4MkV45M9TP:+KoSckh9765EAj0NHM9TP
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet (Quasar tag): Office04
C2: stuhowe.ddns.net:4782
Mutex: QSR_MUTEX_X4mfjPTkLaQEdjHzYF
encryption_key: 9FBvOmlVpI0GOzCn9KhI (the master key the 1.3.0.0 client uses to decrypt its embedded settings)
install_name: Win64Sys.exe
log_directory: Keys
reconnect_delay: 3000 (milliseconds)
startup_key: Windows x64 System Client
subdirectory: Micosoft

The install_name, subdirectory and startup_key fields predict the host artefacts recorded further down in this report: a copy of the client at %APPDATA%\Micosoft\Win64Sys.exe and an ONLOGON scheduled task named "Windows x64 System Client". The C2 is a dynamic-DNS hostname on 4782, Quasar's default port.
Signatures

Quasar payload (11 IoCs)
yara_rule family_quasar matched on:
  behavioral1/memory/1496-54-0x0000000000370000-0x00000000003D4000-memory.dmp
  behavioral1/files/0x000a0000000126c8-57.dat
  behavioral1/files/0x000a0000000126c8-59.dat
  behavioral1/files/0x000a0000000126c8-60.dat
  behavioral1/memory/524-61-0x00000000003F0000-0x0000000000454000-memory.dmp
  behavioral1/files/0x000a0000000126c8-67.dat
  behavioral1/files/0x000a0000000126c8-68.dat
  behavioral1/files/0x000a0000000126c8-70.dat
  behavioral1/files/0x000a0000000126c8-71.dat
  behavioral1/files/0x000a0000000126c8-73.dat
  behavioral1/files/0x000a0000000126c8-75.dat

Executes dropped EXE (2 IoCs)
  pid   process
  524   Win64Sys.exe
  1960  Win64Sys.exe

Loads dropped DLL (6 IoCs)
  pid   process
  1496  Win64Sys.exe
  1220  WerFault.exe (five entries)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: "Likely ransomware behaviour" is the sandbox's generic description for this signature. For a RAT that ships a file-manager module, enumerating drives is expected and is not on its own evidence of encryption or ransomware activity; nothing else in this report points that way.

Program crash (1 IoC)
  pid   pid_target  process       procid_target
  1220  524         WerFault.exe  30

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1648  schtasks.exe
  1640  schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   process
  2040  PING.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1496  Win64Sys.exe
  Token: SeDebugPrivilege   524   Win64Sys.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  524   Win64Sys.exe
In Quasar this API is consistent with the keylogger module, which installs a low-level keyboard hook; the log_directory value in the config ("Keys") names the folder its logs go to.

Suspicious use of WriteProcessMemory (32 IoCs)
Each parent/child pair below is logged four times in the report (8 pairs, 32 entries). Target process names are taken from the process tree.
  pid   process       wrote to  target process  procid_target
  1496  Win64Sys.exe  1648      schtasks.exe    28
  1496  Win64Sys.exe  524       Win64Sys.exe    30
  524   Win64Sys.exe  1640      schtasks.exe    31
  524   Win64Sys.exe  1336      cmd.exe         33
  524   Win64Sys.exe  1220      WerFault.exe    35
  1336  cmd.exe       2004      chcp.com        36
  1336  cmd.exe       2040      PING.EXE        37
  1336  cmd.exe       1960      Win64Sys.exe    38
Processes

The bracketed number is the depth the report assigns each process (1 = the submitted sample); the line under each image path is its command line.

[1] C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe  (PID 1496)
    "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1648)
        "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe  (PID 524)
        "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 1640)
            "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
            - Creates scheduled task(s)

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1336)
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\LHDWie8J9eNQ.bat" "
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com  (PID 2004)
                chcp 65001

            [4] C:\Windows\SysWOW64\PING.EXE  (PID 2040)
                ping -n 10 localhost
                - Runs ping.exe

            [4] C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe  (PID 1960)
                "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                - Executes dropped EXE

        [3] C:\Windows\SysWOW64\WerFault.exe  (PID 1220)
            C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1480
            - Loads dropped DLL
            - Program crash

Reading the tree: the submitted sample (PID 1496) first registers an ONLOGON task that points at its own Temp path, then starts the copy installed under %APPDATA%\Micosoft (PID 524; the path is built from the config's subdirectory and install_name). That copy re-registers the same task, now pointing at the Roaming path, and runs LHDWie8J9eNQ.bat from Temp through cmd.exe; the batch switches the code page to 65001, uses ping -n 10 localhost as a roughly ten-second delay, and relaunches the installed copy (PID 1960). PID 524 also crashed during the run (WerFault.exe -p 524). Both tasks run with /rl HIGHEST, so on a machine where the user is a local administrator the client starts elevated at every logon; the task name to hunt for is the config's startup_key.
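The process tree and the extracted config above describe one persistence and restart pattern; the block below is an added example (not part of the sandbox report or of the Quasar project) that turns the config into the artefacts it predicts and runs two detections over process-creation records rebuilt from the tree. PIDs, paths and command lines are the report's; the record shapes, the DNS/connect records and every function name (expected_artefacts, onlogon_persistence, restart_chain, network_matches, cross_check) are constructed for this example. It generalises slightly beyond the page: the C2 parser accepts Quasar's ';'-joined host:port list rather than the single entry shown here.

```python
"""Quasar config -> expected artefacts and IOCs, checked against telemetry.
Added example, not from the sandbox report or the Quasar project. Config
values, PIDs, paths and command lines are the report's; the record shapes,
the DNS/connect records and every function name are constructed here."""
import re
from collections import namedtuple

# Fields as the report's "Malware Config" section lists them.
QUASAR_CONFIG = {
    "hosts": "stuhowe.ddns.net:4782",
    "mutex": "QSR_MUTEX_X4mfjPTkLaQEdjHzYF",
    "install_name": "Win64Sys.exe",
    "subdirectory": "Micosoft",
    "startup_key": "Windows x64 System Client",
}
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming\Micosoft"
SYS = r"C:\Windows\SysWOW64"
TASK = '"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "%s" /rl HIGHEST /f'
# Process-creation records rebuilt from the report's process tree.
PROC_EVENTS = [
    ProcEvent(1496, 0, TEMP + r"\Win64Sys.exe", '"%s\\Win64Sys.exe"' % TEMP),
    ProcEvent(1648, 1496, SYS + r"\schtasks.exe", TASK % (TEMP + r"\Win64Sys.exe")),
    ProcEvent(524, 1496, ROAM + r"\Win64Sys.exe", '"%s\\Win64Sys.exe"' % ROAM),
    ProcEvent(1640, 524, SYS + r"\schtasks.exe", TASK % (ROAM + r"\Win64Sys.exe")),
    ProcEvent(1336, 524, SYS + r"\cmd.exe", 'cmd /c ""%s\\LHDWie8J9eNQ.bat" "' % TEMP),
    ProcEvent(2004, 1336, SYS + r"\chcp.com", "chcp 65001"),
    ProcEvent(2040, 1336, SYS + r"\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(1960, 1336, ROAM + r"\Win64Sys.exe", '"%s\\Win64Sys.exe"' % ROAM),
]
# Constructed network records: the report names ip-api.com and the configured C2
# but captured no connection, so the connect record is what the config predicts.
NET_EVENTS = [
    {"pid": 524, "type": "dns", "name": "ip-api.com"},
    {"pid": 524, "type": "dns", "name": "stuhowe.ddns.net"},
    {"pid": 524, "type": "connect", "host": "stuhowe.ddns.net", "port": 4782},
]
APPDATA_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SCHTASKS_RE = re.compile(r'/tn\s+"(?P<task>[^"]+)".*?/sc\s+(?P<sched>\w+)'
                         r'.*?/tr\s+"(?P<target>[^"]+)".*?/rl\s+(?P<level>\w+)', re.I)
PING_RE = re.compile(r"ping\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)", re.I)


def expected_artefacts(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Install path, task name and C2 list (';'-joined host:port) implied by the config."""
    c2 = []
    for entry in filter(None, cfg["hosts"].split(";")):
        host, _, port = entry.rpartition(":")
        c2.append((host, int(port)))
    return {"install_path": "\\".join([appdata, cfg["subdirectory"], cfg["install_name"]]),
            "task_name": cfg["startup_key"], "mutex": cfg["mutex"], "c2": c2}


def onlogon_persistence(events):
    """schtasks /create with ONLOGON, HIGHEST and an AppData target -> (pid, task, target)."""
    hits = []
    for ev in events:
        m = SCHTASKS_RE.search(ev.cmdline)
        if (ev.image.lower().endswith("\\schtasks.exe") and "/create" in ev.cmdline.lower()
                and m and m["sched"].upper() == "ONLOGON" and m["level"].upper() == "HIGHEST"
                and APPDATA_RE.search(m["target"])):
            hits.append((ev.pid, m["task"], m["target"]))
    return hits


def restart_chain(events):
    """cmd.exe running a Temp .bat whose children are a ping delay and an AppData relaunch."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ev in events:
        cl = ev.cmdline.lower()
        if not (ev.image.lower().endswith("\\cmd.exe") and ".bat" in cl and "\\temp\\" in cl):
            continue
        kids = children.get(ev.pid, [])
        relaunched = [k.image for k in kids if APPDATA_RE.search(k.image)]
        if any(PING_RE.search(k.cmdline) for k in kids) and relaunched:
            hits.append((ev.pid, relaunched[0]))
    return hits


def network_matches(net_events, art):
    """The external-IP lookup plus any DNS/connect record matching a configured C2."""
    hosts = {h for h, _ in art["c2"]}
    out = []
    for ev in net_events:
        if ev["type"] == "dns" and ev["name"] == "ip-api.com":
            out.append(("external_ip_lookup", ev["pid"], ev["name"]))
        elif ev["type"] == "dns" and ev["name"] in hosts:
            out.append(("c2_dns", ev["pid"], ev["name"]))
        elif ev["type"] == "connect" and (ev["host"], ev["port"]) in art["c2"]:
            out.append(("c2_connect", ev["pid"], "%s:%d" % (ev["host"], ev["port"])))
    return out


def cross_check(events, art):
    """Does the config predict what the sandbox actually saw?"""
    images = {ev.image for ev in events}
    tasks = {task for _, task, _ in onlogon_persistence(events)}
    return {"install_path_observed": art["install_path"] in images,
            "task_name_observed": art["task_name"] in tasks}


if __name__ == "__main__":
    art = expected_artefacts(QUASAR_CONFIG)
    print(onlogon_persistence(PROC_EVENTS), restart_chain(PROC_EVENTS),
          network_matches(NET_EVENTS, art), cross_check(PROC_EVENTS, art), sep="\n")
```

Run stand-alone it prints both schtasks hits (PIDs 1648 and 1640, same task name, Temp and Roaming targets), the cmd.exe restart chain (PID 1336 relaunching the Roaming copy), the three network findings, and a cross-check confirming that the install path and task name derived from the config are exactly what the process tree shows. The restart detector keys on the combination (a .bat in Temp, a ping-to-localhost delay, a relaunch from AppData) rather than on any one child, since ping and chcp on their own are noisy.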
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 211B
MD5: 7b49c3185933f598d25cab7834210b37
SHA1: 7d9f46db0bce6fb89329e1065c509ff601f50cde
SHA256: 5b76d5be3de5f26f42326d13c70e17a499ec7973b02b977e87b0b657229317c1
SHA512: c71acc7e28ca385152aa88f97c5842cbbf2a075435b8c59345ca6adadf452c4cecae2ed3f57d549d5930e12acbf660f831b22d36ef67098d5717a15682455a79

Filesize: 378KB
MD5: 361ee66ffa93eda7d78eb4a5d14bfd57
SHA1: e8157e8283a3f8eb7390d45b98ae4d32c53ce273
SHA256: 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
SHA512: 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6

The 378KB entry appears nine times in the report with identical hashes, and those hashes match the submitted sample exactly: the installed copy under %APPDATA%\Micosoft is a byte-for-byte copy of the original, so the sample's file hashes are valid IOCs for the persisted copy as well. The report does not name the 211-byte file.