Analysis

max time kernel: 31s
max time network: 85s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2023, 23:51
Behavioral task: behavioral1
Sample: Win64Sys.exe
Resource: win7-20221111-en
General

Target: Win64Sys.exe
Size: 378KB
MD5: 361ee66ffa93eda7d78eb4a5d14bfd57
SHA1: e8157e8283a3f8eb7390d45b98ae4d32c53ce273
SHA256: 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
SHA512: 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6
SSDEEP: 6144:+KMJx4pweP7kJS3irzPchzCSfj654xCbjj0P4MkV45M9TP:+KoSckh9765EAj0NHM9TP
Malware Config

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2: stuhowe.ddns.net:4782
Mutex: QSR_MUTEX_X4mfjPTkLaQEdjHzYF

Attributes
encryption_key: 9FBvOmlVpI0GOzCn9KhI
install_name: Win64Sys.exe
log_directory: Keys
reconnect_delay: 3000
startup_key: Windows x64 System Client
subdirectory: Micosoft
Signatures

Quasar payload (11 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1232-54-0x0000000001020000-0x0000000001084000-memory.dmp  family_quasar
  behavioral1/files/0x000900000001313d-57.dat                                  family_quasar
  behavioral1/files/0x000900000001313d-59.dat                                  family_quasar
  behavioral1/files/0x000900000001313d-60.dat                                  family_quasar
  behavioral1/memory/560-61-0x0000000000C90000-0x0000000000CF4000-memory.dmp   family_quasar
  behavioral1/files/0x000900000001313d-68.dat                                  family_quasar
  behavioral1/files/0x000900000001313d-69.dat                                  family_quasar
  behavioral1/files/0x000900000001313d-70.dat                                  family_quasar
  behavioral1/files/0x000900000001313d-71.dat                                  family_quasar
  behavioral1/files/0x000900000001313d-73.dat                                  family_quasar
  behavioral1/files/0x000900000001313d-75.dat                                  family_quasar

Executes dropped EXE (2 IoCs)
  pid   Process
  560   Win64Sys.exe
  1460  Win64Sys.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1232  Win64Sys.exe
  1416  WerFault.exe  (5 entries)

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1416  560         WerFault.exe  31

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  780   schtasks.exe
  1264  schtasks.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1736  PING.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1232  Win64Sys.exe
  Token: SeDebugPrivilege  560   Win64Sys.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  560   Win64Sys.exe

Suspicious use of WriteProcessMemory (32 IoCs; each row below is logged 4 times)
  description                       pid   Process       procid_target
  PID 1232 wrote to memory of 780   1232  Win64Sys.exe  29
  PID 1232 wrote to memory of 560   1232  Win64Sys.exe  31
  PID 560 wrote to memory of 1264   560   Win64Sys.exe  32
  PID 560 wrote to memory of 304    560   Win64Sys.exe  34
  PID 560 wrote to memory of 1416   560   Win64Sys.exe  36
  PID 304 wrote to memory of 848    304   cmd.exe       37
  PID 304 wrote to memory of 1736   304   cmd.exe       38
  PID 304 wrote to memory of 1460   304   cmd.exe       39
Processes

C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
  PID: 1232
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
      PID: 780
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
      command line: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
      PID: 560
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
          PID: 1264
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\brbHepOetp3w.bat" "
          PID: 304
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com
              command line: chcp 65001
              PID: 848

            C:\Windows\SysWOW64\PING.EXE
              command line: ping -n 10 localhost
              PID: 1736
              - Runs ping.exe

            C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
              command line: "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
              PID: 1460
              - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1480
          PID: 1416
          - Loads dropped DLL
          - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 211B
MD5: 6e7cc9dfd0cf89eebf293d791dc08556
SHA1: 2a3a1dbb224621a48522f7ede541e3c95fd0a16f
SHA256: eb8cc91ce29159d1fc3b0e137eea0d1df2a458e11d26b438f355c27a94ea30b1
SHA512: daf7960c94f0a3729effe207b25ddc44335ca40bc8aa3d43541154d772bab882bebd7aaee0d7765132dc399e4da2f50a7f87f30f331b2dce88d0ff8dbc126bd4

Filesize: 378KB (same hashes as the submitted sample Win64Sys.exe)
MD5: 361ee66ffa93eda7d78eb4a5d14bfd57
SHA1: e8157e8283a3f8eb7390d45b98ae4d32c53ce273
SHA256: 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
SHA512: 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6