Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
05-01-2023 11:35
Behavioral task
behavioral1
Sample
2.exe
Resource
win7-20220812-en
General
-
Target
2.exe
-
Size
2.7MB
-
MD5
654a5edfc6d36d1d475c50a8c852f2fc
-
SHA1
48c4da32b00cfcaed25486b9494ec515a1773b40
-
SHA256
14df5d1e4b0be12a769c1c8ba950c4c2a192cc4f145dbe9decec59bf2706788b
-
SHA512
9ade8e74584193ddc1f853201b87fb86ba160bf3cc197d17e51109d3b6b46ba1ea658b0a161b2fc321fa12b6ff5466747cc2c0ec71f9fabdacbb356f510752ab
-
SSDEEP
49152:c0xDDQQGj33SmdY5sKfLeG2QRaLaOUaO1kcQu79tlTXCyza32ehyfTAm:c0RQQGj33SGmsKfLeG2QRaGOUaO1kcQ6
Malware Config
Extracted
quasar
1.4.0
Office04
161.97.148.204:1604
dabdfe29-55de-460b-9c36-9570f2b03a88
-
encryption_key
4795EB97A05AE5F4E669D4B7FFF6608D94FC9027
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1916-54-0x0000000000B70000-0x0000000000E30000-memory.dmp family_quasar -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2.exedescription pid process Token: SeDebugPrivilege 1916 2.exe