Analysis
max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 06/01/2023, 07:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Resource: win10v2004-20220812-en
General
Target: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Size: 2.0MB
MD5: a1ef07a2b47cd13ec724585a65a0054f
SHA1: aea02fd36e9951ef5c30ed91151f6edb3b7520e0
SHA256: 0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549
SHA512: a3941f85e28a0ce48246ef5211afc147b3f552b1108eb7416d532f517a79f4e81f8b7dfceea70032582fa76afb3acd7f1a49ccefc9ab9a2b27b3fdabb01690eb
SSDEEP: 49152:29M4dWzbZTOJDoWTV5+gBzqpUp3D50c9mcPNa1v:2q4dYZTARTf+gB2pUp3DnlMv
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: 192.168.0.56:4782
C2: 192.168.0.161:4782
Mutex: d74dcb52-13c2-402c-ac26-e19c2dffc945
encryption_key: B8ADACB1E9DA8032365BACEF7F44C43740E0CE17
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
resource: behavioral1/memory/1496-67-0x0000000027F80000-0x0000000028004000-memory.dmp
yara_rule: family_quasar

Executes dropped EXE (2 IoCs)
pid   Process
860   sg.tmp
1496  loader.exe

Loads dropped DLL (3 IoCs)
pid   Process
2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description                        pid   Process
Token: SeBackupPrivilege           2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeRestorePrivilege          2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: 33                          2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeIncBasePriorityPrivilege  2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeCreateGlobalPrivilege     2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: 33                          2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeIncBasePriorityPrivilege  2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: 33                          2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeIncBasePriorityPrivilege  2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeRestorePrivilege          860   sg.tmp
Token: 35                          860   sg.tmp
Token: SeSecurityPrivilege         860   sg.tmp
Token: SeSecurityPrivilege         860   sg.tmp
Token: 33                          2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeIncBasePriorityPrivilege  2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
Token: SeDebugPrivilege            1496  loader.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
1496  loader.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid   Process
1496  loader.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                                                 procid_target
PID 2032 wrote to memory of 1992   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  28
PID 2032 wrote to memory of 1992   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  28
PID 2032 wrote to memory of 1992   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  28
PID 2032 wrote to memory of 1992   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  28
PID 2032 wrote to memory of 860    2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  30
PID 2032 wrote to memory of 860    2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  30
PID 2032 wrote to memory of 860    2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  30
PID 2032 wrote to memory of 860    2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  30
PID 2032 wrote to memory of 1496   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  32
PID 2032 wrote to memory of 1496   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  32
PID 2032 wrote to memory of 1496   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  32
PID 2032 wrote to memory of 1496   2032  0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe  32
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe"
  PID: 2032
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c set
    PID: 1992

  Level 2: C:\Users\Admin\AppData\Local\Temp\~5601255605575869330~\sg.tmp
    Command line: 7zG_exe x "C:\Users\Admin\AppData\Local\Temp\0490dda2fe186588483066df7218d19ab4406e462911a4fa4d9ae45c1829a549.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~3450487590977295312"
    PID: 860
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\~3450487590977295312\loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~3450487590977295312\loader.exe"
    PID: 1496
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads