Analysis
max time kernel: 141s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2023, 15:38
Behavioral task: behavioral1
Sample: b5b0a0a082b9f9ed7e1216805dce73dc.exe
Resource: win7-20221111-en
General
Target: b5b0a0a082b9f9ed7e1216805dce73dc.exe
Size: 502KB
MD5: b5b0a0a082b9f9ed7e1216805dce73dc
SHA1: ebc4c036a30a003a399c6c1a6fd96fbd60cbbf35
SHA256: 486a7709a844ef4a1770299b51b3bdd519c8881ea3190705ab7890780998e84a
SHA512: 4c025030525fcbb0de7b7890ccf8c9b9c9e09bb25e1adbdc9f8e5e49097531c7bf4ebde85ec36409e743c3b079133d9527aae70c6bb5dc733aa2a671889b4158
SSDEEP: 6144:ITEgdc0YYXAGbgiIN2RSBMUZz6wudTEDQK6DkQfocEgOb8F9vWlM3lBi0U3vLcTQ:ITEgdfYqbgjqDkwp9WCY0UfLcdm
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: xsaz3412.duckdns.org:4782
Mutex: 339a0ca9-655c-474f-ae0b-8b93c0a5acb0
Attributes:
encryption_key: 5BA53C22C08AF30F643D1CE3AEA974DFD7C76979
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (6 IoCs)
resource                                                                    yara_rule
behavioral1/memory/1704-54-0x0000000000B10000-0x0000000000B94000-memory.dmp   family_quasar
behavioral1/memory/1112-61-0x0000000000FD0000-0x0000000001054000-memory.dmp   family_quasar
behavioral1/memory/1308-74-0x00000000002D0000-0x0000000000354000-memory.dmp   family_quasar
behavioral1/memory/1668-82-0x00000000012A0000-0x0000000001324000-memory.dmp   family_quasar
behavioral1/memory/960-108-0x0000000000200000-0x0000000000284000-memory.dmp   family_quasar
behavioral1/memory/1712-116-0x0000000001270000-0x00000000012F4000-memory.dmp  family_quasar

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 10 IoCs)
pid   Process
2008  PING.EXE
1752  PING.EXE
528   PING.EXE
1352  PING.EXE
472   PING.EXE
1616  PING.EXE
1780  PING.EXE
1788  PING.EXE
1924  PING.EXE
1020  PING.EXE

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description               pid   Process
Token: SeDebugPrivilege   1704  b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   1112  b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   1608  b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   1308  b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   1668  b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   316   b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   360   b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   1192  b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   960   b5b0a0a082b9f9ed7e1216805dce73dc.exe
Token: SeDebugPrivilege   1712  b5b0a0a082b9f9ed7e1216805dce73dc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description                          pid   Process                               procid_target
PID 1704 wrote to memory of 856      1704  b5b0a0a082b9f9ed7e1216805dce73dc.exe  28
PID 1704 wrote to memory of 856      1704  b5b0a0a082b9f9ed7e1216805dce73dc.exe  28
PID 1704 wrote to memory of 856      1704  b5b0a0a082b9f9ed7e1216805dce73dc.exe  28
PID 856 wrote to memory of 1904      856   cmd.exe                               30
PID 856 wrote to memory of 1904      856   cmd.exe                               30
PID 856 wrote to memory of 1904      856   cmd.exe                               30
PID 856 wrote to memory of 472       856   cmd.exe                               31
PID 856 wrote to memory of 472       856   cmd.exe                               31
PID 856 wrote to memory of 472       856   cmd.exe                               31
PID 856 wrote to memory of 1112      856   cmd.exe                               32
PID 856 wrote to memory of 1112      856   cmd.exe                               32
PID 856 wrote to memory of 1112      856   cmd.exe                               32
PID 1112 wrote to memory of 1364     1112  b5b0a0a082b9f9ed7e1216805dce73dc.exe  33
PID 1112 wrote to memory of 1364     1112  b5b0a0a082b9f9ed7e1216805dce73dc.exe  33
PID 1112 wrote to memory of 1364     1112  b5b0a0a082b9f9ed7e1216805dce73dc.exe  33
PID 1364 wrote to memory of 1856     1364  cmd.exe                               35
PID 1364 wrote to memory of 1856     1364  cmd.exe                               35
PID 1364 wrote to memory of 1856     1364  cmd.exe                               35
PID 1364 wrote to memory of 1020     1364  cmd.exe                               36
PID 1364 wrote to memory of 1020     1364  cmd.exe                               36
PID 1364 wrote to memory of 1020     1364  cmd.exe                               36
PID 1364 wrote to memory of 1608     1364  cmd.exe                               37
PID 1364 wrote to memory of 1608     1364  cmd.exe                               37
PID 1364 wrote to memory of 1608     1364  cmd.exe                               37
PID 1608 wrote to memory of 1224     1608  b5b0a0a082b9f9ed7e1216805dce73dc.exe  38
PID 1608 wrote to memory of 1224     1608  b5b0a0a082b9f9ed7e1216805dce73dc.exe  38
PID 1608 wrote to memory of 1224     1608  b5b0a0a082b9f9ed7e1216805dce73dc.exe  38
PID 1224 wrote to memory of 1376     1224  cmd.exe                               40
PID 1224 wrote to memory of 1376     1224  cmd.exe                               40
PID 1224 wrote to memory of 1376     1224  cmd.exe                               40
PID 1224 wrote to memory of 2008     1224  cmd.exe                               41
PID 1224 wrote to memory of 2008     1224  cmd.exe                               41
PID 1224 wrote to memory of 2008     1224  cmd.exe                               41
PID 1224 wrote to memory of 1308     1224  cmd.exe                               42
PID 1224 wrote to memory of 1308     1224  cmd.exe                               42
PID 1224 wrote to memory of 1308     1224  cmd.exe                               42
PID 1308 wrote to memory of 960      1308  b5b0a0a082b9f9ed7e1216805dce73dc.exe  43
PID 1308 wrote to memory of 960      1308  b5b0a0a082b9f9ed7e1216805dce73dc.exe  43
PID 1308 wrote to memory of 960      1308  b5b0a0a082b9f9ed7e1216805dce73dc.exe  43
PID 960 wrote to memory of 1560      960   cmd.exe                               45
PID 960 wrote to memory of 1560      960   cmd.exe                               45
PID 960 wrote to memory of 1560      960   cmd.exe                               45
PID 960 wrote to memory of 1752      960   cmd.exe                               46
PID 960 wrote to memory of 1752      960   cmd.exe                               46
PID 960 wrote to memory of 1752      960   cmd.exe                               46
PID 960 wrote to memory of 1668      960   cmd.exe                               47
PID 960 wrote to memory of 1668      960   cmd.exe                               47
PID 960 wrote to memory of 1668      960   cmd.exe                               47
PID 1668 wrote to memory of 760      1668  b5b0a0a082b9f9ed7e1216805dce73dc.exe  48
PID 1668 wrote to memory of 760      1668  b5b0a0a082b9f9ed7e1216805dce73dc.exe  48
PID 1668 wrote to memory of 760      1668  b5b0a0a082b9f9ed7e1216805dce73dc.exe  48
PID 760 wrote to memory of 1716      760   cmd.exe                               50
PID 760 wrote to memory of 1716      760   cmd.exe                               50
PID 760 wrote to memory of 1716      760   cmd.exe                               50
PID 760 wrote to memory of 1616      760   cmd.exe                               51
PID 760 wrote to memory of 1616      760   cmd.exe                               51
PID 760 wrote to memory of 1616      760   cmd.exe                               51
PID 760 wrote to memory of 316       760   cmd.exe                               52
PID 760 wrote to memory of 316       760   cmd.exe                               52
PID 760 wrote to memory of 316       760   cmd.exe                               52
PID 316 wrote to memory of 916       316   b5b0a0a082b9f9ed7e1216805dce73dc.exe  53
PID 316 wrote to memory of 916       316   b5b0a0a082b9f9ed7e1216805dce73dc.exe  53
PID 316 wrote to memory of 916       316   b5b0a0a082b9f9ed7e1216805dce73dc.exe  53
PID 916 wrote to memory of 616       916   cmd.exe                               55
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
  PID: 1704
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkyHZXGv6TsR.bat" "
    PID: 856
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 1904
    C:\Windows\system32\PING.EXE
      Command line: ping -n 10 localhost
      PID: 472
      Signatures: Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
      PID: 1112
      Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7VbLAAQpN2rk.bat" "
        PID: 1364
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com
          Command line: chcp 65001
          PID: 1856
        C:\Windows\system32\PING.EXE
          Command line: ping -n 10 localhost
          PID: 1020
          Signatures: Runs ping.exe
        C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
          PID: 1608
          Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          C:\Windows\system32\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0LY2d5Tiaab7.bat" "
            PID: 1224
            Signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com
              Command line: chcp 65001
              PID: 1376
            C:\Windows\system32\PING.EXE
              Command line: ping -n 10 localhost
              PID: 2008
              Signatures: Runs ping.exe
            C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
              PID: 1308
              Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              C:\Windows\system32\cmd.exe
                Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGOdG5JQRtBM.bat" "
                PID: 960
                Signatures: Suspicious use of WriteProcessMemory
                C:\Windows\system32\chcp.com
                  Command line: chcp 65001
                  PID: 1560
                C:\Windows\system32\PING.EXE
                  Command line: ping -n 10 localhost
                  PID: 1752
                  Signatures: Runs ping.exe
                C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                  PID: 1668
                  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  C:\Windows\system32\cmd.exe
                    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jfp5A4Gc3Wpd.bat" "
                    PID: 760
                    Signatures: Suspicious use of WriteProcessMemory
                    C:\Windows\system32\chcp.com
                      Command line: chcp 65001
                      PID: 1716
                    C:\Windows\system32\PING.EXE
                      Command line: ping -n 10 localhost
                      PID: 1616
                      Signatures: Runs ping.exe
                    C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                      Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                      PID: 316
                      Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      C:\Windows\system32\cmd.exe
                        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\L8lAiZ6HXr4I.bat" "
                        PID: 916
                        Signatures: Suspicious use of WriteProcessMemory
                        C:\Windows\system32\chcp.com
                          Command line: chcp 65001
                          PID: 616
                        C:\Windows\system32\PING.EXE
                          Command line: ping -n 10 localhost
                          PID: 1780
                          Signatures: Runs ping.exe
                        C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                          Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                          PID: 360
                          Signatures: Suspicious use of AdjustPrivilegeToken
                          C:\Windows\system32\cmd.exe
                            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0d0OrJimuLju.bat" "
                            PID: 1608
                            C:\Windows\system32\chcp.com
                              Command line: chcp 65001
                              PID: 852
                            C:\Windows\system32\PING.EXE
                              Command line: ping -n 10 localhost
                              PID: 1788
                              Signatures: Runs ping.exe
                            C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                              Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                              PID: 1192
                              Signatures: Suspicious use of AdjustPrivilegeToken
                              C:\Windows\system32\cmd.exe
                                Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\f23xtBzx7SBw.bat" "
                                PID: 1764
                                C:\Windows\system32\chcp.com
                                  Command line: chcp 65001
                                  PID: 1688
                                C:\Windows\system32\PING.EXE
                                  Command line: ping -n 10 localhost
                                  PID: 528
                                  Signatures: Runs ping.exe
                                C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                  Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                  PID: 960
                                  Signatures: Suspicious use of AdjustPrivilegeToken
                                  C:\Windows\system32\cmd.exe
                                    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DU2rtXozgH2L.bat" "
                                    PID: 1160
                                    C:\Windows\system32\chcp.com
                                      Command line: chcp 65001
                                      PID: 1716
                                    C:\Windows\system32\PING.EXE
                                      Command line: ping -n 10 localhost
                                      PID: 1352
                                      Signatures: Runs ping.exe
                                    C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                      Command line: "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                      PID: 1712
                                      Signatures: Suspicious use of AdjustPrivilegeToken
                                      C:\Windows\system32\cmd.exe
                                        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QzoNwL5GGTkQ.bat" "
                                        PID: 1032
                                        C:\Windows\system32\chcp.com
                                          Command line: chcp 65001
                                          PID: 1760
                                        C:\Windows\system32\PING.EXE
                                          Command line: ping -n 10 localhost
                                          PID: 1924
                                          Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 229B
MD5: 380812886c3ab0761efeda0128ffb7e2
SHA1: fb289352c8aafaadd7911a906db0c47cec1a064b
SHA256: 1f627971a27d8865483cbf2e76e70b6bf8b50416d2f84473ffa8dae35c4a36a2
SHA512: c0fbce0ca1cd28a8b2f16c7116eb0a9a4ba4b521ede17bda51828bfab75cd2c7d6158aee3fe0714d17965c5b1ff1bace0ed83ed18876d4ff8772c4297d5353c4

Filesize: 229B
MD5: fc16046049e28a70616b7250c950e721
SHA1: d9bdebe1a209067205d1899fd9e47f7e8927c437
SHA256: 639433c6119f8031e796654be8ec32eb1308bf437e7f5a96b677159e355d6dfc
SHA512: 56aca8ed785f08b4aef31cc11d20da1e9bec6a7b712aa380d5cb5048745e3b265a22f4dd01c3e6f997fa7b40edb3d496721b90f0bd7391d461df326bc6f87aa4

Filesize: 229B
MD5: 2cf6a76968c464a93424251299050c27
SHA1: e8edc3c89689aa68368e19a2f781dbb5dc00789c
SHA256: e54457cfabdc37b18a596cf6bd0a07a574b4ce8e5f152a2e00b6391e4a3b5b5d
SHA512: bdd173a5ac84f1ef4791a259241dc5854b765c7c342e812b01146074d6e8f7670d9ebf64095e9098d38e7edee39417fe90a936d3a2a6d1e0853a5844763df55f

Filesize: 229B
MD5: 0061bef0579ad82c9464479b770e36ca
SHA1: ff186a9595b1f3c819d0ae21905d8f9f43ad6f11
SHA256: 049868ebc586754a35d767cb9fc167a09ca2b39ef39cd26a527b99dfe0e5720a
SHA512: 02033856441d0289d2da90fa8bd501968a0af29ce8eb2f73fdd253a322380d2ab8e8b407f167ab3c58ff64bff9a60f07b5612ba6364b7cc221022dfc87a984f5

Filesize: 229B
MD5: b786555f80f1fc43d5ea9a1077cb3ccc
SHA1: 49e2a771099adea53ea571845b71a46ce95d32d3
SHA256: b5b7a8dfd063fea057e89004ed708dbeaea6d32a75a04b400cf2358416633e47
SHA512: 92c06123f42a3b21cb44e0cbab5adf597b426fb93b22468f3471c5c76fec543285384c4dba387dac4bd720a7658b3cf3667aa4f57d8effb3ef45c5191cdb144a

Filesize: 229B
MD5: 1e7f748b6bd6ab549c9290a0a100face
SHA1: 1b53ead68e7ad676ae2284d7b76295da4d35913c
SHA256: 31c1fca669515d77804e1394096ee4133eb1673a62ab3d95090d22ba5a9cb613
SHA512: b48a046c6dd08e9dd8435704ae407827ad7bd314af00dd2b1f2dbc9ef59237b429276af6951a42607998794b74e6583ade6f80fd44c3af812cc7d9b06557bb9d

Filesize: 229B
MD5: c1cd380e43107175b23b5a73396244ff
SHA1: b8778e75f1f5eb329428fde45f3c240f81c3d537
SHA256: efa152c728ab1237d6e911c5fdd767ddf9bad20fc7c1f8ce70e82d11bf8a702f
SHA512: 5cb15de29f1f65d83bb09788663acd466eb238374ac0c308bd72d1bf2398b7545e84718c0df7c046b7257d1ee0a50b84c41ce100da2be1e19e94dc0853715c27

Filesize: 229B
MD5: 5fa41d94434097a4877ced62f1560b7b
SHA1: 859cd2d711cf7f5051d44862cc49b5a6c6f274b9
SHA256: 6bd6afb90db6c381aaf7511f1af41a1b139172eb74eea2ed2123f49684df4487
SHA512: 6381bdadea3573cfa8065ee3c87d5246440a72a3f0869144e8942db9e3f5870a162ac3b32e52381869433765c74a87861f456bc2d8fbc56c83282314638a98aa

Filesize: 229B
MD5: 1edf9995ac0f9162d2395b39e1501983
SHA1: b43f18c3781cb2237f4d2f1913968c6645136015
SHA256: 3e6d0d6d16b8fe15bfe5caa978dcf25d4f8b7e6fc96db11d601cce0f28a5b588
SHA512: eb87f94bbaadbf93dd5a24095ca2aff284952fc9dda5b82f5143f73fb84ffaf1e632d065498965aa7297be0dc8b25e5c7f1790b7906f8c5beb3cb014b5d82f07

Filesize: 229B
MD5: cd55f74a62d556a87a61d5aebad8a1c1
SHA1: 296451e9a9ab89477bae557fd1888678dc270acf
SHA256: aac4b080555a69fb77a1842459fe153f8a5ca583e5be1cce63afc93d288b4ba1
SHA512: eaca5921be3222ea529a246a82e7afafa054b78c603bbae01a571fc29fb4a9c344ff902fc8c2be1383cf010d1684f8e0205d7c34425210e78e5ef96012a638b1