Analysis

max time kernel: 152s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2023, 07:26
Static task: static1
Behavioral task: behavioral1
Sample: ce9dbb3a5ca2777c073c0e1c6900e027.exe
Resource: win7-20220812-en
General

Target: ce9dbb3a5ca2777c073c0e1c6900e027.exe
Size: 836KB
MD5: ce9dbb3a5ca2777c073c0e1c6900e027
SHA1: 693fca63059c8b9d462512d83da87fba48cb7d5a
SHA256: 4a181732e82bac9de2926c6982ff94b2f513e8751a76f6eb3bb9eba4f7634f3d
SHA512: 4818fa9a25e5a8c73e146aea3db0c20cdbdd026120e1d246887138da43a98d90d8c381413803b887a5d230ea6a072cba35f100917d38982cfb1046edf5420f7a
SSDEEP: 24576:DWxUa9DVRtT/VocrrfCD6prOOM40gCbuBAjO:DTa9FJvW6p3M4NAj
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: 45.138.16.40:4782
Mutex: 24c78a87-92d6-451f-a83f-8c6ef78bf528
encryption_key: 79B37357B4158ED84F18F4E85B7713CF2D04A0D9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (6 IoCs)
resource | yara_rule
behavioral1/memory/1160-73-0x0000000000400000-0x0000000000484000-memory.dmp | family_quasar
behavioral1/memory/1160-74-0x0000000000400000-0x0000000000484000-memory.dmp | family_quasar
behavioral1/memory/1160-75-0x0000000000400000-0x0000000000484000-memory.dmp | family_quasar
behavioral1/memory/1160-76-0x000000000047E7AE-mapping.dmp | family_quasar
behavioral1/memory/1160-78-0x0000000000400000-0x0000000000484000-memory.dmp | family_quasar
behavioral1/memory/1160-80-0x0000000000400000-0x0000000000484000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
pid | Process
1292 | systemx888.exe

Loads dropped DLL (1 IoC)
pid | Process
992 | ce9dbb3a5ca2777c073c0e1c6900e027.exe

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1292 set thread context of 1160 | 1292 | systemx888.exe | 36

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
896 | schtasks.exe

Modifies registry class (10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\sln_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.sln\ = "sln_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\sln_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\sln_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\sln_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.sln | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\sln_auto_file\shell\Read\command | rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1160 | vbc.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1160 | vbc.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid | Process
1160 | vbc.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
828 | AcroRd32.exe
828 | AcroRd32.exe
1160 | vbc.exe
828 | AcroRd32.exe

Suspicious use of WriteProcessMemory (32 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description | pid | Process | procid_target | occurrences
PID 992 wrote to memory of 820 | 992 | ce9dbb3a5ca2777c073c0e1c6900e027.exe | 28 | 7
PID 992 wrote to memory of 1292 | 992 | ce9dbb3a5ca2777c073c0e1c6900e027.exe | 29 | 4
PID 1292 wrote to memory of 1196 | 1292 | systemx888.exe | 30 | 4
PID 1196 wrote to memory of 896 | 1196 | cmd.exe | 32 | 4
PID 820 wrote to memory of 828 | 820 | rundll32.exe | 33 | 4
PID 1292 wrote to memory of 1160 | 1292 | systemx888.exe | 36 | 9
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\ce9dbb3a5ca2777c073c0e1c6900e027.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce9dbb3a5ca2777c073c0e1c6900e027.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 992

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\project.sln
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 820

    [depth 3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\project.sln"
      - Suspicious use of SetWindowsHookEx
      PID: 828

  [depth 2] C:\Users\Admin\AppData\Roaming\systemx888.exe
    Command line: "C:\Users\Admin\AppData\Roaming\systemx888.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1292

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /C schtasks /create /tn \pGLCR /tr "C:\Users\Admin\AppData\Roaming\systemx888.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
      - Suspicious use of WriteProcessMemory
      PID: 1196

      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /tn \pGLCR /tr "C:\Users\Admin\AppData\Roaming\systemx888.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
        - Creates scheduled task(s)
        PID: 896

    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 1160
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 16B
MD5: bcddd763c8b71b8e2f0cffed40d9d346
SHA1: 66ca272298710c520624648ff30e72cda8c2725c
SHA256: e6047eabd547f48e36fefe59fcd5049910a5af9aec74e1255195a13ada20bb25
SHA512: 7efd8db6ade644d558229e39f365775a4bbdc4a8940c2884d7fef6f52f913d3cc7c9f4bd28c70d94351ddf3f6cf30e101e5fcc28b68094aa2c9d56c8f2896f40

Filesize: 2.0MB
MD5: d561a17252e9cbb698307f1142f4b524
SHA1: 89490ef9113cad42253894332fb3efe033ca0ad3
SHA256: 9599d3f669b050eda2ca52cf249766c0103d5d4ae3519e09bdeb6944cff31a0f
SHA512: da595d699140110db0614b104d53c8ba71f59ac510ef54f6f8a93fe70c7ac1825acc280d60bdb873544e164cfdcdb0adf1922a216c19a0f0aabaef8eb7a43264