Analysis

max time kernel: 143s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2023, 07:26

Static task: static1
Behavioral task: behavioral1
Sample: ce9dbb3a5ca2777c073c0e1c6900e027.exe
Resource: win7-20220812-en
General

Target: ce9dbb3a5ca2777c073c0e1c6900e027.exe
Size: 836KB
MD5: ce9dbb3a5ca2777c073c0e1c6900e027
SHA1: 693fca63059c8b9d462512d83da87fba48cb7d5a
SHA256: 4a181732e82bac9de2926c6982ff94b2f513e8751a76f6eb3bb9eba4f7634f3d
SHA512: 4818fa9a25e5a8c73e146aea3db0c20cdbdd026120e1d246887138da43a98d90d8c381413803b887a5d230ea6a072cba35f100917d38982cfb1046edf5420f7a
SSDEEP: 24576:DWxUa9DVRtT/VocrrfCD6prOOM40gCbuBAjO:DTa9FJvW6p3M4NAj
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Botnet / campaign ID: Office04
C2: 45.138.16.40:4782 (4782 is Quasar's default listener port)
Mutex: 24c78a87-92d6-451f-a83f-8c6ef78bf528
encryption_key: 79B37357B4158ED84F18F4E85B7713CF2D04A0D9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

Note that the install_name (Client.exe) and startup_key in the embedded config are the Quasar builder defaults; the behaviour recorded below shows the operator's outer dropper using its own name (systemx888.exe) and its own persistence (a scheduled task) rather than these values.
Signatures

Quasar payload (1 IoC)
  yara_rule: family_quasar
  resource: behavioral2/memory/2028-141-0x0000000000400000-0x0000000000484000-memory.dmp
  The hit is in the memory of PID 2028 (vbc.exe), not in a file on disk: the unpacked payload exists only inside the hollowed host process.

Executes dropped EXE (1 IoC)
  PID 2432  systemx888.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  by ce9dbb3a5ca2777c073c0e1c6900e027.exe

Uses the Visual Basic .NET compiler for execution (1 TTP)
  vbc.exe is the VB.NET compiler shipped with the .NET Framework (not the VBScript engine). systemx888.exe starts it as a clean, Microsoft-signed host process and then hollows it; see SetThreadContext and WriteProcessMemory below.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 41: api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  PID 2432 (systemx888.exe) set the thread context of PID 2028 (vbc.exe)  [procid_target 86]

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "likely ransomware behaviour"; for a Quasar client, drive enumeration is the normal behaviour of its remote file-manager feature, and nothing else in the recorded behaviour points to ransomware.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 704  schtasks.exe

Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  by ce9dbb3a5ca2777c073c0e1c6900e027.exe
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  by OpenWith.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2028  vbc.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2028  vbc.exe (x2)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 2028  vbc.exe (x2)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4620  OpenWith.exe
  PID 2028  vbc.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  source PID / process                                   -> target PID (procid_target)   count
  2248 ce9dbb3a5ca2777c073c0e1c6900e027.exe              -> 2432 (80)                    3
  2432 systemx888.exe                                    -> 1492 (81)                    3
  1492 cmd.exe                                           -> 704  (84)                    3
  2432 systemx888.exe                                    -> 2028 (86)                    8
  Three writes into each newly created child is the pattern the sandbox records for an ordinary CreateProcess (cmd.exe -> schtasks.exe shows the same three). The eight writes into vbc.exe, combined with the SetThreadContext call above, are the injection that places the Quasar payload at 0x400000 in PID 2028.
Processes

C:\Users\Admin\AppData\Local\Temp\ce9dbb3a5ca2777c073c0e1c6900e027.exe   (PID 2248)
  command line: "C:\Users\Admin\AppData\Local\Temp\ce9dbb3a5ca2777c073c0e1c6900e027.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Roaming\systemx888.exe   (PID 2432)
      command line: "C:\Users\Admin\AppData\Roaming\systemx888.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\SysWOW64\cmd.exe   (PID 1492)
      |   command line: "cmd" /C schtasks /create /tn \pGLCR /tr "C:\Users\Admin\AppData\Roaming\systemx888.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
      |   - Suspicious use of WriteProcessMemory
      |   |
      |   +-- C:\Windows\SysWOW64\schtasks.exe   (PID 704)
      |       command line: schtasks /create /tn \pGLCR /tr "C:\Users\Admin\AppData\Roaming\systemx888.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
      |       - Creates scheduled task(s)
      |       The switches matter: /sc once with /st 00:00 would be a single run, but /ri 60 /du 9999:59 repeats it every 60 minutes for 9999 hours (about 416 days), so the task re-launches systemx888.exe hourly; /f overwrites any existing task named \pGLCR without prompting.
      |
      +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe   (PID 2028)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          (hollowed host for the Quasar payload; see the memory YARA hit and the SetThreadContext signature)

C:\Windows\system32\OpenWith.exe   (PID 4620)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  (a separate root started by COM activation, not a child of the sample; it cannot be attributed to the sample from this tree alone)
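The chain above (drop systemx888.exe into Roaming, register a looping scheduled task for it, hollow vbc.exe) is the part of this report worth turning into detection logic. The script below is an added example written for this page; it is not sandbox output and not Quasar code. Its event list is constructed by hand from the Processes and Signatures sections (PIDs, image paths and command lines copied from the report), the event names ("create", "write_memory", "set_thread_context") are my own, and the eight WriteProcessMemory calls into PID 2028 are collapsed to one entry because the rule only tests for presence. It rebuilds the process tree, decodes the schtasks switches, and flags (1) a scheduled task whose action lives in a user-writable directory or whose "once" schedule is looped with /ri, and (2) WriteProcessMemory plus SetThreadContext from a user-writable image into a binary under C:\Windows.

```python
"""Added triage helper (not part of the sandbox report): rebuild the
process tree from constructed sandbox-style events and flag the two
behaviours this report hinges on."""
import re
from collections import defaultdict

# Constructed from the report: (event, actor_pid, target_pid, image, command_line).
# Memory events carry no image/command line.
EVENTS = [
    ("create", 0, 2248, r"C:\Users\Admin\AppData\Local\Temp\ce9dbb3a5ca2777c073c0e1c6900e027.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ce9dbb3a5ca2777c073c0e1c6900e027.exe"'),
    ("create", 2248, 2432, r"C:\Users\Admin\AppData\Roaming\systemx888.exe",
     r'"C:\Users\Admin\AppData\Roaming\systemx888.exe"'),
    ("create", 2432, 1492, r"C:\Windows\SysWOW64\cmd.exe",
     r'"cmd" /C schtasks /create /tn \pGLCR /tr "C:\Users\Admin\AppData\Roaming\systemx888.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f'),
    ("create", 1492, 704, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn \pGLCR /tr "C:\Users\Admin\AppData\Roaming\systemx888.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f'),
    ("create", 2432, 2028, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'),
    ("write_memory", 2432, 2028, "", ""),        # 8 calls in the report, collapsed to 1
    ("set_thread_context", 2432, 2028, "", ""),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\", re.I)
SCHTASKS = re.compile(r"(^|[\\\s])schtasks(\.exe)?(\s|$)", re.I)


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def schtasks_args(cmdline):
    """{switch: value} for a schtasks invocation; valueless switches such as /f map to True."""
    if not SCHTASKS.search(cmdline):
        return {}
    toks, args, i = tokens(cmdline), {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 1
            else:
                args[key] = True
        i += 1
    return args


def du_minutes(value):
    """schtasks /du is HHHH:MM (max 9999:59); convert to minutes."""
    hours, _, minutes = value.partition(":")
    return int(hours) * 60 + int(minutes or 0)


def check_schtasks(cmdline):
    """Persistence via schtasks: action in a user-writable dir, or a 'once' task looped with /ri."""
    a = schtasks_args(cmdline)
    if "create" not in a or not isinstance(a.get("tr"), str):
        return None
    reasons = []
    if USER_WRITABLE.search(a["tr"]):
        reasons.append("task action lives in a user-writable directory")
    if str(a.get("sc", "")).lower() == "once" and "ri" in a:
        hours = du_minutes(a["du"]) // 60 if "du" in a else 0
        reasons.append(f"/sc once looped with /ri {a['ri']} min for {hours} h")
    if a.get("f") is True:
        reasons.append("/f overwrites any existing task of that name")
    return {"task": a.get("tn"), "target": a["tr"], "reasons": reasons} if reasons else None


def build_tree(events):
    """pid -> image, pid -> parent pid, and the set of memory ops per (actor, target)."""
    image, parent, memops = {}, {}, defaultdict(set)
    for ev, actor, target, img, _cmd in events:
        if ev == "create":
            image[target], parent[target] = img, actor
        else:
            memops[(actor, target)].add(ev)
    return image, parent, memops


def chain(pid, image, parent):
    """Ancestry of pid as image basenames, root first."""
    names = []
    while pid in image:
        names.append(image[pid].rsplit("\\", 1)[-1])
        pid = parent[pid]
    return names[::-1]


def check_hollowing(image, memops):
    """WriteProcessMemory + SetThreadContext from a user-writable image into a Windows binary."""
    hits = []
    for (actor, target), ops in memops.items():
        if {"write_memory", "set_thread_context"} <= ops:
            src, dst = image.get(actor, ""), image.get(target, "")
            if dst.lower().startswith("c:\\windows\\") and USER_WRITABLE.search(src):
                hits.append({"injector": actor, "injector_image": src,
                             "host": target, "host_image": dst})
    return hits


def triage(events):
    """Return [(kind, finding)] with the process chain attached to each finding."""
    image, parent, memops = build_tree(events)
    findings, seen = [], set()
    for ev, _actor, pid, _img, cmd in events:
        f = check_schtasks(cmd) if ev == "create" else None
        if f and (f["task"], f["target"]) not in seen:  # cmd.exe and schtasks.exe carry the same task
            seen.add((f["task"], f["target"]))
            f["chain"] = chain(pid, image, parent)
            findings.append(("persistence", f))
    for h in check_hollowing(image, memops):
        h["chain"] = chain(h["host"], image, parent)
        findings.append(("hollowing", h))
    return findings


if __name__ == "__main__":
    for kind, finding in triage(EVENTS):
        print(kind, "->", " > ".join(finding["chain"]))
        for key, value in finding.items():
            if key != "chain":
                print("   ", key, ":", value)
```

Running it against the constructed events yields two findings: a persistence finding on the cmd.exe command line (task \pGLCR, action in AppData\Roaming, hourly repetition for 9999 h, forced overwrite) and a hollowing finding with the chain ce9dbb3a5ca2777c073c0e1c6900e027.exe > systemx888.exe > vbc.exe. The "three writes per CreateProcess" entries in the report do not trigger the hollowing rule because they never pair with a SetThreadContext call.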
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2.0MB
MD5: d561a17252e9cbb698307f1142f4b524
SHA1: 89490ef9113cad42253894332fb3efe033ca0ad3
SHA256: 9599d3f669b050eda2ca52cf249766c0103d5d4ae3519e09bdeb6944cff31a0f
SHA512: da595d699140110db0614b104d53c8ba71f59ac510ef54f6f8a93fe70c7ac1825acc280d60bdb873544e164cfdcdb0adf1922a216c19a0f0aabaef8eb7a43264
(listed twice in the report with identical hashes; at 2.0MB with different hashes it is not the 836KB submitted sample but a file written during the run)