Analysis
max time kernel: 141s
max time network: 148s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 17/01/2023, 17:09
Behavioral task: behavioral1
Sample: svchost.exe
Resource: win7-20221111-en
General
Target: svchost.exe
Size: 348KB
MD5: 99a2e914bbf4c8410c8c57bf24901919
SHA1: 8af5cc6ebba0bd365fa8accd92610c71380d93f7
SHA256: 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616
SHA512: f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc
SSDEEP: 6144:+uwb/c2L0tR/i/3d96vxbh+fy3+ExETXWg3WKwt4d:hH2L+ive3r+0EqgmK24d
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Tag: Office04
C2 hosts:
- 188.119.45.143:9896
- microsoftstolewindows.duckdns.org:9896
- 192.168.1.52:9896
Mutex: QSR_MUTEX_cXyKUgoh2Hpnny6zAV
encryption_key: GTemocnTKzZZHIqpqBGg
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures

Quasar payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1264-54-0x0000000000CF0000-0x0000000000D4E000-memory.dmp | family_quasar
behavioral1/files/0x00090000000122f6-57.dat | family_quasar
behavioral1/files/0x00090000000122f6-59.dat | family_quasar
behavioral1/files/0x00090000000122f6-60.dat | family_quasar
behavioral1/memory/540-61-0x00000000012A0000-0x00000000012FE000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
pid | Process
540 | svchost.exe

Loads dropped DLL (1 IoC)
pid | Process
1264 | svchost.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\SubDir | svchost.exe
File created | C:\Windows\SysWOW64\SubDir\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\SubDir\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\SubDir\svchost.exe | svchost.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
584 | schtasks.exe
1728 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1264 | svchost.exe
Token: SeDebugPrivilege | 540 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
540 | svchost.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row was reported 4 times)
description | pid | Process | procid_target
PID 1264 wrote to memory of 584 | 1264 | svchost.exe | 29
PID 1264 wrote to memory of 540 | 1264 | svchost.exe | 31
PID 540 wrote to memory of 1728 | 540 | svchost.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  PID: 1264
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f
    PID: 584
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\SubDir\svchost.exe
    command line: "C:\Windows\SysWOW64\SubDir\svchost.exe"
    PID: 540
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\svchost.exe" /rl HIGHEST /f
      PID: 1728
      - Creates scheduled task(s)
Downloads

Filesize: 348KB
MD5: 99a2e914bbf4c8410c8c57bf24901919
SHA1: 8af5cc6ebba0bd365fa8accd92610c71380d93f7
SHA256: 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616
SHA512: f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc