Analysis
- max time kernel: 131s
- max time network: 147s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 18/01/2023, 12:11
General
- Target: 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe
- Size: 348KB
- MD5: 99a2e914bbf4c8410c8c57bf24901919
- SHA1: 8af5cc6ebba0bd365fa8accd92610c71380d93f7
- SHA256: 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616
- SHA512: f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc
- SSDEEP: 6144:+uwb/c2L0tR/i/3d96vxbh+fy3+ExETXWg3WKwt4d:hH2L+ive3r+0EqgmK24d
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: Office04
- C2:
  188.119.45.143:9896
  microsoftstolewindows.duckdns.org:9896
  192.168.1.52:9896
- Mutex: QSR_MUTEX_cXyKUgoh2Hpnny6zAV
- encryption_key: GTemocnTKzZZHIqpqBGg
- install_name: svchost.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: svchost
- subdirectory: SubDir
Signatures
- Quasar payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/2700-148-0x0000000000A10000-0x0000000000A6E000-memory.dmp: family_quasar
  behavioral1/files/0x000a00000001ac15-218.dat: family_quasar
  behavioral1/files/0x000a00000001ac15-244.dat: family_quasar
- Executes dropped EXE (1 IoC)
  pid / Process:
  4824: svchost.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  1: ip-api.com
- Drops file in System32 directory (4 IoCs)
  description / ioc / Process:
  File created: C:\Windows\SysWOW64\SubDir\svchost.exe (1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe)
  File opened for modification: C:\Windows\SysWOW64\SubDir\svchost.exe (1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe)
  File opened for modification: C:\Windows\SysWOW64\SubDir\svchost.exe (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\SubDir (svchost.exe)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  2852: schtasks.exe
  3900: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege, 2700, 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe
  Token: SeDebugPrivilege, 4824, svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  4824: svchost.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  PID 2700 wrote to memory of 2852, 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe, target 67 (3 entries)
  PID 2700 wrote to memory of 4824, 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe, target 69 (3 entries)
  PID 4824 wrote to memory of 3900, svchost.exe, target 70 (3 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe"
  PID: 2700
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616.exe" /rl HIGHEST /f
    PID: 2852
    - Creates scheduled task(s)
  - [depth 2] C:\Windows\SysWOW64\SubDir\svchost.exe
    Command line: "C:\Windows\SysWOW64\SubDir\svchost.exe"
    PID: 4824
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\svchost.exe" /rl HIGHEST /f
      PID: 3900
      - Creates scheduled task(s)
Downloads
- Filesize: 348KB
  MD5: 99a2e914bbf4c8410c8c57bf24901919
  SHA1: 8af5cc6ebba0bd365fa8accd92610c71380d93f7
  SHA256: 1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616
  SHA512: f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc
- Second dropped file: identical size and hashes to the entry above