Analysis

max time kernel: 53s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18/01/2023, 12:18
General

Target: 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe
Size: 348KB
MD5: 3227a70d123b9da999bf150fdf605036
SHA1: 1b959876c589dc17b0d7084a8f3017123e8568af
SHA256: 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87
SHA512: 1c75060b544047c0a6d39822014c85bb5bba8e14b4432b2a291bc9e2b8e55c156f9736d1483f8f8f226961aa663a9fc20919e6d2812faf38ceb2f262e31ae8ae
SSDEEP: 6144:8uwb/c2L0tBYYOtUEbtZTl8MNtX2MwE+:bH2Ll5tVZeMNtX2M7+
Malware Config

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2:
- 188.119.45.143:9896
- microsoftstolewindows.duckdns.org:9896
- 192.168.1.52:9896
Mutex: QSR_MUTEX_ZhL1p5SiHTlBKUYEsI
encryption_key: sBg2G8lxZ2VaMwfKc6V3
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
resource | yara_rule
behavioral1/memory/4936-148-0x0000000000E30000-0x0000000000E8E000-memory.dmp | family_quasar
behavioral1/files/0x000900000001ac2b-218.dat | family_quasar
behavioral1/files/0x000900000001ac2b-244.dat | family_quasar

Executes dropped EXE (1 IoCs)
pid | Process
1720 | svchost.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\SubDir\svchost.exe | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe
File opened for modification | C:\Windows\SysWOW64\SubDir\svchost.exe | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe
File opened for modification | C:\Windows\SysWOW64\SubDir\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\SubDir | svchost.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5108 | schtasks.exe
696 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4936 | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe
Token: SeDebugPrivilege | 1720 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1720 | svchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4936 wrote to memory of 5108 | 4936 | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | 68
PID 4936 wrote to memory of 5108 | 4936 | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | 68
PID 4936 wrote to memory of 5108 | 4936 | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | 68
PID 4936 wrote to memory of 1720 | 4936 | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | 70
PID 4936 wrote to memory of 1720 | 4936 | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | 70
PID 4936 wrote to memory of 1720 | 4936 | 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | 70
PID 1720 wrote to memory of 696 | 1720 | svchost.exe | 71
PID 1720 wrote to memory of 696 | 1720 | svchost.exe | 71
PID 1720 wrote to memory of 696 | 1720 | svchost.exe | 71
Processes

C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4936

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 5108

  C:\Windows\SysWOW64\SubDir\svchost.exe
    Command line: "C:\Windows\SysWOW64\SubDir\svchost.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1720

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\svchost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 696
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 348KB
MD5: 3227a70d123b9da999bf150fdf605036
SHA1: 1b959876c589dc17b0d7084a8f3017123e8568af
SHA256: 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87
SHA512: 1c75060b544047c0a6d39822014c85bb5bba8e14b4432b2a291bc9e2b8e55c156f9736d1483f8f8f226961aa663a9fc20919e6d2812faf38ceb2f262e31ae8ae