Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
25-01-2023 08:27
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20220901-en
General
-
Target
tmp.exe
-
Size
17KB
-
MD5
f6f83ba3f1e87503941e50b3e50d390f
-
SHA1
6983d00bc9cda93f0da126504d99a851ffef6cea
-
SHA256
3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8
-
SHA512
d9afb2024c16229d1245d1c8faf1a5fb7b1c2a4c2e379078e0c70493c8dedc7fb76be3233c4e9757168382b27b8ae4f17726209af893297fe67838472443e3d4
-
SSDEEP
384:O0CqWx4t+dWNzuY7/aAygucwhb6v/uFi:O0CL4sBTguJmei
Malware Config
Extracted
quasar
1.4.0.0
Office04
51.89.157.248:4782
MvfU8Y7jQptTEqcSWG
-
encryption_key
gfcyUhYEMEq5BWNn8aVX
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1732-73-0x0000000000400000-0x000000000044E000-memory.dmp family_quasar behavioral1/memory/1732-72-0x0000000000400000-0x000000000044E000-memory.dmp family_quasar behavioral1/memory/1732-74-0x0000000000400000-0x000000000044E000-memory.dmp family_quasar behavioral1/memory/1732-75-0x000000000044943E-mapping.dmp family_quasar behavioral1/memory/1732-79-0x0000000000400000-0x000000000044E000-memory.dmp family_quasar behavioral1/memory/1732-77-0x0000000000400000-0x000000000044E000-memory.dmp family_quasar -
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverHelp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\DriverHelp.exe\"" tmp.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmp.exedescription pid process target process PID 1744 set thread context of 1732 1744 tmp.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exetmp.exepid process 1464 powershell.exe 1568 powershell.exe 1744 tmp.exe 1744 tmp.exe 1744 tmp.exe 1744 tmp.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
tmp.exepowershell.exepowershell.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 1744 tmp.exe Token: SeDebugPrivilege 1464 powershell.exe Token: SeDebugPrivilege 1568 powershell.exe Token: SeDebugPrivilege 1732 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exepid process 1732 RegAsm.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
tmp.execmd.exedescription pid process target process PID 1744 wrote to memory of 1464 1744 tmp.exe powershell.exe PID 1744 wrote to memory of 1464 1744 tmp.exe powershell.exe PID 1744 wrote to memory of 1464 1744 tmp.exe powershell.exe PID 1744 wrote to memory of 1464 1744 tmp.exe powershell.exe PID 1744 wrote to memory of 808 1744 tmp.exe cmd.exe PID 1744 wrote to memory of 808 1744 tmp.exe cmd.exe PID 1744 wrote to memory of 808 1744 tmp.exe cmd.exe PID 1744 wrote to memory of 808 1744 tmp.exe cmd.exe PID 808 wrote to memory of 1568 808 cmd.exe powershell.exe PID 808 wrote to memory of 1568 808 cmd.exe powershell.exe PID 808 wrote to memory of 1568 808 cmd.exe powershell.exe PID 808 wrote to memory of 1568 808 cmd.exe powershell.exe PID 1744 wrote to memory of 1524 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1524 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1524 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1524 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1524 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1524 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1524 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 844 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 844 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 844 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 844 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 844 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 844 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 844 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe PID 1744 wrote to memory of 1732 1744 tmp.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5286e0c9841f4a0fe8798dfaf632e0a4d
SHA144555f9b7f7e1813f538492450dd9492ebc1b3f4
SHA25694d3ad3197360a9bd9c4d7c5520b63b9c9acb3ffb28e94cb7b8e5c3178d9b20f
SHA512658f43ba6872ea95af3191256ba08d8a9f320c26018f218c8e7835c94e91d5971296ba2b0c68aca8a6e3e6b247b30b9884941108d5baeae3e95a4612c46984b3
-
memory/808-63-0x0000000000000000-mapping.dmp
-
memory/1464-60-0x000000006F800000-0x000000006FDAB000-memory.dmpFilesize
5.7MB
-
memory/1464-61-0x000000006F800000-0x000000006FDAB000-memory.dmpFilesize
5.7MB
-
memory/1464-58-0x0000000000000000-mapping.dmp
-
memory/1464-62-0x000000006F800000-0x000000006FDAB000-memory.dmpFilesize
5.7MB
-
memory/1568-67-0x000000006F7C0000-0x000000006FD6B000-memory.dmpFilesize
5.7MB
-
memory/1568-64-0x0000000000000000-mapping.dmp
-
memory/1732-72-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1732-69-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1732-70-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1732-73-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1732-74-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1732-75-0x000000000044943E-mapping.dmp
-
memory/1732-79-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1732-77-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1744-56-0x0000000005950000-0x0000000005AC6000-memory.dmpFilesize
1.5MB
-
memory/1744-55-0x0000000075631000-0x0000000075633000-memory.dmpFilesize
8KB
-
memory/1744-57-0x0000000005370000-0x0000000005402000-memory.dmpFilesize
584KB
-
memory/1744-68-0x0000000004EA0000-0x0000000004EFC000-memory.dmpFilesize
368KB
-
memory/1744-54-0x00000000002B0000-0x00000000002BA000-memory.dmpFilesize
40KB