Analysis
-
max time kernel
56s -
max time network
63s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
26/01/2023, 06:38
General
-
Target
Client-built.exe
-
Size
502KB
-
MD5
550176cfb9383aa88118ac710a2c6ec2
-
SHA1
d2811a584bcfbaab1a288151f635cc04d43591c3
-
SHA256
c42aab483df3e41b9c4e006cba50655b35606b565c80750637c5fe6aad3f90a6
-
SHA512
a7d9f0f690724b0e385ffd518e9006c6d360f8e68ceec0226ce1ada746daceecf29ee2c79c873bbba2d96fd114fc4e502f004ce4c8e2b1d46249379818c6cf96
-
SSDEEP
6144:VTEgdc0YvXAGbgiIN2RSBnnN+mKRv2F5Etqj+yw4YUcEnOb8F9h9t6QcPcTR32:VTEgdfYnbgDN+gk4KywyXpr9kQcPcd2
Malware Config
Extracted
Family
quasar
Version
1.4.0
Botnet
Office04
C2
192.168.0.195:1604
Mutex
fffd6dc4-1f37-4e65-b7aa-0102dd3decf4
Attributes
-
encryption_key
894D60DF1A73A828E12DB9DF734CD59FBE6522AB
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral1/memory/1216-54-0x0000000000F70000-0x0000000000FF4000-memory.dmp family_quasar -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1216 Client-built.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1216 Client-built.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1216 Client-built.exe