Analysis
-
max time kernel
50s -
max time network
53s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
26/01/2023, 06:47
General
-
Target
Client-built3.exe
-
Size
502KB
-
MD5
6b55f7d21263bb6aaa7fe11b99e837c1
-
SHA1
bb935e24278d9766a26e5955cdca903aebf25bbc
-
SHA256
02c09bb1b36334803c550b11e0886641a0861eecf07e39dacbe4d7d941a70a0b
-
SHA512
9317b2d8ed858eef173a809befc0ee5c0fcf73ee2853bde1bdcecf84930b36fc2ce4e5fd555df66fad715ed2daafc8aa7a92623c03cf5b0eefde267e0ba45b98
-
SSDEEP
6144:XTEgdc0YOXIX/ir/RKFrzdOwIOKZTR2b1zcEHtb8F94XPrxrRCTWPcTR37:XTEgdfYZ/iaznzXSerxGUcd7
Malware Config
Extracted
Family
quasar
Version
1.4.0
Botnet
Office04
C2
192.168.0.195:1604
192.168.0.1:1604
46.212.113.82:1604
127.0.0.1:1604
fe80::11bf:1ca6:fb14:329b%8 :1604
Mutex
fffd6dc4-1f37-4e65-b7aa-0102dd3decf4
Attributes
-
encryption_key
894D60DF1A73A828E12DB9DF734CD59FBE6522AB
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
100
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral1/memory/1112-54-0x0000000000C60000-0x0000000000CE4000-memory.dmp family_quasar -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1112 Client-built3.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1112 Client-built3.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1112 Client-built3.exe