Analysis
max time kernel: 130s
max time network: 144s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2023 21:28
Static task: static1
Behavioral task: behavioral1
  Sample: b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe
  Resource: win10v2004-20221111-en
General
Target: b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe
Size: 983KB
MD5: d87b2ef3227b9fa712f51714bbe8e337
SHA1: a06b25c0cf16f967ef40c4832dd43bca88f2147d
SHA256: b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34
SHA512: 66fb810ae7d5111a6da552fca4644370a367922583aba20c453d68ce74c6dba0216d418f03683ea50924149e4232d9d2a5708d305f7c5d611feb13b967170716
SSDEEP: 24576:Q+tPSg5/YGpKxU8zx+uf8j4L/AlxNemsDSdGsr:XtPS9K8FbUjgAlxNfs+Z
Malware Config
Extracted
family: quasar
version: 1.3.0.0
test 1
C2: 192.168.68.109:8080
mutex: QSR_MUTEX_mEw8e7d5JFnWElKx6H
encryption_key: sh96FHUHgXB5ZJsysAr5
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (7 IoCs)
  resource -> yara_rule
  C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe -> family_quasar
  C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe -> family_quasar
  behavioral1/memory/1736-59-0x0000000000970000-0x00000000009CE000-memory.dmp -> family_quasar
  \Users\Admin\AppData\Roaming\SubDir\Client.exe -> family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe -> family_quasar
  behavioral1/memory/1160-66-0x00000000009B0000-0x0000000000A0E000-memory.dmp -> family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe -> family_quasar

Executes dropped EXE (2 IoCs)
  pid   process
  1736  Ifdsjk.exe
  1160  Client.exe

Loads dropped DLL (1 IoC)
  pid   process
  1736  Ifdsjk.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1248  schtasks.exe
  1960  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1736  Ifdsjk.exe
  Token: SeDebugPrivilege   1160  Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1160  Client.exe

Suspicious use of WriteProcessMemory (16 IoCs; each row below was recorded 4 times)
  description                        pid   process                                                                  target process
  PID 1516 wrote to memory of 1736   1516  b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe    Ifdsjk.exe
  PID 1736 wrote to memory of 1248   1736  Ifdsjk.exe                                                               schtasks.exe
  PID 1736 wrote to memory of 1160   1736  Ifdsjk.exe                                                               Client.exe
  PID 1160 wrote to memory of 1960   1160  Client.exe                                                               schtasks.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe" /rl HIGHEST /f
            - Creates scheduled task(s)

        [3] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe
                command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe
  Filesize: 348KB
  MD5: d9377c1894b735309457007cecd1fa92
  SHA1: e3e2409a2e1fdf260b22d5208bf51747f016f572
  SHA256: 7815ef2cee02e24e83e601939d364ddfef3ef7371b35e2cb3d8b290d68e699c4
  SHA512: 1577932188584e84c2f589c1c2678994955902a1fe0b8158f88471c5ffb093650d437d896211afe04fca3ff75d8db7640ae83b4c41457a105de8fb0aabea8d6e

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (also recorded as \Users\Admin\AppData\Roaming\SubDir\Client.exe)
  Filesize: 348KB
  MD5: d9377c1894b735309457007cecd1fa92
  SHA1: e3e2409a2e1fdf260b22d5208bf51747f016f572
  SHA256: 7815ef2cee02e24e83e601939d364ddfef3ef7371b35e2cb3d8b290d68e699c4
  SHA512: 1577932188584e84c2f589c1c2678994955902a1fe0b8158f88471c5ffb093650d437d896211afe04fca3ff75d8db7640ae83b4c41457a105de8fb0aabea8d6e

The two dropped files carry identical hashes: Client.exe is a byte-for-byte copy of Ifdsjk.exe, written to the subdirectory (SubDir) and under the install name (Client.exe) given in the extracted configuration, and the scheduled task name "Quasar Client Startup" matches the configured startup_key.

memory/1160-63-0x0000000000000000-mapping.dmp
memory/1160-66-0x00000000009B0000-0x0000000000A0E000-memory.dmp (Filesize: 376KB)
memory/1248-61-0x0000000000000000-mapping.dmp
memory/1516-54-0x00000000000C0000-0x00000000001BC000-memory.dmp (Filesize: 1008KB)
memory/1516-55-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp (Filesize: 8KB)
memory/1736-60-0x0000000075111000-0x0000000075113000-memory.dmp (Filesize: 8KB)
memory/1736-59-0x0000000000970000-0x00000000009CE000-memory.dmp (Filesize: 376KB)
memory/1736-56-0x0000000000000000-mapping.dmp
memory/1960-68-0x0000000000000000-mapping.dmp