Overview

overview

10

Static

static

1

105B3E33E3...3C.exe

windows7-x64

10

105B3E33E3...3C.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 20:26

Sharing

Copy URL
Twitter E-mail

General

  • Target

    105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe

  • Size

    2MB

  • MD5

    b162ab57ef8877c9ab873932e3025039

  • SHA1

    f7f290cf666bc4e8877a5ef09b8ed1ab8291638f

  • SHA256

    105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2

  • SHA512

    13927b2df2e9aeaf601def099b7f006383937f2984344571150a45aad034a85cd13832874c8382a76a8725600cb8439820fb8d691af90f7bf8ce859b8fe1e51d

  • SSDEEP

    24576:EMRpqU3LsGw9tDW06PHAHHeO4ElrkWUZlDd09H7YgngNXN4dXh5nfr2Sd5+ZiTt+:lu95k+X/nT2SdQat/cM7Zcm2

Score
10/10
quasarpure____1evasionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Pure____1

C2

sabifati.linkpc.net:4784

deli.mywire.org:4784

Attributes
  • encryption_key

    78BC50021362B61652204981B13FE17E053A03F1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Nirsoft 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
    "C:\Users\Admin\AppData\Local\Temp\105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe"
    Modifies WinLogon for persistence
    Checks computer location settings
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbABlAGEAcwBlAA==
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /release
        Gathers network information
        PID:1636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgA1AA==
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbgBlAHcA
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /renew
        Gathers network information
        PID:1440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAuADUA
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5044
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" stop WinDefend
        Launches sc.exe
        PID:4208
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:2864
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Executes dropped EXE
      PID:4236
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2192
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3620

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Execution

Command-Line Interface

1
T1059

Exfiltration

Impact

Service Stop

1
T1489

Initial Access

Lateral Movement

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    33b19d75aa77114216dbc23f43b195e3

    SHA1

    36a6c3975e619e0c5232aa4f5b7dc1fec9525535

    SHA256

    b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

    SHA512

    676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    8d2bfb474c8c19ad64c08ff5269579c4

    SHA1

    feba7a1b11e0de7ebccb281bf3f5435c7720e34c

    SHA256

    ff6c49e200f7cf2c49d09483f5e0798a7626ce99a00d1a9d7879d7ecb190a08a

    SHA512

    b5e720d6b94451a563fdfa34f7dd6716c26c36ed1eb4b608009eba8364e5989182d5b409492d7b6814180d1dcb24dcea64ac8496c2e3406df3dc5570bb579f43

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    d6036ee2d579fe8234989c131e61328c

    SHA1

    2a3b8711a5bd126982b3c936bd35610a8301b461

    SHA256

    ecddc608d81f66ba771cd01cabcf283988908b647653a9ca5cd8851467b82b36

    SHA512

    62fe8f9e04905471324743618b670982473b49e4389885b99800b4e158c2a7e113eb6e527f16da71c2a68ac22c19eb8e8d88c3be5eaf83b5bf79bcc025755ed7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    a27ac102c8cdd39e29d1323cb333a32c

    SHA1

    8f53ea81db8799af61770b1a2c855ab745b16cfa

    SHA256

    f2f9f44e9de8c2e27045239d757479e2c6e498fff5f4be31270c08a76205c197

    SHA512

    138b6973fef7d1ff97b45675718a77f893f93b663784fa6c1e5c6e3f9f66347b877f9354426f5583f402cabf86d0bf6a261bb45819cc28d4c78d1606c00c1644

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    Filesize

    88KB

    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    Filesize

    88KB

    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit
  • memory/1440-148-0x0000000000000000-mapping.dmp
    Download
  • memory/1636-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2192-170-0x0000000006800000-0x0000000006E18000-memory.dmp
    Filesize

    6MB

    Download
  • memory/2192-169-0x0000000005540000-0x000000000554A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2192-168-0x0000000005C30000-0x00000000061D4000-memory.dmp
    Filesize

    5MB

    Download
  • memory/2192-171-0x0000000005AA0000-0x0000000005AF0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2192-172-0x00000000062C0000-0x0000000006372000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2192-165-0x0000000000400000-0x0000000000484000-memory.dmp
    Filesize

    528KB

    Download
  • memory/2192-163-0x0000000000000000-mapping.dmp
    Download
  • memory/2536-155-0x0000000000000000-mapping.dmp
    Download
  • memory/2828-145-0x00000000066A0000-0x00000000066BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2828-144-0x0000000007AB0000-0x000000000812A000-memory.dmp
    Filesize

    6MB

    Download
  • memory/2828-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2864-164-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp
    Filesize

    10MB

    Download
  • memory/2864-159-0x00007FFB80140000-0x00007FFB80C01000-memory.dmp
    Filesize

    10MB

    Download
  • memory/2864-157-0x0000000000000000-mapping.dmp
    Download
  • memory/2864-158-0x000002B94C340000-0x000002B94C362000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2868-152-0x0000000000000000-mapping.dmp
    Download
  • memory/4208-154-0x0000000000000000-mapping.dmp
    Download
  • memory/4236-161-0x0000000000000000-mapping.dmp
    Download
  • memory/4664-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4664-139-0x0000000006650000-0x000000000666E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4664-134-0x0000000002D20000-0x0000000002D56000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4664-137-0x0000000005850000-0x00000000058B6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4664-135-0x00000000058E0000-0x0000000005F08000-memory.dmp
    Filesize

    6MB

    Download
  • memory/4664-136-0x00000000057B0000-0x00000000057D2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4664-138-0x0000000005FC0000-0x0000000006026000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4876-160-0x0000000000D00000-0x0000000000D92000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4876-132-0x0000000000560000-0x00000000007AE000-memory.dmp
    Filesize

    2MB

    Download
  • memory/4984-146-0x0000000000000000-mapping.dmp
    Download
  • memory/5044-149-0x0000000000000000-mapping.dmp
    Download