Analysis

  • max time kernel
    91s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2023 20:27

General

  • Target

    105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe

  • Size

    2.3MB

  • MD5

    b162ab57ef8877c9ab873932e3025039

  • SHA1

    f7f290cf666bc4e8877a5ef09b8ed1ab8291638f

  • SHA256

    105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2

  • SHA512

    13927b2df2e9aeaf601def099b7f006383937f2984344571150a45aad034a85cd13832874c8382a76a8725600cb8439820fb8d691af90f7bf8ce859b8fe1e51d

  • SSDEEP

    24576:EMRpqU3LsGw9tDW06PHAHHeO4ElrkWUZlDd09H7YgngNXN4dXh5nfr2Sd5+ZiTt+:lu95k+X/nT2SdQat/cM7Zcm2

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Pure____1

C2

sabifati.linkpc.net:4784

deli.mywire.org:4784

Mutex

3a359e52-00bd-4e3d-8201-985b53b0c176

Attributes
  • encryption_key

    78BC50021362B61652204981B13FE17E053A03F1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Nirsoft 2 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
    "C:\Users\Admin\AppData\Local\Temp\105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbABlAGEAcwBlAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /release
        3⤵
        • Gathers network information
        PID:4840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbgBlAHcA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /renew
        3⤵
        • Gathers network information
        PID:4496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAuADUA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4452
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3556
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1564
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      2⤵
      • Executes dropped EXE
      PID:4020
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3972
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4244

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    T1059 Command-Line Interface (1)
  • Persistence
    T1004 Winlogon Helper DLL (1)
    T1031 Modify Existing Service (1)
  • Defense Evasion
    T1112 Modify Registry (1)
    T1562 Impair Defenses (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (3)
  • Impact
    T1489 Service Stop (1)

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    33b19d75aa77114216dbc23f43b195e3

    SHA1

    36a6c3975e619e0c5232aa4f5b7dc1fec9525535

    SHA256

    b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

    SHA512

    676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    5d63e96594a2c7bd167eb408180bf6d6

    SHA1

    f168aeb7afd4fab4b8d1f8b32b88e4c4803d68ae

    SHA256

    529f95ce89214b6ba7ecaecd86a1c7f9edf15964eedc0c3579aaa69dca4346aa

    SHA512

    87e1e3b416844ce8e979a73ad73931e3da0925fdd8555ddb89680db2b121923da7c5eb04861b5d597803317c0d1e283e055ccfcdf026691c63d9e76eda9194d9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    66512790a5f0e2f04f287c3d6c5eb479

    SHA1

    0a234afc3b4bdbd1e85df3f778cc86ea94980fe9

    SHA256

    8c214b37c1e28ea3e9da9f856c02d6587de97aa361f03dce2ffe8187cb1350a7

    SHA512

    dfd283eb9263194f346e9ab67910947abc170642da29b35f9abe9d8e67e67c1d1baf01322ddf2c4fd88e23f3c64fa0af967b825f1d322433f206a9261a649f1f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    76d544b5f248f8c39b63e0ef5c9f42a2

    SHA1

    5c312b4829c7b74788239007e936d50d7cb4030c

    SHA256

    8cd0b5dac88886c360025b45358f6df62bd32ce3ac7ab69768f976b1c0930694

    SHA512

    7894e0d653ee16892a3154670a9f225a43fda5b0e48f92ee3a5b682d553666be1eb470b279f5416026736735ded8f78300c2eb361e2c357997f35eab9c04e183

  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    Filesize

    88KB

    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

