Analysis
-
max time kernel: 28s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 25-02-2023 17:28
Behavioral task: behavioral1
Sample: Heart Sender V5.0.exe
Resource: win7-20230220-en
General
-
Target: Heart Sender V5.0.exe
Size: 439KB
MD5: 8f808bb54b422500304dfc68b87198fc
SHA1: 24ebeb615f0bdcaa3980722100d6fc42111b62ec
SHA256: 680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75
SHA512: 46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99
SSDEEP: 6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko
Malware Config
-
Extracted
Family: quasar
Version: 1.4.0.0
Botnet: Office04
C2: 67.213.221.18:7812
Mutex: KFoYp486ql6lO6U0qI
encryption_key: OtItMK9boIZNOQTejUzg
install_name: Windows Security.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Update
subdirectory: Windows Services
Signatures
-
Quasar payload 12 IoCs
Processes:
yara_rule family_quasar matched on each of the following resources:
\Users\Admin\AppData\Roaming\Windows Security.exe
C:\Users\Admin\AppData\Roaming\Windows Security.exe
C:\Users\Admin\AppData\Roaming\Windows Security.exe
behavioral1/memory/2000-61-0x0000000000E90000-0x0000000000EDE000-memory.dmp
behavioral1/memory/2000-62-0x0000000000C50000-0x0000000000C90000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
behavioral1/memory/328-70-0x0000000000C40000-0x0000000000C8E000-memory.dmp
behavioral1/memory/328-71-0x0000000004900000-0x0000000004940000-memory.dmp
behavioral1/memory/328-73-0x0000000004900000-0x0000000004940000-memory.dmp
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Executes dropped EXE 2 IoCs
Processes:
pid 2000  Windows Security.exe
pid 328   Windows Security.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid 1376  Heart Sender V5.0.exe
pid 2000  Windows Security.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 1  ioc: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege  pid 2000  Windows Security.exe
Token: SeDebugPrivilege  pid 328   Windows Security.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 328  Windows Security.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes (4 identical write events recorded for each source/target pair):
PID 1376 (Heart Sender V5.0.exe) wrote to memory of 2000 (Windows Security.exe)
PID 2000 (Windows Security.exe) wrote to memory of 1880 (schtasks.exe)
PID 2000 (Windows Security.exe) wrote to memory of 328 (Windows Security.exe)
PID 328 (Windows Security.exe) wrote to memory of 688 (schtasks.exe)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Heart Sender V5.0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Heart Sender V5.0.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Windows Security.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f
         - Creates scheduled task(s)
      3. C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
Downloads
-
Dropped file (identical content written to each of the following paths):
C:\Users\Admin\AppData\Roaming\Windows Security.exe
\Users\Admin\AppData\Roaming\Windows Security.exe
C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
Filesize: 289KB
MD5: 9ed927a589ceb0eb1cd72036f72b65ac
SHA1: b48d9257d0c902736c897a4d0cdf430939ff47af
SHA256: ed1545bda10c94c007b0d75b7895d10548fa096ba1b984b519737dfc6f307f3a
SHA512: 282871bd88691162e3aaa5f679049e991ecc3ea605fcb8a63eac284f93e2c499a7a36bae26f584675de5601fc72710eb464068f4d258bf7184cb1da2fe573675
-
Memory dumps:
memory/328-70-0x0000000000C40000-0x0000000000C8E000-memory.dmp   Filesize: 312KB
memory/328-71-0x0000000004900000-0x0000000004940000-memory.dmp   Filesize: 256KB
memory/328-73-0x0000000004900000-0x0000000004940000-memory.dmp   Filesize: 256KB
memory/2000-61-0x0000000000E90000-0x0000000000EDE000-memory.dmp  Filesize: 312KB
memory/2000-62-0x0000000000C50000-0x0000000000C90000-memory.dmp  Filesize: 256KB