Analysis
max time kernel: 71s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-02-2023 17:28

Behavioral task: behavioral1
Sample: Heart Sender V5.0.exe
Resource: win7-20230220-en
General
Target: Heart Sender V5.0.exe
Size: 439KB
MD5: 8f808bb54b422500304dfc68b87198fc
SHA1: 24ebeb615f0bdcaa3980722100d6fc42111b62ec
SHA256: 680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75
SHA512: 46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99
SSDEEP: 6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko
Malware Config
Extracted
Family: quasar
Version: 1.4.0.0
Office04
C2: 67.213.221.18:7812
KFoYp486ql6lO6U0qI
encryption_key: OtItMK9boIZNOQTejUzg
install_name: Windows Security.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Update
subdirectory: Windows Services
Signatures

Quasar payload (6 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Windows Security.exe | family_quasar
  C:\Users\Admin\AppData\Roaming\Windows Security.exe | family_quasar
  C:\Users\Admin\AppData\Roaming\Windows Security.exe | family_quasar
  behavioral2/memory/3436-146-0x0000000000270000-0x00000000002BE000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe | family_quasar
  C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe | family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: Heart Sender V5.0.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | Heart Sender V5.0.exe

Executes dropped EXE (2 IoCs)
Processes: Windows Security.exe, Windows Security.exe
  pid | process
  3436 | Windows Security.exe
  1060 | Windows Security.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  12 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Windows Security.exe, Windows Security.exe
  description | pid | process
  Token: SeDebugPrivilege | 3436 | Windows Security.exe
  Token: SeDebugPrivilege | 1060 | Windows Security.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Windows Security.exe
  pid | process
  1060 | Windows Security.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Heart Sender V5.0.exe, Windows Security.exe, Windows Security.exe
  description | pid | process | target process
  PID 1348 wrote to memory of 3436 | 1348 | Heart Sender V5.0.exe | Windows Security.exe
  PID 1348 wrote to memory of 3436 | 1348 | Heart Sender V5.0.exe | Windows Security.exe
  PID 1348 wrote to memory of 3436 | 1348 | Heart Sender V5.0.exe | Windows Security.exe
  PID 3436 wrote to memory of 324 | 3436 | Windows Security.exe | schtasks.exe
  PID 3436 wrote to memory of 324 | 3436 | Windows Security.exe | schtasks.exe
  PID 3436 wrote to memory of 324 | 3436 | Windows Security.exe | schtasks.exe
  PID 3436 wrote to memory of 1060 | 3436 | Windows Security.exe | Windows Security.exe
  PID 3436 wrote to memory of 1060 | 3436 | Windows Security.exe | Windows Security.exe
  PID 3436 wrote to memory of 1060 | 3436 | Windows Security.exe | Windows Security.exe
  PID 1060 wrote to memory of 4988 | 1060 | Windows Security.exe | schtasks.exe
  PID 1060 wrote to memory of 4988 | 1060 | Windows Security.exe | schtasks.exe
  PID 1060 wrote to memory of 4988 | 1060 | Windows Security.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Heart Sender V5.0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Heart Sender V5.0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Windows Security.exe
    command line: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
      command line: "C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe.log
  Filesize: 1KB
  MD5: 10eab9c2684febb5327b6976f2047587
  SHA1: a12ed54146a7f5c4c580416aecb899549712449e
  SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
  SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

C:\Users\Admin\AppData\Roaming\Windows Security.exe
  Filesize: 289KB
  MD5: 9ed927a589ceb0eb1cd72036f72b65ac
  SHA1: b48d9257d0c902736c897a4d0cdf430939ff47af
  SHA256: ed1545bda10c94c007b0d75b7895d10548fa096ba1b984b519737dfc6f307f3a
  SHA512: 282871bd88691162e3aaa5f679049e991ecc3ea605fcb8a63eac284f93e2c499a7a36bae26f584675de5601fc72710eb464068f4d258bf7184cb1da2fe573675

C:\Users\Admin\AppData\Roaming\Windows Services\Windows Security.exe
  Filesize: 289KB
  MD5: 9ed927a589ceb0eb1cd72036f72b65ac
  SHA1: b48d9257d0c902736c897a4d0cdf430939ff47af
  SHA256: ed1545bda10c94c007b0d75b7895d10548fa096ba1b984b519737dfc6f307f3a
  SHA512: 282871bd88691162e3aaa5f679049e991ecc3ea605fcb8a63eac284f93e2c499a7a36bae26f584675de5601fc72710eb464068f4d258bf7184cb1da2fe573675

Memory dumps (Filesize):
  memory/1060-163-0x0000000004C60000-0x0000000004C70000-memory.dmp: 64KB
  memory/1060-162-0x0000000006250000-0x000000000625A000-memory.dmp: 40KB
  memory/1060-160-0x0000000004C60000-0x0000000004C70000-memory.dmp: 64KB
  memory/1348-133-0x00000000010E0000-0x00000000010F0000-memory.dmp: 64KB
  memory/3436-146-0x0000000000270000-0x00000000002BE000-memory.dmp: 312KB
  memory/3436-152-0x00000000060B0000-0x00000000060EC000-memory.dmp: 240KB
  memory/3436-151-0x0000000005C90000-0x0000000005CA2000-memory.dmp: 72KB
  memory/3436-150-0x0000000005030000-0x0000000005096000-memory.dmp: 408KB
  memory/3436-149-0x0000000004C80000-0x0000000004C90000-memory.dmp: 64KB
  memory/3436-148-0x0000000004C90000-0x0000000004D22000-memory.dmp: 584KB
  memory/3436-147-0x0000000005180000-0x0000000005724000-memory.dmp: 5.6MB