Analysis
max time kernel: 150s
max time network: 135s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-03-2023 17:11
Behavioral tasks
behavioral1: sample 02f7467c0a07153c0c9fec745a96f819.exe on resource win7-20230220-en (the run detailed below)
behavioral2: sample 02f7467c0a07153c0c9fec745a96f819.exe on resource win10v2004-20230220-en
General
Target: 02f7467c0a07153c0c9fec745a96f819.exe
Size: 347KB
MD5: 02f7467c0a07153c0c9fec745a96f819
SHA1: 1f3b662f4597a97182134c542718a09ac14dbe53
SHA256: 00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
SHA512: 13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
SSDEEP: 6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA
Malware Config
(The first four Quasar values and the first three DarkComet values are unlabelled in the report; the field names given for them follow the clients' own config layout.)
Extracted: quasar
version: 1.3.0.0
tag: ---trens--
c2: qassar1122.ddns.net:2007
mutex: QSR_MUTEX_MnRnXGbvBvn8Tkxj0A
encryption_key: i4DXiO929iCJdpvsIcV3
install_name: Update service.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: service update
subdirectory: microsofte
Extracted: darkcomet
campaign id (SID): office2010
c2: darck111.ddns.net:2006
mutex: DCMIN_MUTEX-6C5K0B1
gencode: v30h5qiY2jCx
install: false
offline_keylogger: true
persistence: false
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: M2kZrx0Y7oeB.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\L4PNd7cQoiGt.exe\",explorer.exe" (process M2kZrx0Y7oeB.exe)
The value is written under the user's own hive (HKU\<SID>), so no elevation is needed; Winlogon launches each comma-separated entry, so the prepended binary starts at every logon alongside explorer.exe. Note that the referenced path (Roaming\microsoft\L4PNd7cQoiGt.exe, without the trailing "e" of the Quasar subdirectory) is not among the files listed under Downloads for this run.
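A responder checking a host for this persistence needs to read the Shell value from both HKLM and every loaded HKU hive and compare it against the single default entry, explorer.exe. Added example, not from the sandbox report or its vendor: a Python check that splits a Winlogon\Shell value the way Winlogon does (comma-separated, with quoted paths allowed) and returns every entry whose program is not the bare default. The sample values are constructed for illustration; the one labelled this_report is the value recorded above.

```python
"""Flag non-default Winlogon Shell values.

Added example; not part of the sandbox report. Winlogon reads the Shell value
from HKLM (machine default) and, if present, from the user's HKU hive, and
launches every comma-separated entry, so an attacker only needs write access
to their own hive to get a binary started next to explorer.exe.
"""
from __future__ import annotations

DEFAULT_SHELL = "explorer.exe"

# Locations a responder should read; HKU\<SID> is where this sample wrote.
WINLOGON_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKU\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Constructed sample values; "this_report" is the value recorded in this run.
SAMPLE_VALUES = {
    "clean": "explorer.exe",
    "this_report": r'"C:\Users\Admin\AppData\Roaming\microsoft\L4PNd7cQoiGt.exe",explorer.exe',
    "appended_with_args": r"explorer.exe,C:\ProgramData\svc\updater.exe /quiet",
    "case_and_spacing": " Explorer.EXE ",
}


def split_shell_value(value: str) -> list[str]:
    """Split on commas that are outside double quotes; drop empty entries."""
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def executable_of(entry: str) -> str:
    """Return the program part of one entry: the quoted path, or the first token."""
    if entry.startswith('"'):
        end = entry.find('"', 1)
        return entry[1:end] if end > 0 else entry[1:]
    return entry.split()[0]


def suspicious_shell_entries(value: str) -> list[str]:
    """Every entry whose program is not exactly explorer.exe (case-insensitive).

    A full path to explorer.exe is flagged as well: the default is the bare
    name, and a path could point at a look-alike binary somewhere writable.
    """
    return [
        entry for entry in split_shell_value(value)
        if executable_of(entry).lower() != DEFAULT_SHELL
    ]


def audit(values: dict[str, str]) -> dict[str, list[str]]:
    """Map each label to its suspicious entries, keeping only labels with findings."""
    findings = {label: suspicious_shell_entries(v) for label, v in values.items()}
    return {label: hits for label, hits in findings.items() if hits}


if __name__ == "__main__":
    for label, hits in audit(SAMPLE_VALUES).items():
        print(f"{label}: {hits}")
```

On a live Windows host the same functions can be fed the strings returned by winreg for each key in WINLOGON_KEYS; the parsing is deliberately kept separate from the registry read so it can also run over a .reg export or a hive parsed offline.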
Quasar payload 7 IoCs
resource: yara_rule
behavioral1/memory/1992-54-0x0000000000C60000-0x0000000000CBE000-memory.dmp: family_quasar
behavioral1/memory/1992-55-0x000000001A910000-0x000000001A990000-memory.dmp: family_quasar
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe: family_quasar
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe: family_quasar
behavioral1/memory/1736-61-0x00000000002D0000-0x000000000032E000-memory.dmp: family_quasar
behavioral1/memory/1736-62-0x000000001AF70000-0x000000001AFF0000-memory.dmp: family_quasar
behavioral1/memory/1736-64-0x000000001AF70000-0x000000001AFF0000-memory.dmp: family_quasar
Executes dropped EXE 2 IoCs
Processes: Update service.exe, M2kZrx0Y7oeB.exe
pid 1736: Update service.exe
pid 1828: M2kZrx0Y7oeB.exe
UPX-packed image in memory (yara_rule upx) 11 IoCs
Processes: vbc.exe (pid 1184)
All eleven hits are on the same region of vbc.exe, 0x0000000000400000-0x00000000004B7000, dumps behavioral1/memory/1184-{81,82,84,86,87,102,103,104,105,106,108}-memory.dmp. That is the image base of the hollowed vbc.exe, not of the VB compiler that was loaded from disk.
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 1: ip-api.com
Suspicious use of SetThreadContext 3 IoCs
Processes: M2kZrx0Y7oeB.exe
PID 1828 M2kZrx0Y7oeB.exe set thread context of PID 1184 vbc.exe (x3)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: M2kZrx0Y7oeB.exe
pid 1828 M2kZrx0Y7oeB.exe (x2)
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes: 02f7467c0a07153c0c9fec745a96f819.exe, Update service.exe, M2kZrx0Y7oeB.exe, vbc.exe
pid 1992 02f7467c0a07153c0c9fec745a96f819.exe: SeDebugPrivilege
pid 1736 Update service.exe: SeDebugPrivilege
pid 1828 M2kZrx0Y7oeB.exe: SeDebugPrivilege (x2)
pid 1184 vbc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
The three numeric entries are privilege LUIDs 33-35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege). The hollowed vbc.exe enables every privilege present in its token, far beyond anything the real VB compiler requests.
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: Update service.exe, vbc.exe
pid 1736: Update service.exe
pid 1184: vbc.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes: 02f7467c0a07153c0c9fec745a96f819.exe, Update service.exe, M2kZrx0Y7oeB.exe
PID 1992 02f7467c0a07153c0c9fec745a96f819.exe wrote to memory of PID 1736 Update service.exe (x3)
PID 1736 Update service.exe wrote to memory of PID 1828 M2kZrx0Y7oeB.exe (x4)
PID 1828 M2kZrx0Y7oeB.exe wrote to memory of PID 1184 vbc.exe (x16)
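The SetThreadContext and WriteProcessMemory rows above describe the same pair of processes: M2kZrx0Y7oeB.exe writes sixteen times into vbc.exe and resets its thread context three times, which is the shape of process hollowing (start a legitimate binary suspended, overwrite its image, point the thread at the new entry point, resume). The three or four writes from each parent into its freshly created child are normal CreateProcess behaviour; the context reset is what separates the two. Added example, not part of the report or of the sandbox's tooling: a Python parser for the flattened row format printed in these signature tables that pairs write and context events per (source, target) and reports the pairs that show both. The rows are rebuilt from the report's counts and the image paths are taken from the process tree below; both are embedded as constructed input.

```python
"""Reconstruct cross-process memory activity from a triage-style signature dump.

Added example; not part of the sandbox report or of the sandbox vendor's
tooling. It parses the flattened "wrote to memory of" / "set thread context
of" rows and pairs them up: a process that both writes into another process
AND resets one of its threads' context is the classic process-hollowing /
injection shape. A few writes from a parent into a freshly created child are
normal (CreateProcess does that); the SetThreadContext call is what matters.
"""
from __future__ import annotations

import re
from collections import Counter

# Row shape as printed: "PID <src> <action> <dst> <src> <srcname> <dstname>".
# Process names may contain spaces ("Update service.exe"), so each name is
# matched lazily up to its ".exe" and a row ends at the next "PID " or at EOF.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<srcname>.+?\.exe) (?P<dstname>.+?\.exe)(?= PID |$)",
    re.IGNORECASE,
)

# Image paths from the report's process tree; used to judge whether the
# target of the write/context pair is a Windows-shipped binary.
IMAGE_PATHS = {
    1992: r"C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe",
    1736: r"C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe",
    1828: r"C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe",
    1184: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
}

# Rows rebuilt from the report's own counts (3 + 4 + 16 WriteProcessMemory
# rows, 3 SetThreadContext rows); constructed input, not a verbatim copy.
WPM_ROWS = " ".join(
    ["PID 1992 wrote to memory of 1736 1992 02f7467c0a07153c0c9fec745a96f819.exe Update service.exe"] * 3
    + ["PID 1736 wrote to memory of 1828 1736 Update service.exe M2kZrx0Y7oeB.exe"] * 4
    + ["PID 1828 wrote to memory of 1184 1828 M2kZrx0Y7oeB.exe vbc.exe"] * 16
)
STC_ROWS = " ".join(["PID 1828 set thread context of 1184 1828 M2kZrx0Y7oeB.exe vbc.exe"] * 3)


def parse_rows(text: str) -> list[dict]:
    """Turn the flattened table into one dict per row."""
    return [
        {
            "src": int(m["src"]), "dst": int(m["dst"]),
            "action": m["action"].lower(),
            "srcname": m["srcname"], "dstname": m["dstname"],
        }
        for m in ROW_RE.finditer(text)
    ]


def hollowing_candidates(rows: list[dict]) -> list[dict]:
    """Return (src, dst) pairs that saw both a memory write and a thread-context reset."""
    writes = Counter((r["src"], r["dst"]) for r in rows if r["action"] == "wrote to memory of")
    ctx = Counter((r["src"], r["dst"]) for r in rows if r["action"] == "set thread context of")
    names = {(r["src"], r["dst"]): (r["srcname"], r["dstname"]) for r in rows}
    out = []
    for pair in sorted(set(writes) & set(ctx)):
        srcname, dstname = names[pair]
        target = IMAGE_PATHS.get(pair[1], "")
        out.append({
            "src": pair[0], "srcname": srcname,
            "dst": pair[1], "dstname": dstname,
            "writes": writes[pair], "context_sets": ctx[pair],
            # Overwriting a Windows-shipped binary is the hallmark of hollowing.
            "target_is_os_binary": target.lower().startswith("c:\\windows\\"),
        })
    return out


def main() -> None:
    rows = parse_rows(WPM_ROWS + " " + STC_ROWS)
    print(f"{len(rows)} rows parsed")
    for c in hollowing_candidates(rows):
        print(f"{c['srcname']} ({c['src']}) -> {c['dstname']} ({c['dst']}): "
              f"{c['writes']} writes, {c['context_sets']} SetThreadContext, "
              f"OS binary target={c['target_is_os_binary']}")


if __name__ == "__main__":
    main()
```

Run on this report the parser yields one candidate, M2kZrx0Y7oeB.exe (1828) into vbc.exe (1184), while the 1992 to 1736 and 1736 to 1828 writes drop out because no context reset accompanies them.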
Processes
Chain recorded in behavioral1 (each process is started by the one above it; pids from the signature tables). The submitted file is the Quasar client (family_quasar on pid 1992 and on the dropped Update service.exe, whose hashes match the sample); the installed copy drops M2kZrx0Y7oeB.exe, which writes the Winlogon Shell value and then writes into and resets the thread context of a freshly started vbc.exe.
C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe (pid 1992)
  command line: "C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe (pid 1736)
    command line: "C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe (pid 1828)
      command line: "C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 1184)
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe
Filesize: 319KB
MD5: d169379916ed45abc121718178790513
SHA1: c5b982c73df7dec5c5cfc1ee3acecafb379aa8bd
SHA256: 94afb32fa27d53f20922559b6008b7ec96dfd250f13033a7c8f8e4fb13a52f6d
SHA512: 16b12976d0c4951298c6568293163330bad09369934cb5f87a37a6b24d304d3f2008b7c14f8dc02fab6763095463bb5ed54509b1e1c3280347357fa0c230455d
C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe
Filesize: 477KB
MD5: 1fd62f0d8cb4161c12a24d77898d2765
SHA1: 33987a52f38511d3224f37f1ecd21383741418b8
SHA256: 97312398386d457b935b24023b83c742f879874c2873c17efa34e3f79a185fc5
SHA512: 595fe25a614c6e8b9693b23895f0b324858e6d20b43bb4d651effef565a969430db4b7a85e706289fd1b49574ff7239aec96156b8c5e0883850927050e935077
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
Filesize: 347KB
MD5: 02f7467c0a07153c0c9fec745a96f819
SHA1: 1f3b662f4597a97182134c542718a09ac14dbe53
SHA256: 00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
SHA512: 13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
Update service.exe is byte-identical to the submitted sample (same size and hashes), i.e. the Quasar client copying itself to its install_name/subdirectory. M2kZrx0Y7oeB.exe was captured with two different contents at the same path (written more than once, or captured while still being written); treat both hash sets as indicators, and hash the file on disk rather than trusting either one.
Memory dumps (behavioral1)
memory/1184-{80,81,82,84,86,87,102,103,104,105,106,108}: 0x0000000000400000-0x00000000004B7000, 732KB each (the vbc.exe image region; the upx rule fires on all of these except dump 80)
memory/1184-83: 0x000000007EFDE000-0x000000007EFDF000, 4KB
memory/1184-{88,92,96}: 0x000000007EFA0000-0x000000007EFA1000, 4KB each
memory/1184-107: 0x0000000000390000-0x0000000000391000, 4KB
memory/1736-61: 0x00000000002D0000-0x000000000032E000, 376KB
memory/1736-{62,64}: 0x000000001AF70000-0x000000001AFF0000, 512KB each
memory/1828-{77,109}: 0x0000000000360000-0x00000000003A0000, 256KB each
memory/1992-54: 0x0000000000C60000-0x0000000000CBE000, 376KB
memory/1992-55: 0x000000001A910000-0x000000001A990000, 512KB