Analysis
  max time kernel: 149s
  max time network: 141s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07-03-2023 17:11
Behavioral task: behavioral1
  Sample: 02f7467c0a07153c0c9fec745a96f819.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 02f7467c0a07153c0c9fec745a96f819.exe
  Resource: win10v2004-20230220-en
General
  Target: 02f7467c0a07153c0c9fec745a96f819.exe
  Size: 347KB
  MD5: 02f7467c0a07153c0c9fec745a96f819
  SHA1: 1f3b662f4597a97182134c542718a09ac14dbe53
  SHA256: 00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
  SHA512: 13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
  SSDEEP: 6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA
Malware Config
Extracted: quasar
  1.3.0.0
  ---trens--
  qassar1122.ddns.net:2007
  QSR_MUTEX_MnRnXGbvBvn8Tkxj0A
  encryption_key: i4DXiO929iCJdpvsIcV3
  install_name: Update service.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: service update
  subdirectory: microsofte
Extracted: darkcomet
  office2010
  darck111.ddns.net:2006
  DCMIN_MUTEX-6C5K0B1
  gencode: v30h5qiY2jCx
  install: false
  offline_keylogger: true
  persistence: false
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: nhVFeVcr7qtf.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\iErRwYnFSDYb.exe\",explorer.exe"
  process: nhVFeVcr7qtf.exe
-
Quasar payload (3 IoCs)
Processes:
  resource -> yara_rule
  behavioral2/memory/1492-133-0x0000000000CB0000-0x0000000000D0E000-memory.dmp -> family_quasar
  C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe -> family_quasar
  C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe -> family_quasar
-
Executes dropped EXE (2 IoCs)
Processes: Update service.exe, nhVFeVcr7qtf.exe
  pid 3364  Update service.exe
  pid 5104  nhVFeVcr7qtf.exe
-
Processes:
  resource -> yara_rule
  behavioral2/memory/3120-164-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-165-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-166-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-171-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-172-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-173-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-174-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-175-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-177-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
  behavioral2/memory/3120-180-0x0000000000400000-0x00000000004B7000-memory.dmp -> upx
-
Uses the VBS compiler for execution (1 TTP)
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 31 -> ioc ip-api.com
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: nhVFeVcr7qtf.exe
  PID 5104 set thread context of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 set thread context of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: nhVFeVcr7qtf.exe
  pid 5104  nhVFeVcr7qtf.exe
  pid 5104  nhVFeVcr7qtf.exe
-
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: 02f7467c0a07153c0c9fec745a96f819.exe, Update service.exe, nhVFeVcr7qtf.exe, vbc.exe
  Token: SeDebugPrivilege              pid 1492  02f7467c0a07153c0c9fec745a96f819.exe
  Token: SeDebugPrivilege              pid 3364  Update service.exe
  Token: SeDebugPrivilege              pid 5104  nhVFeVcr7qtf.exe
  Token: SeDebugPrivilege              pid 5104  nhVFeVcr7qtf.exe
  Token: SeIncreaseQuotaPrivilege      pid 3120  vbc.exe
  Token: SeSecurityPrivilege           pid 3120  vbc.exe
  Token: SeTakeOwnershipPrivilege      pid 3120  vbc.exe
  Token: SeLoadDriverPrivilege         pid 3120  vbc.exe
  Token: SeSystemProfilePrivilege      pid 3120  vbc.exe
  Token: SeSystemtimePrivilege         pid 3120  vbc.exe
  Token: SeProfSingleProcessPrivilege  pid 3120  vbc.exe
  Token: SeIncBasePriorityPrivilege    pid 3120  vbc.exe
  Token: SeCreatePagefilePrivilege     pid 3120  vbc.exe
  Token: SeBackupPrivilege             pid 3120  vbc.exe
  Token: SeRestorePrivilege            pid 3120  vbc.exe
  Token: SeShutdownPrivilege           pid 3120  vbc.exe
  Token: SeDebugPrivilege              pid 3120  vbc.exe
  Token: SeSystemEnvironmentPrivilege  pid 3120  vbc.exe
  Token: SeChangeNotifyPrivilege       pid 3120  vbc.exe
  Token: SeRemoteShutdownPrivilege     pid 3120  vbc.exe
  Token: SeUndockPrivilege             pid 3120  vbc.exe
  Token: SeManageVolumePrivilege       pid 3120  vbc.exe
  Token: SeImpersonatePrivilege        pid 3120  vbc.exe
  Token: SeCreateGlobalPrivilege       pid 3120  vbc.exe
  Token: 33                            pid 3120  vbc.exe
  Token: 34                            pid 3120  vbc.exe
  Token: 35                            pid 3120  vbc.exe
  Token: 36                            pid 3120  vbc.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: Update service.exe, vbc.exe
  pid 3364  Update service.exe
  pid 3120  vbc.exe
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 02f7467c0a07153c0c9fec745a96f819.exe, Update service.exe, nhVFeVcr7qtf.exe
  PID 1492 wrote to memory of 3364  (02f7467c0a07153c0c9fec745a96f819.exe -> Update service.exe)
  PID 1492 wrote to memory of 3364  (02f7467c0a07153c0c9fec745a96f819.exe -> Update service.exe)
  PID 3364 wrote to memory of 5104  (Update service.exe -> nhVFeVcr7qtf.exe)
  PID 3364 wrote to memory of 5104  (Update service.exe -> nhVFeVcr7qtf.exe)
  PID 3364 wrote to memory of 5104  (Update service.exe -> nhVFeVcr7qtf.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
  PID 5104 wrote to memory of 3120  (nhVFeVcr7qtf.exe -> vbc.exe)
Processes (tree)
1. C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
      command line: "C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe"
         - Modifies WinLogon for persistence
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe
  Filesize: 319KB
  MD5: d169379916ed45abc121718178790513
  SHA1: c5b982c73df7dec5c5cfc1ee3acecafb379aa8bd
  SHA256: 94afb32fa27d53f20922559b6008b7ec96dfd250f13033a7c8f8e4fb13a52f6d
  SHA512: 16b12976d0c4951298c6568293163330bad09369934cb5f87a37a6b24d304d3f2008b7c14f8dc02fab6763095463bb5ed54509b1e1c3280347357fa0c230455d
-
C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe
  Filesize: 477KB
  MD5: 1fd62f0d8cb4161c12a24d77898d2765
  SHA1: 33987a52f38511d3224f37f1ecd21383741418b8
  SHA256: 97312398386d457b935b24023b83c742f879874c2873c17efa34e3f79a185fc5
  SHA512: 595fe25a614c6e8b9693b23895f0b324858e6d20b43bb4d651effef565a969430db4b7a85e706289fd1b49574ff7239aec96156b8c5e0883850927050e935077
-
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
  Filesize: 347KB
  MD5: 02f7467c0a07153c0c9fec745a96f819
  SHA1: 1f3b662f4597a97182134c542718a09ac14dbe53
  SHA256: 00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
  SHA512: 13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
-
memory/1492-134-0x000000001C5A0000-0x000000001C5B0000-memory.dmp  Filesize: 64KB
memory/1492-135-0x000000001C540000-0x000000001C552000-memory.dmp  Filesize: 72KB
memory/1492-136-0x000000001DC70000-0x000000001DCAC000-memory.dmp  Filesize: 240KB
memory/1492-143-0x000000001B770000-0x000000001B8BE000-memory.dmp  Filesize: 1.3MB
memory/1492-133-0x0000000000CB0000-0x0000000000D0E000-memory.dmp  Filesize: 376KB
memory/3120-176-0x0000000000BE0000-0x0000000000BE1000-memory.dmp  Filesize: 4KB
memory/3120-173-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-177-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-180-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-175-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-174-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-164-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-165-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-166-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-171-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3120-172-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/3364-144-0x00000000021B0000-0x00000000021C0000-memory.dmp  Filesize: 64KB
memory/3364-161-0x000000001ACB0000-0x000000001ADFE000-memory.dmp  Filesize: 1.3MB
memory/3364-148-0x000000001ACB0000-0x000000001ADFE000-memory.dmp  Filesize: 1.3MB
memory/3364-147-0x00000000021B0000-0x00000000021C0000-memory.dmp  Filesize: 64KB
memory/3364-146-0x000000001ACB0000-0x000000001ADFE000-memory.dmp  Filesize: 1.3MB
memory/5104-160-0x0000000000CA0000-0x0000000000CB0000-memory.dmp  Filesize: 64KB
memory/5104-179-0x0000000000CA0000-0x0000000000CB0000-memory.dmp  Filesize: 64KB