Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
23-03-2023 23:10
General
-
Target
tmp.exe
-
Size
6.7MB
-
MD5
82792ba7124ecaa06893c3a6989bc70a
-
SHA1
c7caa0f4f696e38f4adb20a3efa2334f8a18675c
-
SHA256
7a6d23d9845bb08f5f50a89a909fc5dfc865cb77a9e44f370b56fd22d7a7f74f
-
SHA512
907d19656886883c6c4fe10657bef9d7380be3b7c16a23d448924d33577df8f552e6c4feca379bbf14bfc4d5c390114e8ad84965bb03d97d0cad5a046371e9b0
-
SSDEEP
196608:SdpVzj3zsdu95DsmQDzgnxUd9B0IETkQHXrjAYaUxHfl:eVzjjsdAsNzt9OIETkSXrj9txHfl
Malware Config
Extracted
quasar
1.3.0.0
HEU_A
hacker.548848.xyz:4000
QSR_MUTEX_y7qRPJXwrKoCCGjifB
-
encryption_key
zOtqF7XIGfeSwK3tze2l
-
install_name
IntelServiceUpdate.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Intel Service Update
-
subdirectory
IntelServiceUpdate
Extracted
quasar
1.3.0.0
HEU_T
81.68.120.79:4000
QSR_MUTEX_kWiUJRAFspPTbob5of
-
encryption_key
7GHKJ6ZgFY9nVhHS7b4U
-
install_name
IntelService.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Intel Service
-
subdirectory
IntelService
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 11 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Themida packer 20 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exeHEU_A.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe"C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exeHEU_T.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\IntelService\IntelService.exe"C:\Program Files (x86)\IntelService\IntelService.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Program Files (x86)\IntelService\IntelService.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\IntelService\IntelService.exeFilesize
3.2MB
MD540d62eddbff45d346db54f324aa84008
SHA10f40dcddb8ae4a1eedab47e7987eef133292ab91
SHA256670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858
SHA5122274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f
-
C:\Program Files (x86)\IntelService\IntelService.exeFilesize
3.2MB
MD540d62eddbff45d346db54f324aa84008
SHA10f40dcddb8ae4a1eedab47e7987eef133292ab91
SHA256670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858
SHA5122274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f
-
C:\Program Files (x86)\IntelService\IntelService.exeFilesize
3.2MB
MD540d62eddbff45d346db54f324aa84008
SHA10f40dcddb8ae4a1eedab47e7987eef133292ab91
SHA256670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858
SHA5122274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exeFilesize
3.2MB
MD5e304134514f7d41aaf59ac7f33640ee6
SHA18bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exeFilesize
3.2MB
MD5e304134514f7d41aaf59ac7f33640ee6
SHA18bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exeFilesize
3.2MB
MD540d62eddbff45d346db54f324aa84008
SHA10f40dcddb8ae4a1eedab47e7987eef133292ab91
SHA256670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858
SHA5122274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exeFilesize
3.2MB
MD540d62eddbff45d346db54f324aa84008
SHA10f40dcddb8ae4a1eedab47e7987eef133292ab91
SHA256670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858
SHA5122274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.batFilesize
38B
MD56c394f46eece6a9afe232492a2c8c2fa
SHA1339a7e4dad0caa1c73af8c2425e64a4181ab9715
SHA256f18ee7b9e8d4edca7b374a468ef076f5172f57bb4b26a3f5acfbe9d53e5fc201
SHA5126a0ac3022ef4b98203badc24f2239c76012ba59704c333057dde6a29fd6db0137a9999c61c1ca086c5ff6404b2e3bbb12ddd56c17ea45871e976d44d640f3913
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbsFilesize
75B
MD5a1bb86ecdb375e144840f6c94ddbd20c
SHA17d12aca5e928a4558e417cf69f958ca5b8acd39e
SHA2568e814c00551b5b7e811528d270a962f65980c34dd39d2b964324448c6860a797
SHA512f95693e623afb2e5b588cdf018a53ab58fbdd8cbd015946f289edb58679b7fb4df6a0437d372a52421c69d8bbc071859b69525fe31aa570a072abd4ccb70a9da
-
C:\Users\Admin\AppData\Roaming\Logs\03-24-2023Filesize
224B
MD5e901815a70ecaab36a630bb854ee3e3e
SHA14186eca2683338184d14deacfa6cf13ed7758b36
SHA256f26ed7c29f37307147fb576ec50362d94a41c4e6218f3d297ed7caf25a4d4ac3
SHA512d75b3a41ca6c1444252ff547a40a79c08c908b50b682b60a68a8f2b933d296928f0f1ddff72a5998f6cf57f462037b09ed97d7b7d39d742961e1ad49c5451189
-
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exeFilesize
3.2MB
MD5e304134514f7d41aaf59ac7f33640ee6
SHA18bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exeFilesize
3.2MB
MD5e304134514f7d41aaf59ac7f33640ee6
SHA18bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exeFilesize
3.2MB
MD5e304134514f7d41aaf59ac7f33640ee6
SHA18bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
memory/1064-195-0x0000000000840000-0x00000000010CC000-memory.dmpFilesize
8.5MB
-
memory/1064-188-0x0000000000840000-0x00000000010CC000-memory.dmpFilesize
8.5MB
-
memory/1064-198-0x0000000000840000-0x00000000010CC000-memory.dmpFilesize
8.5MB
-
memory/1064-200-0x0000000005BE0000-0x0000000005BF0000-memory.dmpFilesize
64KB
-
memory/1064-205-0x00000000072B0000-0x00000000072BA000-memory.dmpFilesize
40KB
-
memory/1064-211-0x0000000000840000-0x00000000010CC000-memory.dmpFilesize
8.5MB
-
memory/1064-212-0x0000000005BE0000-0x0000000005BF0000-memory.dmpFilesize
64KB
-
memory/1676-177-0x0000000000040000-0x00000000008CC000-memory.dmpFilesize
8.5MB
-
memory/1676-187-0x0000000000040000-0x00000000008CC000-memory.dmpFilesize
8.5MB
-
memory/1676-179-0x00000000056E0000-0x00000000056F0000-memory.dmpFilesize
64KB
-
memory/1676-173-0x0000000000040000-0x00000000008CC000-memory.dmpFilesize
8.5MB
-
memory/1676-178-0x0000000000040000-0x00000000008CC000-memory.dmpFilesize
8.5MB
-
memory/4660-197-0x0000000000330000-0x0000000000BBA000-memory.dmpFilesize
8.5MB
-
memory/4660-172-0x0000000000330000-0x0000000000BBA000-memory.dmpFilesize
8.5MB
-
memory/4660-213-0x0000000005A20000-0x0000000005A30000-memory.dmpFilesize
64KB
-
memory/4660-202-0x0000000005A20000-0x0000000005A30000-memory.dmpFilesize
64KB
-
memory/4660-196-0x0000000000330000-0x0000000000BBA000-memory.dmpFilesize
8.5MB
-
memory/4660-201-0x0000000000330000-0x0000000000BBA000-memory.dmpFilesize
8.5MB
-
memory/4864-159-0x0000000006200000-0x0000000006212000-memory.dmpFilesize
72KB
-
memory/4864-157-0x0000000005EB0000-0x0000000005F16000-memory.dmpFilesize
408KB
-
memory/4864-169-0x0000000000810000-0x000000000109A000-memory.dmpFilesize
8.5MB
-
memory/4864-160-0x0000000006EE0000-0x0000000006F1C000-memory.dmpFilesize
240KB
-
memory/4864-156-0x0000000005D90000-0x0000000005DA0000-memory.dmpFilesize
64KB
-
memory/4864-155-0x0000000005DA0000-0x0000000005E32000-memory.dmpFilesize
584KB
-
memory/4864-154-0x0000000006230000-0x00000000067D4000-memory.dmpFilesize
5.6MB
-
memory/4864-152-0x0000000000810000-0x000000000109A000-memory.dmpFilesize
8.5MB
-
memory/4864-151-0x0000000000810000-0x000000000109A000-memory.dmpFilesize
8.5MB
-
memory/4864-147-0x0000000000810000-0x000000000109A000-memory.dmpFilesize
8.5MB
-
memory/4864-163-0x0000000000810000-0x000000000109A000-memory.dmpFilesize
8.5MB