Overview

overview

10

Static

static

3

pack.exe

windows7-x64

10

pack.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    187s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2023 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pack.exe

  • Size

    500.1MB

  • MD5

    e893801ca83e49f84dca107d6e1162b4

  • SHA1

    3122871288ac44693324194b793fc40347360bd4

  • SHA256

    ca86561805b0e4184479159a552c05becbbad6f209b03df0819cbb0a47d75fe7

  • SHA512

    94f5ca28aedbc2e32383e10ed354a7e8d135f234dae6f1b6f2e1e6f703e4323ae1f3d0f5cb23d57aa85ebe319e59709429837666a7e96234bcabe6b4b851a719

  • SSDEEP

    384:ogPThofsksm2/HMLntRBSlwy/VpREaEhAqDjbY2QuzDf+m9xgJJt/V4568OwXpkD:tIXxOn6ZDn7d21448OKpkBC5ZF/i1

Score
10/10
purecrypterquasaroffice04downloaderloaderpersistencespywaretrojan

Malware Config

Extracted

Family

purecrypter

C2

http://95.214.24.37/SystemEnv/uploads/programme_Hdayjetq.jpg

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

45.83.122.111:5557

Mutex

p337SdjNpEb5aKmAPc

Attributes
  • encryption_key

    JzZjeR51DHpipyQ3lm91

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pack.exe
    "C:\Users\Admin\AppData\Local\Temp\pack.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwADAA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3976
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3316
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1200
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4600
    • C:\Windows\System32\pkxrgk.exe
      "C:\Windows\System32\pkxrgk.exe"
      1⤵
        PID:1816
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResetCheckpoint.mov"
        1⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:5064

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yal4ijig.5ar.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsotf\Software.exe
        Filesize

        500.1MB

        MD5

        e893801ca83e49f84dca107d6e1162b4

        SHA1

        3122871288ac44693324194b793fc40347360bd4

        SHA256

        ca86561805b0e4184479159a552c05becbbad6f209b03df0819cbb0a47d75fe7

        SHA512

        94f5ca28aedbc2e32383e10ed354a7e8d135f234dae6f1b6f2e1e6f703e4323ae1f3d0f5cb23d57aa85ebe319e59709429837666a7e96234bcabe6b4b851a719

        Download Submit
      • memory/1200-171-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-163-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-164-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-165-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-169-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-170-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-175-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-174-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-173-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1200-172-0x0000025E34A20000-0x0000025E34A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3316-183-0x00000000062C0000-0x00000000062D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3316-186-0x00000000050F0000-0x0000000005100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3316-184-0x00000000066F0000-0x000000000672C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3316-180-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/3316-182-0x00000000050F0000-0x0000000005100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3976-156-0x0000000007DB0000-0x000000000842A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3976-154-0x0000000006550000-0x000000000656E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3976-160-0x00000000030B0000-0x00000000030C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3976-161-0x00000000030B0000-0x00000000030C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3976-140-0x0000000005770000-0x0000000005D98000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3976-159-0x00000000030B0000-0x00000000030C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3976-141-0x00000000030B0000-0x00000000030C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3976-142-0x00000000030B0000-0x00000000030C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3976-143-0x0000000005DA0000-0x0000000005E06000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3976-144-0x0000000005F00000-0x0000000005F66000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3976-157-0x0000000006A30000-0x0000000006A4A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3976-155-0x00000000030B0000-0x00000000030C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3976-139-0x0000000002F70000-0x0000000002FA6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4372-138-0x0000000008190000-0x00000000081B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4372-134-0x00000000059A0000-0x0000000005F44000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4372-133-0x0000000000A20000-0x0000000000A42000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4372-135-0x0000000005490000-0x0000000005522000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4372-136-0x0000000005410000-0x000000000541A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4372-137-0x0000000005600000-0x0000000005610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4372-158-0x0000000005600000-0x0000000005610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5064-201-0x00007FFBA35F0000-0x00007FFBA360D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/5064-220-0x00007FFB94030000-0x00007FFB94054000-memory.dmp
        Filesize

        144KB

        Download
      • memory/5064-195-0x00007FFB909F0000-0x00007FFB90CA4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/5064-196-0x00007FFBAA910000-0x00007FFBAA928000-memory.dmp
        Filesize

        96KB

        Download
      • memory/5064-199-0x00007FFBA7490000-0x00007FFBA74A7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/5064-198-0x00007FFBA74B0000-0x00007FFBA74C1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-200-0x00007FFBA3610000-0x00007FFBA3621000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-193-0x00007FF6F7E80000-0x00007FF6F7F78000-memory.dmp
        Filesize

        992KB

        Download
      • memory/5064-197-0x00007FFBA9A60000-0x00007FFBA9A77000-memory.dmp
        Filesize

        92KB

        Download
      • memory/5064-202-0x00007FFBA35D0000-0x00007FFBA35E1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-203-0x00007FFB90090000-0x00007FFB90290000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/5064-204-0x00007FFB8EFE0000-0x00007FFB9008B000-memory.dmp
        Filesize

        16.7MB

        Download
      • memory/5064-205-0x00007FFBA2B30000-0x00007FFBA2B6F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/5064-207-0x00007FFBA29E0000-0x00007FFBA29F8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/5064-206-0x00007FFBA35A0000-0x00007FFBA35C1000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5064-208-0x00007FFBA29C0000-0x00007FFBA29D1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-210-0x00007FFB9A2A0000-0x00007FFB9A2B1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-209-0x00007FFB9A900000-0x00007FFB9A911000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-211-0x00007FFB9A280000-0x00007FFB9A29B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/5064-212-0x00007FFB9A260000-0x00007FFB9A271000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-214-0x00007FFB94530000-0x00007FFB94560000-memory.dmp
        Filesize

        192KB

        Download
      • memory/5064-213-0x00007FFB99EE0000-0x00007FFB99EF8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/5064-215-0x00007FFB943D0000-0x00007FFB94437000-memory.dmp
        Filesize

        412KB

        Download
      • memory/5064-216-0x00007FFB942B0000-0x00007FFB9431F000-memory.dmp
        Filesize

        444KB

        Download
      • memory/5064-217-0x00007FFB94510000-0x00007FFB94521000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-218-0x00007FFB94370000-0x00007FFB943C6000-memory.dmp
        Filesize

        344KB

        Download
      • memory/5064-219-0x00007FFB944E0000-0x00007FFB94508000-memory.dmp
        Filesize

        160KB

        Download
      • memory/5064-194-0x00007FFBAAA10000-0x00007FFBAAA44000-memory.dmp
        Filesize

        208KB

        Download
      • memory/5064-222-0x00007FFB94000000-0x00007FFB94023000-memory.dmp
        Filesize

        140KB

        Download
      • memory/5064-221-0x00007FFB94290000-0x00007FFB942A7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/5064-223-0x00007FFB93FE0000-0x00007FFB93FF1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-224-0x00007FFB93FC0000-0x00007FFB93FD2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/5064-225-0x00007FFB93F90000-0x00007FFB93FB1000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5064-226-0x00007FFB93E70000-0x00007FFB93E83000-memory.dmp
        Filesize

        76KB

        Download
      • memory/5064-227-0x00007FFB93CA0000-0x00007FFB93CB2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/5064-228-0x00007FFB93420000-0x00007FFB9355B000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5064-229-0x00007FFB93C70000-0x00007FFB93C9C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/5064-230-0x00007FFB8EE20000-0x00007FFB8EFD2000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/5064-231-0x00007FFB93B70000-0x00007FFB93BCC000-memory.dmp
        Filesize

        368KB

        Download
      • memory/5064-232-0x00007FFB93C50000-0x00007FFB93C61000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-233-0x00007FFB93870000-0x00007FFB93907000-memory.dmp
        Filesize

        604KB

        Download
      • memory/5064-234-0x00007FFB93C30000-0x00007FFB93C42000-memory.dmp
        Filesize

        72KB

        Download
      • memory/5064-235-0x00007FFB8EBE0000-0x00007FFB8EE11000-memory.dmp
        Filesize

        2.2MB

        Download
      • memory/5064-236-0x00007FFB91510000-0x00007FFB91622000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/5064-237-0x00007FFB93B30000-0x00007FFB93B65000-memory.dmp
        Filesize

        212KB

        Download
      • memory/5064-238-0x00007FFB93B00000-0x00007FFB93B25000-memory.dmp
        Filesize

        148KB

        Download
      • memory/5064-241-0x00007FFB93730000-0x00007FFB93791000-memory.dmp
        Filesize

        388KB

        Download
      • memory/5064-239-0x00007FFB937A0000-0x00007FFB937B1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-247-0x00007FFB93710000-0x00007FFB93721000-memory.dmp
        Filesize

        68KB

        Download
      • memory/5064-249-0x00007FFB93400000-0x00007FFB93413000-memory.dmp
        Filesize

        76KB

        Download
      • memory/5064-248-0x00007FFB936F0000-0x00007FFB93702000-memory.dmp
        Filesize

        72KB

        Download
      • memory/5064-261-0x00007FF6F7E80000-0x00007FF6F7F78000-memory.dmp
        Filesize

        992KB

        Download
      • memory/5064-263-0x00007FFBAAA10000-0x00007FFBAAA44000-memory.dmp
        Filesize

        208KB

        Download