Analysis
-
max time kernel
187s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
02-06-2023 20:35
General
-
Target
pack.exe
-
Size
500.1MB
-
MD5
e893801ca83e49f84dca107d6e1162b4
-
SHA1
3122871288ac44693324194b793fc40347360bd4
-
SHA256
ca86561805b0e4184479159a552c05becbbad6f209b03df0819cbb0a47d75fe7
-
SHA512
94f5ca28aedbc2e32383e10ed354a7e8d135f234dae6f1b6f2e1e6f703e4323ae1f3d0f5cb23d57aa85ebe319e59709429837666a7e96234bcabe6b4b851a719
-
SSDEEP
384:ogPThofsksm2/HMLntRBSlwy/VpREaEhAqDjbY2QuzDf+m9xgJJt/V4568OwXpkD:tIXxOn6ZDn7d21448OKpkBC5ZF/i1
Malware Config
Extracted
purecrypter
http://95.214.24.37/SystemEnv/uploads/programme_Hdayjetq.jpg
Extracted
quasar
1.4.0.0
Office04
45.83.122.111:5557
p337SdjNpEb5aKmAPc
-
encryption_key
JzZjeR51DHpipyQ3lm91
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pack.exe"C:\Users\Admin\AppData\Local\Temp\pack.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwADAA2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\pkxrgk.exe"C:\Windows\System32\pkxrgk.exe"1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResetCheckpoint.mov"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
500.1MB
MD5e893801ca83e49f84dca107d6e1162b4
SHA13122871288ac44693324194b793fc40347360bd4
SHA256ca86561805b0e4184479159a552c05becbbad6f209b03df0819cbb0a47d75fe7
SHA51294f5ca28aedbc2e32383e10ed354a7e8d135f234dae6f1b6f2e1e6f703e4323ae1f3d0f5cb23d57aa85ebe319e59709429837666a7e96234bcabe6b4b851a719
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
312KB
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
116KB
-
Filesize
144KB
-
Filesize
2.7MB
-
Filesize
96KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
992KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
2.0MB
-
Filesize
16.7MB
-
Filesize
252KB
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
192KB
-
Filesize
96KB
-
Filesize
412KB
-
Filesize
444KB
-
Filesize
68KB
-
Filesize
344KB
-
Filesize
160KB
-
Filesize
208KB
-
Filesize
140KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
132KB
-
Filesize
76KB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
176KB
-
Filesize
1.7MB
-
Filesize
368KB
-
Filesize
68KB
-
Filesize
604KB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
1.1MB
-
Filesize
212KB
-
Filesize
148KB
-
Filesize
388KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
76KB
-
Filesize
72KB
-
Filesize
992KB
-
Filesize
208KB