Analysis
Max time kernel: 69s
Max time network: 139s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 09-06-2023 11:29
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20230220-en)
General
Target: file.exe
Size: 3.8MB
MD5: 4693d917d5573d64bfd2a27e46e04504
SHA1: fb97fec5b335804929dc3c8fb7e69073467f4754
SHA256: 2d24effcdf6f620d368752b0bba8f2b96b01b82d95c36b6d5b34ddbe7740362d
SHA512: 05f08728f753b0c115f5e30163c08783d3e0dc68762d621bfd1887e8c41d746fba45f22fc10594f48a852222a432ca99bcfeadc2d83d316eb41c51c7f171749a
SSDEEP: 49152:k6fBW2t1NiKOBFAzHpe64btMTabv3/LQOlFIpfllgqSBZ7rQ0kV8e:k6
Malware Config
Extracted: quasar
  Version: 1.4.0.0
  Botnet: Office04
  C2: hostmeta.duckdns.org:3400
  Mutex: PCoa0XHES5x7Cr7a01
  encryption_key: cH5E0mLkGfudyeRokQBJ
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Extracted: quasar
  reconnect_delay: 3000
Signatures

Quasar payload (6 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1908-78-0x0000000000400000-0x000000000044E000-memory.dmp  family_quasar
  behavioral1/memory/1908-81-0x0000000000400000-0x000000000044E000-memory.dmp  family_quasar
  behavioral1/memory/1908-79-0x0000000000400000-0x000000000044E000-memory.dmp  family_quasar
  behavioral1/memory/1908-83-0x0000000000400000-0x000000000044E000-memory.dmp  family_quasar
  behavioral1/memory/1908-85-0x0000000000400000-0x000000000044E000-memory.dmp  family_quasar
  behavioral1/memory/1908-86-0x0000000004A90000-0x0000000004AD0000-memory.dmp  family_quasar

RevengeRAT
  Remote-access trojan with a wide range of capabilities.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\serviceupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\serviceupdate.exe\""
  Process: file.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 2
  ioc: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process   procid_target
  PID 1264 set thread context of 1908  1264  file.exe  38

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  592   ipconfig.exe
  1728  ipconfig.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1444  powershell.exe
  1560  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1264  file.exe
  Token: SeDebugPrivilege  1444  powershell.exe
  Token: SeDebugPrivilege  1560  powershell.exe
  Token: SeDebugPrivilege  1908  aspnet_compiler.exe

Suspicious use of WriteProcessMemory (37 IoCs; identical repeated entries are collapsed, with the number of occurrences in the last column)
  description                       pid   Process   procid_target  occurrences
  PID 1264 wrote to memory of 1080  1264  file.exe  27             4
  PID 1080 wrote to memory of 592   1080  cmd.exe   29             4
  PID 1264 wrote to memory of 1444  1264  file.exe  30             4
  PID 1264 wrote to memory of 868   1264  file.exe  32             4
  PID 868 wrote to memory of 1560   868   cmd.exe   34             4
  PID 1264 wrote to memory of 1484  1264  file.exe  35             4
  PID 1484 wrote to memory of 1728  1484  cmd.exe   37             4
  PID 1264 wrote to memory of 1908  1264  file.exe  38             9
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1264
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      PID: 1080
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /release
          PID: 592
          - Gathers network information

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
      (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 32)
      PID: 1444
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      (the -ENC argument is base64-encoded UTF-16LE and decodes to: set-mppreference -exclusionpath C:\ , i.e. a Windows Defender exclusion for the whole system drive)
      PID: 868
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          PID: 1560
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      PID: 1484
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /renew
          PID: 1728
          - Gathers network information

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      PID: 1908
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JTM05I0OIA8YM4WTF9EA.temp
  Filesize: 7KB
  MD5: bd948ad37e15f4cbdd9077285d5f8563
  SHA1: 4dddffeb5524f32c11ecc8612dd398647062b5d8
  SHA256: 1f38cfb1d964bb66ba1148e11364fa8de35de59aedf6e79ca4cc72272c954fce
  SHA512: bd48170c588bbdcd960dc4ad75ad727fde4a570274898004d3f49a478d371e8d498c801047dde78613d430f8d019295beb0108a2989436be2d18ffeec5cdd250

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: bd948ad37e15f4cbdd9077285d5f8563
  SHA1: 4dddffeb5524f32c11ecc8612dd398647062b5d8
  SHA256: 1f38cfb1d964bb66ba1148e11364fa8de35de59aedf6e79ca4cc72272c954fce
  SHA512: bd48170c588bbdcd960dc4ad75ad727fde4a570274898004d3f49a478d371e8d498c801047dde78613d430f8d019295beb0108a2989436be2d18ffeec5cdd250