Analysis
max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2023 11:29

Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20230220-en)
General
Target: file.exe
Size: 3.8MB
MD5: 4693d917d5573d64bfd2a27e46e04504
SHA1: fb97fec5b335804929dc3c8fb7e69073467f4754
SHA256: 2d24effcdf6f620d368752b0bba8f2b96b01b82d95c36b6d5b34ddbe7740362d
SHA512: 05f08728f753b0c115f5e30163c08783d3e0dc68762d621bfd1887e8c41d746fba45f22fc10594f48a852222a432ca99bcfeadc2d83d316eb41c51c7f171749a
SSDEEP: 49152:k6fBW2t1NiKOBFAzHpe64btMTabv3/LQOlFIpfllgqSBZ7rQ0kV8e:k6
Malware Config
Extracted
family: quasar
version: 1.4.0.0
botnet: Office04
c2: hostmeta.duckdns.org:3400
mutex: PCoa0XHES5x7Cr7a01
encryption_key: cH5E0mLkGfudyeRokQBJ
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
resource: behavioral2/memory/1328-182-0x0000000000400000-0x000000000044E000-memory.dmp
yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
Process: file.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\serviceupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\serviceupdate.exe\""
Process: file.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 32
ioc: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
description: PID 2196 set thread context of 1328
pid: 2196
Process: file.exe
procid_target: 103

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid 3436: ipconfig.exe
pid 2272: ipconfig.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid 1832: powershell.exe (2 events)
pid 4780: powershell.exe (2 events)
pid 2196: file.exe (2 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeDebugPrivilege, pid 2196, file.exe
Token: SeDebugPrivilege, pid 1832, powershell.exe
Token: SeDebugPrivilege, pid 4780, powershell.exe
Token: SeDebugPrivilege, pid 1328, aspnet_compiler.exe

Suspicious use of WriteProcessMemory (32 IoCs; 32 write events grouped by source, target and procid_target)
PID 2196 (file.exe) wrote to memory of 3188, procid_target 84 (3 events)
PID 3188 (cmd.exe) wrote to memory of 3436, procid_target 86 (3 events)
PID 2196 (file.exe) wrote to memory of 1832, procid_target 87 (3 events)
PID 2196 (file.exe) wrote to memory of 996, procid_target 96 (3 events)
PID 996 (cmd.exe) wrote to memory of 4780, procid_target 98 (3 events)
PID 2196 (file.exe) wrote to memory of 4668, procid_target 99 (3 events)
PID 4668 (cmd.exe) wrote to memory of 2272, procid_target 101 (3 events)
PID 2196 (file.exe) wrote to memory of 4824, procid_target 102 (3 events)
PID 2196 (file.exe) wrote to memory of 1328, procid_target 103 (8 events)
Processes

file.exe (PID 2196)
  Image: C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    cmd.exe (PID 3188)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      - Suspicious use of WriteProcessMemory

        ipconfig.exe (PID 3436)
          Image: C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /release
          - Gathers network information

    powershell.exe (PID 1832)
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
      (the -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 32)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    cmd.exe (PID 996)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      - Suspicious use of WriteProcessMemory

        powershell.exe (PID 4780)
          Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          (the -ENC argument is base64 of UTF-16LE text and decodes to: set-mppreference -exclusionpath C:\ , i.e. a Defender exclusion for the whole system drive, a strong detection signal on its own)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    cmd.exe (PID 4668)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      - Suspicious use of WriteProcessMemory

        ipconfig.exe (PID 2272)
          Image: C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /renew
          - Gathers network information

    aspnet_compiler.exe (PID 4824)
      Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

    aspnet_compiler.exe (PID 1328)
      Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads