Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system -
submitted
26-06-2023 01:31
Behavioral task
behavioral1
Sample
6e5babe25aad66144dd2e15ab97bd38b.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
6e5babe25aad66144dd2e15ab97bd38b.exe
Resource
win10v2004-20230621-en
General
-
Target
6e5babe25aad66144dd2e15ab97bd38b.exe
-
Size
385KB
-
MD5
6e5babe25aad66144dd2e15ab97bd38b
-
SHA1
61d589a0814a1ef9a0b1a06454f9761fe81ddbff
-
SHA256
fbbb647aeb0707b5897f74bc3616b275406c6fce1ac0409a6f582fdfcc2de147
-
SHA512
6547309b05f1ffec63c5ea9c92bb536d37ca1b7104df936324ba19dfb53dff0aa9135f3a9bd4aa0ae46a210048db9b5694424e00bd47e2cb2ab63df5a4f52896
-
SSDEEP
6144:F8jlR5z3XxhxrL8rK/A0j1/zTzTLNozbLRpw34urkR10efUK0:FMlHzHxhV/Aqipw3XQztfK
Malware Config
Extracted
quasar
1.4.0.0
Down
simplmizer.duckdns.org:1337
rhoc35VS3mkrMtkPb1
-
encryption_key
AN1JmoUwwzfA1Metx4Ze
-
install_name
taskhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
EdgeBrowser
-
subdirectory
SubDir
Signatures
-
Quasar payload 10 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1936-54-0x0000000000E40000-0x0000000000EA6000-memory.dmp  family_quasar
\Windows\SysWOW64\SubDir\taskhost.exe  family_quasar
C:\Windows\SysWOW64\SubDir\taskhost.exe  family_quasar
C:\Windows\SysWOW64\SubDir\taskhost.exe  family_quasar
behavioral1/memory/2040-63-0x0000000000C40000-0x0000000000CA6000-memory.dmp  family_quasar
C:\Windows\SysWOW64\SubDir\taskhost.exe  family_quasar
behavioral1/memory/2040-69-0x0000000004C80000-0x0000000004CC0000-memory.dmp  family_quasar
C:\Windows\SysWOW64\SubDir\taskhost.exe  family_quasar
behavioral1/memory/1708-71-0x00000000049C0000-0x0000000004A00000-memory.dmp  family_quasar
C:\Windows\SysWOW64\SubDir\taskhost.exe  family_quasar
-
Executes dropped EXE 4 IoCs
Processes:
taskhost.exe (4 instances)
pid   process
2040  taskhost.exe
892   taskhost.exe
1708  taskhost.exe
1484  taskhost.exe
-
Loads dropped DLL 1 IoCs
Processes:
6e5babe25aad66144dd2e15ab97bd38b.exe
pid   process
1936  6e5babe25aad66144dd2e15ab97bd38b.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
taskhost.exe
description      ioc                                                                                                                     process
Set value (str)  \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser = "\"C:\\Windows\\SysWOW64\\SubDir\\taskhost.exe\""  taskhost.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
1     ip-api.com
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
taskhost.exe
description   ioc             process
File created  C:\autorun.inf  taskhost.exe
-
Drops file in System32 directory 4 IoCs
Processes:
6e5babe25aad66144dd2e15ab97bd38b.exe, taskhost.exe
description                   ioc                                       process
File created                  C:\Windows\SysWOW64\SubDir\taskhost.exe   6e5babe25aad66144dd2e15ab97bd38b.exe
File opened for modification  C:\Windows\SysWOW64\SubDir\taskhost.exe   6e5babe25aad66144dd2e15ab97bd38b.exe
File opened for modification  C:\Windows\SysWOW64\SubDir\taskhost.exe   taskhost.exe
File opened for modification  C:\Windows\SysWOW64\SubDir                taskhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (3 instances)
pid   process
1776  schtasks.exe
1760  schtasks.exe
544   schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
6e5babe25aad66144dd2e15ab97bd38b.exe, taskhost.exe
description              pid   process
Token: SeDebugPrivilege  1936  6e5babe25aad66144dd2e15ab97bd38b.exe
Token: SeDebugPrivilege  2040  taskhost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
taskhost.exe
pid   process
2040  taskhost.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
6e5babe25aad66144dd2e15ab97bd38b.exe, taskhost.exe, taskeng.exe
Each row below was recorded 4 times (28 IoCs in total).
description                         pid   process                               target process
PID 1936 wrote to memory of 1776    1936  6e5babe25aad66144dd2e15ab97bd38b.exe  schtasks.exe
PID 1936 wrote to memory of 2040    1936  6e5babe25aad66144dd2e15ab97bd38b.exe  taskhost.exe
PID 2040 wrote to memory of 1760    2040  taskhost.exe                          schtasks.exe
PID 2040 wrote to memory of 544     2040  taskhost.exe                          schtasks.exe
PID 360 wrote to memory of 892      360   taskeng.exe                           taskhost.exe
PID 360 wrote to memory of 1708     360   taskeng.exe                           taskhost.exe
PID 360 wrote to memory of 1484     360   taskeng.exe                           taskhost.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\6e5babe25aad66144dd2e15ab97bd38b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6e5babe25aad66144dd2e15ab97bd38b.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks" /create /tn "EdgeBrowser" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\6e5babe25aad66144dd2e15ab97bd38b.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
    -
    [2] C:\Windows\SysWOW64\SubDir\taskhost.exe
        Command line: "C:\Windows\SysWOW64\SubDir\taskhost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "EdgeBrowser" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\taskhost.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
        -
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Windows\SysWOW64\SubDir\taskhost.exe" /sc MINUTE /MO 1
            - Creates scheduled task(s)
-
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {924D889E-EB25-46E0-8238-37B0B9CBC684} S-1-5-21-3465915139-4244146034-2076118314-1000:MSOKFDFP\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\SubDir\taskhost.exe
        Command line: C:\Windows\SysWOW64\SubDir\taskhost.exe
        - Executes dropped EXE
    -
    [2] C:\Windows\SysWOW64\SubDir\taskhost.exe
        Command line: C:\Windows\SysWOW64\SubDir\taskhost.exe
        - Executes dropped EXE
    -
    [2] C:\Windows\SysWOW64\SubDir\taskhost.exe
        Command line: C:\Windows\SysWOW64\SubDir\taskhost.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\SubDir\taskhost.exe
Filesize: 385KB
MD5: 6e5babe25aad66144dd2e15ab97bd38b
SHA1: 61d589a0814a1ef9a0b1a06454f9761fe81ddbff
SHA256: fbbb647aeb0707b5897f74bc3616b275406c6fce1ac0409a6f582fdfcc2de147
SHA512: 6547309b05f1ffec63c5ea9c92bb536d37ca1b7104df936324ba19dfb53dff0aa9135f3a9bd4aa0ae46a210048db9b5694424e00bd47e2cb2ab63df5a4f52896
-
\Windows\SysWOW64\SubDir\taskhost.exe
Filesize: 385KB
MD5: 6e5babe25aad66144dd2e15ab97bd38b
SHA1: 61d589a0814a1ef9a0b1a06454f9761fe81ddbff
SHA256: fbbb647aeb0707b5897f74bc3616b275406c6fce1ac0409a6f582fdfcc2de147
SHA512: 6547309b05f1ffec63c5ea9c92bb536d37ca1b7104df936324ba19dfb53dff0aa9135f3a9bd4aa0ae46a210048db9b5694424e00bd47e2cb2ab63df5a4f52896
-
memory/892-68-0x00000000042F0000-0x0000000004330000-memory.dmp
Filesize: 256KB
-
memory/1708-71-0x00000000049C0000-0x0000000004A00000-memory.dmp
Filesize: 256KB
-
memory/1936-55-0x0000000004A80000-0x0000000004AC0000-memory.dmp
Filesize: 256KB
-
memory/1936-54-0x0000000000E40000-0x0000000000EA6000-memory.dmp
Filesize: 408KB
-
memory/2040-64-0x0000000004C80000-0x0000000004CC0000-memory.dmp
Filesize: 256KB
-
memory/2040-69-0x0000000004C80000-0x0000000004CC0000-memory.dmp
Filesize: 256KB
-
memory/2040-63-0x0000000000C40000-0x0000000000CA6000-memory.dmp
Filesize: 408KB