Analysis
- max time kernel: 148s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2023 01:31
Behavioral task: behavioral1
- Sample: 6e5babe25aad66144dd2e15ab97bd38b.exe
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: 6e5babe25aad66144dd2e15ab97bd38b.exe
- Resource: win10v2004-20230621-en
General
- Target: 6e5babe25aad66144dd2e15ab97bd38b.exe
- Size: 385KB
- MD5: 6e5babe25aad66144dd2e15ab97bd38b
- SHA1: 61d589a0814a1ef9a0b1a06454f9761fe81ddbff
- SHA256: fbbb647aeb0707b5897f74bc3616b275406c6fce1ac0409a6f582fdfcc2de147
- SHA512: 6547309b05f1ffec63c5ea9c92bb536d37ca1b7104df936324ba19dfb53dff0aa9135f3a9bd4aa0ae46a210048db9b5694424e00bd47e2cb2ab63df5a4f52896
- SSDEEP: 6144:F8jlR5z3XxhxrL8rK/A0j1/zTzTLNozbLRpw34urkR10efUK0:FMlHzHxhV/Aqipw3XQztfK
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- Botnet: Down
- C2: simplmizer.duckdns.org:1337
- Mutex: rhoc35VS3mkrMtkPb1
- Attr:
  - encryption_key: AN1JmoUwwzfA1Metx4Ze
  - install_name: taskhost.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: EdgeBrowser
  - subdirectory: SubDir
Signatures
- Quasar payload (5 IoCs)
  resource / yara_rule:
  - behavioral2/memory/3208-133-0x0000000000BB0000-0x0000000000C16000-memory.dmp: family_quasar
  - C:\Windows\SysWOW64\SubDir\taskhost.exe: family_quasar (4 matches)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation (process: taskhost.exe)
- Executes dropped EXE (3 IoCs)
  - PID 1440 taskhost.exe
  - PID 416 taskhost.exe
  - PID 4924 taskhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser = "\"C:\\Windows\\SysWOW64\\SubDir\\taskhost.exe\"" (process: taskhost.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 7: ip-api.com
- Drops autorun.inf file (1 TTP, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  - File created: C:\autorun.inf (process: taskhost.exe)
  - File created: F:\autorun.inf (process: taskhost.exe)
- Drops file in System32 directory (4 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\SubDir\taskhost.exe (process: taskhost.exe)
  - File opened for modification: C:\Windows\SysWOW64\SubDir (process: taskhost.exe)
  - File created: C:\Windows\SysWOW64\SubDir\taskhost.exe (process: 6e5babe25aad66144dd2e15ab97bd38b.exe)
  - File opened for modification: C:\Windows\SysWOW64\SubDir\taskhost.exe (process: 6e5babe25aad66144dd2e15ab97bd38b.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3832 schtasks.exe
  - PID 2216 schtasks.exe
  - PID 828 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 3208 6e5babe25aad66144dd2e15ab97bd38b.exe
  - Token: SeDebugPrivilege, PID 1440 taskhost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1440 taskhost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 3208 (6e5babe25aad66144dd2e15ab97bd38b.exe) wrote to memory of PID 3832 (schtasks.exe), 3 times
  - PID 3208 (6e5babe25aad66144dd2e15ab97bd38b.exe) wrote to memory of PID 1440 (taskhost.exe), 3 times
  - PID 1440 (taskhost.exe) wrote to memory of PID 2216 (schtasks.exe), 3 times
  - PID 1440 (taskhost.exe) wrote to memory of PID 828 (schtasks.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\6e5babe25aad66144dd2e15ab97bd38b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e5babe25aad66144dd2e15ab97bd38b.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "EdgeBrowser" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\6e5babe25aad66144dd2e15ab97bd38b.exe" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\SubDir\taskhost.exe
    Command line: "C:\Windows\SysWOW64\SubDir\taskhost.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops autorun.inf file; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "EdgeBrowser" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\taskhost.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Windows\SysWOW64\SubDir\taskhost.exe" /sc MINUTE /MO 1
      Signatures: Creates scheduled task(s)
- C:\Windows\SysWOW64\SubDir\taskhost.exe
  Command line: C:\Windows\SysWOW64\SubDir\taskhost.exe
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\SubDir\taskhost.exe
  Command line: C:\Windows\SysWOW64\SubDir\taskhost.exe
  Signatures: Executes dropped EXE
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\taskhost.exe.log
  Filesize: 701B
  MD5: 5de8527438c860bfa3140dc420a03e52
  SHA1: 235af682986b3292f20d8d71a8671353f5d6e16d
  SHA256: d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92
  SHA512: 77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8
- C:\Windows\SysWOW64\SubDir\taskhost.exe (listed four times with identical hashes; same file as the submitted sample)
  Filesize: 385KB
  MD5: 6e5babe25aad66144dd2e15ab97bd38b
  SHA1: 61d589a0814a1ef9a0b1a06454f9761fe81ddbff
  SHA256: fbbb647aeb0707b5897f74bc3616b275406c6fce1ac0409a6f582fdfcc2de147
  SHA512: 6547309b05f1ffec63c5ea9c92bb536d37ca1b7104df936324ba19dfb53dff0aa9135f3a9bd4aa0ae46a210048db9b5694424e00bd47e2cb2ab63df5a4f52896
- memory/416-153-0x0000000005910000-0x0000000005920000-memory.dmp (Filesize: 64KB)
- memory/1440-148-0x0000000007510000-0x000000000751A000-memory.dmp (Filesize: 40KB)
- memory/1440-146-0x00000000059A0000-0x00000000059B0000-memory.dmp (Filesize: 64KB)
- memory/1440-151-0x00000000059A0000-0x00000000059B0000-memory.dmp (Filesize: 64KB)
- memory/3208-136-0x0000000005600000-0x0000000005610000-memory.dmp (Filesize: 64KB)
- memory/3208-135-0x0000000005610000-0x00000000056A2000-memory.dmp (Filesize: 584KB)
- memory/3208-137-0x00000000059D0000-0x0000000005A36000-memory.dmp (Filesize: 408KB)
- memory/3208-133-0x0000000000BB0000-0x0000000000C16000-memory.dmp (Filesize: 408KB)
- memory/3208-139-0x0000000006A30000-0x0000000006A6C000-memory.dmp (Filesize: 240KB)
- memory/3208-138-0x0000000006610000-0x0000000006622000-memory.dmp (Filesize: 72KB)
- memory/3208-134-0x0000000005C80000-0x0000000006224000-memory.dmp (Filesize: 5.6MB)
- memory/4924-157-0x0000000005670000-0x0000000005680000-memory.dmp (Filesize: 64KB)