Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/08/2023, 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: Booking0217pdf.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Booking0217pdf.exe
  Resource: win10v2004-20230703-en
General
Target: Booking0217pdf.exe
Size: 62KB
MD5: 073a7d0ba4619b63b59e3f3c055a52e5
SHA1: e7e91c2f94f946627bfd4cae19a263e7d99861cc
SHA256: cd1a3a3951014346894a253fa1a9dc05b221640be311dc679a83b4f91b1449f0
SHA512: d1e359651d072d18c645b05e016c8407e2f9ca17693cfbd73a04bf7c163865df640ec7cb81ebfc79522cf2e84b22f3e5cb73be088ee4b200c3a5fe4185de3ebb
SSDEEP: 768:4e9QoE/ASU2kRpqoOkAdsA9kWFXXtwboYzAF+IFqoZlO1iG8IYiV/eXlPxWEaB:4eid5kRpqIsdFn0Hz2qoFI7VeVPxu
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: 16th JULY
C2: 198.98.54.161:6666
Mutex: QSR_MUTEX_Pl8uFsFQG2ggU9gBx9
encryption_key: 3XivPs8YQVpfxU1EhGZE
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: notes
subdirectory: SubDir
Signatures

Quasar payload 1 IoCs
resource  yara_rule
behavioral2/memory/3216-3438-0x0000000000400000-0x000000000045E000-memory.dmp  family_quasar

Executes dropped EXE 3 IoCs
pid   Process
2128  i.exe
212   m.exe
460   n.exe

Adds Run key to start application 2 TTPs 4 IoCs
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bwflxqtbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Bwflxqtbmr.exe"  Booking0217pdf.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bwflxqtbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Bwflxqtbmr.exe"  i.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Njlzpp = "C:\\Users\\Admin\\AppData\\Roaming\\Njlzpp.exe"  m.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nhxjlzpp = "C:\\Users\\Admin\\AppData\\Roaming\\Nhxjlzpp.exe"  n.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
53    api.ipify.org
54    api.ipify.org
75    ip-api.com

Drops file in System32 directory 3 IoCs
description                   ioc  Process
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{478F962B-A548-4C78-B4D8-DF4B5D79B223}.catalogItem  svchost.exe
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat  svchost.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat  svchost.exe

Suspicious use of SetThreadContext 4 IoCs
description                          pid   Process             procid_target
PID 1616 set thread context of 2672  1616  Booking0217pdf.exe  95
PID 2128 set thread context of 4828  2128  i.exe               97
PID 212 set thread context of 3216   212   m.exe               103
PID 460 set thread context of 1604   460   n.exe               104

Drops file in Windows directory 2 IoCs
description                   ioc  Process
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  MSBuild.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid   pid_target  Process       procid_target
1556  4828        WerFault.exe  97
3860  1604        WerFault.exe  104

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2672  MSBuild.exe
2672  MSBuild.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
description              pid   Process
Token: SeDebugPrivilege  1616  Booking0217pdf.exe
Token: SeDebugPrivilege  2672  MSBuild.exe
Token: SeDebugPrivilege  2128  i.exe
Token: SeDebugPrivilege  212   m.exe
Token: SeDebugPrivilege  460   n.exe
Token: SeDebugPrivilege  3216  MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
3216  MSBuild.exe

Suspicious use of WriteProcessMemory 41 IoCs
description                       pid   Process             procid_target  count
PID 1616 wrote to memory of 2128  1616  Booking0217pdf.exe  94             3
PID 1616 wrote to memory of 2672  1616  Booking0217pdf.exe  95             8
PID 2128 wrote to memory of 212   2128  i.exe               96             3
PID 2128 wrote to memory of 4828  2128  i.exe               97             8
PID 212 wrote to memory of 460    212   m.exe               102            3
PID 212 wrote to memory of 3216   212   m.exe               103            8
PID 460 wrote to memory of 1604   460   n.exe               104            8
Processes

C:\Users\Admin\AppData\Local\Temp\Booking0217pdf.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\Booking0217pdf.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
  C:\Users\Admin\AppData\Local\Temp\i.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\i.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
    C:\Users\Admin\AppData\Local\Temp\m.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\m.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:212
      C:\Users\Admin\AppData\Local\Temp\n.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\n.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:460
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        - Drops file in Windows directory
        PID:1604
          C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1004
          - Program crash
          PID:3860
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID:3216
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    - Drops file in Windows directory
    PID:4828
      C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1004
      - Program crash
      PID:1556
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Windows\System32\svchost.exe
cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p
- Drops file in System32 directory
PID:3680

C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4828 -ip 4828
PID:3208

C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1604 -ip 1604
PID:3416
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 62KB
MD5: ee07551af1ff71c8bf41081af118e533
SHA1: 5d939457cf3cdde73b8f5d9208c19016ec6dc667
SHA256: 2d65ad95a0b21f9ed668d3bd5ec95e79e6b69d9defd07f86ee4813cd01ab6dd3
SHA512: df95760068b8d9aad9603f0f2ec0e70c9c0ccbdbc2b7aa3d0623d580b55abb1ce6642c031560ce38918b5c34d213127dac516347a911ab34f9037c053b1ca00c

Filesize: 35KB
MD5: ef2674a7a181ea242fa1d2ce7e1e4c8b
SHA1: 04899dacbf89ba23aab59537f75415b6bb21c500
SHA256: 51c425b7dd5cb71e28f1957179756f0d85c14a0c3af8d95151d1a7a345cff99f
SHA512: a97145fb11c92b85b6c17bad90f66aa6d818cb520af352a02b4dc19ba8c7e6a13f8ed6950737c0234bb7520692b2515de2bf21421070d36a34376ef01754ebdb

Filesize: 25KB
MD5: 1737530086de9cfe1ac2f0cdf726b5ae
SHA1: 2aa91ea20f653f170aa53ac7d996674a41b8d241
SHA256: 7de8e5f576d2cf58a13f17e7b6e3d51f3529404b4f6e79952e3d832de935ae4c
SHA512: 0be0d89209579379c62faafb467285da9b8ec46fb7a1281543badd50764f7e543acc600bcce1faf724ef88b60e0927ac66fa80d4637893f299f33f7e33ed1237

Filesize: 14KB
MD5: c01eaa0bdcd7c30a42bbb35a9acbf574
SHA1: 0aee3e1b873e41d040f1991819d0027b6cc68f54
SHA256: 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512: d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
Filesize: 29KB
MD5: 6d308191115b992f40ba6b43df23ed26
SHA1: 0b8aaa42ef60d022cbd301d32567bdbc7172340c
SHA256: 7980a436c8ba91e94ca0992826ca72bcdab1b61223cd1772546f9d929abb78dc
SHA512: f5b081a4e61e7706c426c9e4c8fe29a165f1cd51128f90b07f9f5eab6aa00b15ed776cefb80004919fd66dc36997b586b17533d823d73080b5bfc8cf1430758e