Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/08/2023, 09:31
Static task: static1
Behavioral task: behavioral1 (sample Booking0217pdf.exe, resource win7-20230712-en)
Behavioral task: behavioral2 (sample Booking0217pdf.exe, resource win10v2004-20230703-en)
General
- Target: Booking0217pdf.exe
- Size: 62KB
- MD5: 073a7d0ba4619b63b59e3f3c055a52e5
- SHA1: e7e91c2f94f946627bfd4cae19a263e7d99861cc
- SHA256: cd1a3a3951014346894a253fa1a9dc05b221640be311dc679a83b4f91b1449f0
- SHA512: d1e359651d072d18c645b05e016c8407e2f9ca17693cfbd73a04bf7c163865df640ec7cb81ebfc79522cf2e84b22f3e5cb73be088ee4b200c3a5fe4185de3ebb
- SSDEEP: 768:4e9QoE/ASU2kRpqoOkAdsA9kWFXXtwboYzAF+IFqoZlO1iG8IYiV/eXlPxWEaB:4eid5kRpqIsdFn0Hz2qoFI7VeVPxu
Malware Config
Extracted
- family: quasar
- version: 1.3.0.0
- botnet: 16th JULY
- C2: 198.98.54.161:6666
- mutex: QSR_MUTEX_Pl8uFsFQG2ggU9gBx9
- encryption_key: 3XivPs8YQVpfxU1EhGZE
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: notes
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoC)
  resource: behavioral2/memory/488-3439-0x0000000000400000-0x000000000045E000-memory.dmp, yara_rule: family_quasar
- Executes dropped EXE (3 IoCs)
  pid 3064 i.exe; pid 1552 m.exe; pid 1144 n.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bwflxqtbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Bwflxqtbmr.exe" (process Booking0217pdf.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bwflxqtbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Bwflxqtbmr.exe" (process i.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Njlzpp = "C:\\Users\\Admin\\AppData\\Roaming\\Njlzpp.exe" (process m.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nhxjlzpp = "C:\\Users\\Admin\\AppData\\Roaming\\Nhxjlzpp.exe" (process n.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 40 api.ipify.org; flow 41 api.ipify.org; flow 55 ip-api.com
- Suspicious use of SetThreadContext (4 IoCs)
  PID 3184 Booking0217pdf.exe set thread context of 2588 (procid_target 93)
  PID 3064 i.exe set thread context of 4200 (procid_target 95)
  PID 1552 m.exe set thread context of 488 (procid_target 103)
  PID 1144 n.exe set thread context of 4364 (procid_target 105)
- Drops file in Windows directory (2 IoCs)
  File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (process MSBuild.exe)
  File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (process MSBuild.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid 4168 WerFault.exe, pid_target 4200, procid_target 95
  pid 1688 WerFault.exe, pid_target 4364, procid_target 105
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2588 MSBuild.exe (2 events); pid 1552 m.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege for pid 3184 Booking0217pdf.exe; pid 2588 MSBuild.exe; pid 3064 i.exe; pid 1552 m.exe; pid 1144 n.exe; pid 488 MSBuild.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 488 MSBuild.exe
- Suspicious use of WriteProcessMemory (47 IoCs; identical events collapsed, number of recorded events in parentheses)
  PID 3184 Booking0217pdf.exe wrote to memory of 3064, procid_target 92 (3)
  PID 3184 Booking0217pdf.exe wrote to memory of 2588, procid_target 93 (8)
  PID 3064 i.exe wrote to memory of 1552, procid_target 94 (3)
  PID 3064 i.exe wrote to memory of 4200, procid_target 95 (8)
  PID 1552 m.exe wrote to memory of 1144, procid_target 100 (3)
  PID 1552 m.exe wrote to memory of 1492, procid_target 101 (3)
  PID 1552 m.exe wrote to memory of 4460, procid_target 102 (3)
  PID 1552 m.exe wrote to memory of 488, procid_target 103 (8)
  PID 1144 n.exe wrote to memory of 4364, procid_target 105 (8)
Processes
- C:\Users\Admin\AppData\Local\Temp\Booking0217pdf.exe (PID 3184)
  command line: "C:\Users\Admin\AppData\Local\Temp\Booking0217pdf.exe"
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\i.exe (PID 3064)
    command line: "C:\Users\Admin\AppData\Local\Temp\i.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\m.exe (PID 1552)
      command line: "C:\Users\Admin\AppData\Local\Temp\m.exe"
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\n.exe (PID 1144)
        command line: "C:\Users\Admin\AppData\Local\Temp\n.exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4364)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          signatures: Drops file in Windows directory
          - C:\Windows\SysWOW64\WerFault.exe (PID 1688)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1004
            signatures: Program crash
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1492)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4460)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 488)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4200)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      signatures: Drops file in Windows directory
      - C:\Windows\SysWOW64\WerFault.exe (PID 4168)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1008
        signatures: Program crash
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2588)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4736)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4200 -ip 4200
- C:\Windows\SysWOW64\WerFault.exe (PID 4028)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4364 -ip 4364
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 62KB
  MD5: ee07551af1ff71c8bf41081af118e533
  SHA1: 5d939457cf3cdde73b8f5d9208c19016ec6dc667
  SHA256: 2d65ad95a0b21f9ed668d3bd5ec95e79e6b69d9defd07f86ee4813cd01ab6dd3
  SHA512: df95760068b8d9aad9603f0f2ec0e70c9c0ccbdbc2b7aa3d0623d580b55abb1ce6642c031560ce38918b5c34d213127dac516347a911ab34f9037c053b1ca00c
- Filesize: 35KB
  MD5: ef2674a7a181ea242fa1d2ce7e1e4c8b
  SHA1: 04899dacbf89ba23aab59537f75415b6bb21c500
  SHA256: 51c425b7dd5cb71e28f1957179756f0d85c14a0c3af8d95151d1a7a345cff99f
  SHA512: a97145fb11c92b85b6c17bad90f66aa6d818cb520af352a02b4dc19ba8c7e6a13f8ed6950737c0234bb7520692b2515de2bf21421070d36a34376ef01754ebdb
- Filesize: 25KB
  MD5: 1737530086de9cfe1ac2f0cdf726b5ae
  SHA1: 2aa91ea20f653f170aa53ac7d996674a41b8d241
  SHA256: 7de8e5f576d2cf58a13f17e7b6e3d51f3529404b4f6e79952e3d832de935ae4c
  SHA512: 0be0d89209579379c62faafb467285da9b8ec46fb7a1281543badd50764f7e543acc600bcce1faf724ef88b60e0927ac66fa80d4637893f299f33f7e33ed1237