Analysis
- max time kernel: 133s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/08/2023, 10:46

Static task: static1

Behavioral task: behavioral1
- Sample: Booking0217pdf.exe
- Resource: win7-20230712-en

Behavioral task: behavioral2
- Sample: Booking0217pdf.exe
- Resource: win10v2004-20230703-en
General
- Target: Booking0217pdf.exe
- Size: 62KB
- MD5: 073a7d0ba4619b63b59e3f3c055a52e5
- SHA1: e7e91c2f94f946627bfd4cae19a263e7d99861cc
- SHA256: cd1a3a3951014346894a253fa1a9dc05b221640be311dc679a83b4f91b1449f0
- SHA512: d1e359651d072d18c645b05e016c8407e2f9ca17693cfbd73a04bf7c163865df640ec7cb81ebfc79522cf2e84b22f3e5cb73be088ee4b200c3a5fe4185de3ebb
- SSDEEP: 768:4e9QoE/ASU2kRpqoOkAdsA9kWFXXtwboYzAF+IFqoZlO1iG8IYiV/eXlPxWEaB:4eid5kRpqIsdFn0Hz2qoFI7VeVPxu
Malware Config

Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: 16th JULY
- C2: 198.98.54.161:6666
- Mutex: QSR_MUTEX_Pl8uFsFQG2ggU9gBx9
- encryption_key: 3XivPs8YQVpfxU1EhGZE
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: notes
- subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
resource | yara_rule
behavioral2/memory/2560-3437-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar

Executes dropped EXE (3 IoCs)
pid | Process
4612 | i.exe
4016 | m.exe
2036 | n.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bwflxqtbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Bwflxqtbmr.exe" | Booking0217pdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bwflxqtbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Bwflxqtbmr.exe" | i.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Njlzpp = "C:\\Users\\Admin\\AppData\\Roaming\\Njlzpp.exe" | m.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nhxjlzpp = "C:\\Users\\Admin\\AppData\\Roaming\\Nhxjlzpp.exe" | n.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
50 | ip-api.com
35 | api.ipify.org
36 | api.ipify.org

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 3676 set thread context of 844 | 3676 | Booking0217pdf.exe | 94
PID 4612 set thread context of 2792 | 4612 | i.exe | 96
PID 4016 set thread context of 2560 | 4016 | m.exe | 103
PID 2036 set thread context of 2392 | 2036 | n.exe | 105

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | MSBuild.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3480 | 2792 | WerFault.exe | 96
2400 | 2392 | WerFault.exe | 105

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
844 | MSBuild.exe
844 | MSBuild.exe
4016 | m.exe
4016 | m.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3676 | Booking0217pdf.exe
Token: SeDebugPrivilege | 844 | MSBuild.exe
Token: SeDebugPrivilege | 4612 | i.exe
Token: SeDebugPrivilege | 4016 | m.exe
Token: SeDebugPrivilege | 2036 | n.exe
Token: SeDebugPrivilege | 2560 | MSBuild.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2560 | MSBuild.exe

Suspicious use of WriteProcessMemory (44 IoCs)
description | pid | Process | procid_target
PID 3676 wrote to memory of 4612 | 3676 | Booking0217pdf.exe | 93
PID 3676 wrote to memory of 4612 | 3676 | Booking0217pdf.exe | 93
PID 3676 wrote to memory of 4612 | 3676 | Booking0217pdf.exe | 93
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 3676 wrote to memory of 844 | 3676 | Booking0217pdf.exe | 94
PID 4612 wrote to memory of 4016 | 4612 | i.exe | 95
PID 4612 wrote to memory of 4016 | 4612 | i.exe | 95
PID 4612 wrote to memory of 4016 | 4612 | i.exe | 95
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4612 wrote to memory of 2792 | 4612 | i.exe | 96
PID 4016 wrote to memory of 2036 | 4016 | m.exe | 101
PID 4016 wrote to memory of 2036 | 4016 | m.exe | 101
PID 4016 wrote to memory of 2036 | 4016 | m.exe | 101
PID 4016 wrote to memory of 3904 | 4016 | m.exe | 102
PID 4016 wrote to memory of 3904 | 4016 | m.exe | 102
PID 4016 wrote to memory of 3904 | 4016 | m.exe | 102
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 4016 wrote to memory of 2560 | 4016 | m.exe | 103
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
PID 2036 wrote to memory of 2392 | 2036 | n.exe | 105
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Booking0217pdf.exe  (PID 3676)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Booking0217pdf.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\i.exe  (PID 4612)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\i.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\m.exe  (PID 4016)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\m.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\n.exe  (PID 2036)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\n.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 2392)
            cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            - Drops file in Windows directory
          [6] C:\Windows\SysWOW64\WerFault.exe  (PID 2400)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1004
              - Program crash
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 3904)
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 2560)
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 2792)
        cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        - Drops file in Windows directory
      [4] C:\Windows\SysWOW64\WerFault.exe  (PID 3480)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1004
          - Program crash
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 844)
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 3484)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2792 -ip 2792
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4664)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2392 -ip 2392
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 62KB
  MD5: ee07551af1ff71c8bf41081af118e533
  SHA1: 5d939457cf3cdde73b8f5d9208c19016ec6dc667
  SHA256: 2d65ad95a0b21f9ed668d3bd5ec95e79e6b69d9defd07f86ee4813cd01ab6dd3
  SHA512: df95760068b8d9aad9603f0f2ec0e70c9c0ccbdbc2b7aa3d0623d580b55abb1ce6642c031560ce38918b5c34d213127dac516347a911ab34f9037c053b1ca00c
- Filesize: 35KB
  MD5: ef2674a7a181ea242fa1d2ce7e1e4c8b
  SHA1: 04899dacbf89ba23aab59537f75415b6bb21c500
  SHA256: 51c425b7dd5cb71e28f1957179756f0d85c14a0c3af8d95151d1a7a345cff99f
  SHA512: a97145fb11c92b85b6c17bad90f66aa6d818cb520af352a02b4dc19ba8c7e6a13f8ed6950737c0234bb7520692b2515de2bf21421070d36a34376ef01754ebdb
- Filesize: 25KB
  MD5: 1737530086de9cfe1ac2f0cdf726b5ae
  SHA1: 2aa91ea20f653f170aa53ac7d996674a41b8d241
  SHA256: 7de8e5f576d2cf58a13f17e7b6e3d51f3529404b4f6e79952e3d832de935ae4c
  SHA512: 0be0d89209579379c62faafb467285da9b8ec46fb7a1281543badd50764f7e543acc600bcce1faf724ef88b60e0927ac66fa80d4637893f299f33f7e33ed1237