Analysis

  Max time kernel:   479s
  Max time network:  486s
  Platform:          windows10-1703_x64
  Resource:          win10-20230703-en
  Resource tags:     arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  Submitted:         13/08/2023, 11:05
Behavioral tasks

  behavioral1   Sample: Adobe Acrobat DC Setup.exe   Resource: win10-20230703-en
  behavioral2   Sample: Adobe Acrobat DC Setup.exe   Resource: win10v2004-20230703-en

All signatures, YARA hits and the process tree below are from behavioral1.
General

  Target:  Adobe Acrobat DC Setup.exe
  Size:    3.6MB
  MD5:     199601c1d96b5fcde87f700c4d2ed29b
  SHA1:    1b59c81736b9ccebdb76bf826ab88dfd52f0dcd3
  SHA256:  502571801e831f1f780c9b44bfc403f79f16de18f5b570d54816a5f9be0be22e
  SHA512:  058ef1272748f339315d75f4ba474bb04231386e777ab60c8717a4fb8323eefcebd47798964efb34c11e1a3caf97480985889071635b440a94aa29ed32c94b2a
  SSDEEP:  98304:cH/92AYawl1WPOl6NVLkJ0xECgR16/9NdBI:aljxYG9z
Malware Config

Extracted: quasar (partial extraction, one field only)
  reconnect_delay:  3000

Extracted: quasar
  Version:          1.0
  Botnet (tag):     PowerShell
  C2:               0.tcp.eu.ngrok.io:15101
  Mutex:            74e865e7-8aad-4e3d-9444-006353e7ca31
  encryption_key:   8A2A7B58F2803115FF796E733C7311493928333B
  install_name:     launcher.exe
  log_directory:    Windows Logs
  reconnect_delay:  3000
  startup_key:      Opera Launcher
  subdirectory:     Opera Software

The C2 is an ngrok TCP tunnel: the hostname prefix and port are assigned per tunnel and change when the operator restarts it, so the stable values to pivot on are the mutex, the encryption key and the Opera-themed install_name/subdirectory/startup_key, which are chosen to blend in with a real Opera installation.
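Turning the extracted fields above into hunt logic, as an added example that is not part of the tria.ge report: it parses the C2, flags any ngrok TCP tunnel hostname rather than only the one endpoint seen here (a generalisation, since the tunnel's number and port are ephemeral), derives the host artifacts the config implies, and runs the check over constructed Sysmon-style events. The install base (%APPDATA%), the Sysmon field names, the sample events and the lookalike letter written as \u0435 in the image path are assumptions.

```python
"""Hunt logic derived from the Quasar config in this report, run over
constructed Sysmon-style events. Added example; not part of the report."""
import re

# Fields copied from the "Malware Config" section of this report.
QUASAR_CONFIG = {
    "version": "1.0",
    "botnet": "PowerShell",
    "c2": "0.tcp.eu.ngrok.io:15101",
    "mutex": "74e865e7-8aad-4e3d-9444-006353e7ca31",
    "encryption_key": "8A2A7B58F2803115FF796E733C7311493928333B",
    "install_name": "launcher.exe",
    "subdirectory": "Opera Software",
    "startup_key": "Opera Launcher",
    "log_directory": "Windows Logs",
    "reconnect_delay": 3000,
}

# ngrok TCP tunnel endpoints look like "<n>.tcp.ngrok.io" or
# "<n>.tcp.<region>.ngrok.io". The number and port are assigned per tunnel,
# so matching the pattern also catches the next tunnel the operator opens.
NGROK_TCP = re.compile(r"^\d+\.tcp\.(?:[a-z]{2}\.)?ngrok\.io$", re.IGNORECASE)


def parse_c2(c2: str) -> tuple[str, int]:
    """Split the report's host:port string into its parts."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def is_ngrok_tcp_tunnel(hostname: str) -> bool:
    return NGROK_TCP.match(hostname) is not None


def expected_artifacts(cfg: dict, install_base: str = "%APPDATA%") -> dict:
    """Host artifacts implied by the config. Quasar installs itself as
    <base>\\<subdirectory>\\<install_name>; the base (AppData, Program Files
    or System) is a builder option the extracted config does not carry, so
    %APPDATA% is an assumption. The keylogger directory lives under the
    roaming profile and the startup value goes in the Run key (HKCU or HKLM
    depending on privileges)."""
    return {
        "install_path": "\\".join([install_base, cfg["subdirectory"], cfg["install_name"]]),
        "run_value_name": cfg["startup_key"],
        "keylog_dir": "\\".join(["%APPDATA%", cfg["log_directory"]]),
        "mutex": cfg["mutex"],
    }


def hunt(events: list[dict], cfg: dict) -> list[tuple[str, dict]]:
    """Return (reason, event) pairs for events that touch the configured C2
    or any ngrok TCP tunnel. Sysmon field names are assumed: QueryName for
    EventID 22 (DNS), DestinationHostname/DestinationPort for EventID 3."""
    c2_host, c2_port = parse_c2(cfg["c2"])
    hits = []
    for ev in events:
        name = ev.get("QueryName") or ev.get("DestinationHostname")
        if not name:
            continue
        port = ev.get("DestinationPort", c2_port)  # DNS events carry no port
        if name.lower() == c2_host.lower() and port == c2_port:
            hits.append(("known_c2", ev))
        elif is_ngrok_tcp_tunnel(name):
            hits.append(("ngrok_tcp_tunnel", ev))
    return hits


# Constructed events, not taken from the report's network capture. The
# implant image name uses \u0435 (Cyrillic small ie) as its lookalike letter.
IMPLANT = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powersh\u0435ll.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": IMPLANT, "QueryName": "0.tcp.eu.ngrok.io"},
    {"EventID": 3, "Image": IMPLANT,
     "DestinationHostname": "0.tcp.eu.ngrok.io", "DestinationPort": 15101},
    {"EventID": 3, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Opera Software\\launcher.exe",
     "DestinationHostname": "4.tcp.ngrok.io", "DestinationPort": 12345},
    {"EventID": 22, "Image": "C:\\Program Files\\Opera\\launcher.exe",
     "QueryName": "autoupdate.geo.opera.com"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80},
]

if __name__ == "__main__":
    for reason, ev in hunt(SAMPLE_EVENTS, QUASAR_CONFIG):
        print(reason, ev["Image"], ev.get("QueryName") or ev["DestinationHostname"])
    for key, value in expected_artifacts(QUASAR_CONFIG).items():
        print(f"{key}: {value}")
```

Only the first two constructed events hit the configured endpoint; the third is caught by the tunnel pattern alone, which is the check to keep once this particular tunnel is gone. The genuine Opera update traffic and the Windows Update connection produce no hits.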
Signatures

Quasar payload (5 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/3168-118-0x0000000000FC0000-0x0000000001364000-memory.dmp    family_quasar
  behavioral1/files/0x000800000001af2f-123.dat                                    family_quasar
  behavioral1/files/0x000800000001af2f-124.dat                                    family_quasar
  behavioral1/memory/3172-126-0x0000000000270000-0x00000000005A2000-memory.dmp    family_quasar
  behavioral1/files/0x000800000001af2f-144.dat                                    family_quasar
  The rule matches the dropper's own memory (PID 3168), the dropped file, and the dropped file's process (PID 3172).

Executes dropped EXE (2 IoCs)
  pid    Process
  3172   powershеll.exe
  4680   powershеll.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The configured C2, 0.tcp.eu.ngrok.io:15101, is an ngrok TCP tunnel.
Drops file in System32 directory (1 IoC)
  description    ioc                                                         Process
  File created   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe   Adobe Acrobat DC Setup.exe
  The dropper targets the System32 PowerShell directory (the task action and the child's command line both name System32), but the file lands under SysWOW64: WOW64 file-system redirection, which indicates the dropper is a 32-bit process. The name is a lookalike of powershell.exe with a non-ASCII letter in place of the first "e", so it does not collide with the genuine 32-bit powershell.exe in the same directory.

Drops file in Windows directory (2 IoCs)
  description    ioc                                                    Process
  File created   C:\Windows\rescache\_merged\1601268389\3877292338.pri   taskmgr.exe
  File created   C:\Windows\rescache\_merged\4183903823\810424605.pri    taskmgr.exe
  Both writes come from taskmgr.exe (PID 4800), a top-level process in this run and not a child of the sample; treat them as sandbox-session noise.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  4692   schtasks.exe
  The task is named PowerShell, runs at every logon (/SC ONLOGON) and points at the lookalike powershеll.exe under %systemroot%\System32\WindowsPowerShell\v1.0 (full command line in the process tree below).

Modifies registry class (1 IoC)
  description   ioc                                                                                     Process
  Key created   \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings   taskmgr.exe
  taskmgr.exe activity, not the sample's.

Opens file in notepad (likely ransom note) (1 IoC)
  pid    Process
  2236   NOTEPAD.EXE
  Heuristic hit only: the file opened is C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, a stock PowerShell formatting file, and NOTEPAD.EXE is a top-level process in this run. Quasar is a RAT; no ransom note is involved.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4800 taskmgr.exe (all 64 entries)
  PID 4800 is Task Manager, a top-level process unrelated to the sample; the same applies to its entries below.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4800 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                       pid    Process
  Token: SeDebugPrivilege           3172   powershеll.exe
  Token: SeDebugPrivilege           4800   taskmgr.exe
  Token: SeSystemProfilePrivilege   4800   taskmgr.exe
  Token: SeCreateGlobalPrivilege    4800   taskmgr.exe
  Token: SeDebugPrivilege           4680   powershеll.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 4800 taskmgr.exe (all 64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid 4800 taskmgr.exe (all 64 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  3172   powershеll.exe
  4680   powershеll.exe
  Both Quasar instances install a Windows hook, consistent with Quasar's keylogger, which relies on a low-level keyboard hook.

Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid    Process                      procid_target
  PID 3168 wrote to memory of 4692   3168   Adobe Acrobat DC Setup.exe   70   (3 entries)
  PID 3168 wrote to memory of 3172   3168   Adobe Acrobat DC Setup.exe   72   (2 entries)
  All five writes are the dropper (PID 3168) writing into the two children it spawned, schtasks.exe (4692) and powershеll.exe (3172); no writes into unrelated processes were recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe   PID 3168
  "C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  +- C:\Windows\SysWOW64\schtasks.exe   PID 4692
       schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe
       - Creates scheduled task(s)

  +- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe   PID 3172
       "C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"
       - Executes dropped EXE
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskmgr.exe   PID 4800   (top level)
  "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe   PID 4200   (top level)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE   PID 2236   (top level)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
  - Opens file in notepad (likely ransom note)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe   PID 4680   (top level)
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Notes on the tree: the only processes spawned by the sample are schtasks.exe and the first powershеll.exe instance; taskmgr.exe, rundll32.exe and NOTEPAD.EXE are top-level processes from the sandbox session. PID 3172's command line names System32 while its image is under SysWOW64 (WOW64 redirection). The second powershеll.exe instance (PID 4680) is top level with no parent shown. In every occurrence, powershеll.exe is spelled with a non-ASCII lookalike letter, so string searches for powershell.exe will not match it.
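The persistence in this tree hinges on a filename trick: the task runs powershеll.exe, whose first "e" is a non-ASCII lookalike, from the real PowerShell directory, so a search for powershell.exe misses it. The following added example (not part of the tria.ge report) folds Cyrillic lookalikes to ASCII and flags scheduled-task actions and process image paths whose folded name is a protected Windows binary while the raw name is not ASCII. The confusable subset, the protected-name list and the sample inputs are assumptions; the lookalike letter is written as \u0435 (Cyrillic small ie) in the constructed inputs.

```python
"""Spot executables that impersonate a Windows binary through Unicode
lookalike letters, as the dropped powershеll.exe in this run does.
Added example; not part of the tria.ge report."""
import re
import unicodedata
from typing import Optional

# Cyrillic letters that render like ASCII in most fonts. A small subset of
# the Unicode confusables table, assumed for this example; extend it for use.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0425": "X", "\u0405": "S", "\u0406": "I", "\u0408": "J", "\u041a": "K",
}

# Names worth protecting: binaries that persistence and execution hide
# behind. Assumed list for the example.
PROTECTED_NAMES = {
    "powershell.exe", "cmd.exe", "svchost.exe", "explorer.exe", "rundll32.exe",
    "schtasks.exe", "conhost.exe", "csrss.exe", "lsass.exe", "wscript.exe",
}


def basename(path: str) -> str:
    """Last path component, tolerant of quotes and either separator."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1]


def skeleton(name: str) -> str:
    """Fold lookalikes to ASCII and lowercase, so spoof and original compare equal."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def impersonated_binary(path: str) -> Optional[str]:
    """Return the protected name a path is impersonating, or None.
    A merely non-ASCII name (résumé.exe) is not a spoof; only a non-ASCII
    name whose skeleton equals a protected name is."""
    name = basename(path)
    if name.isascii():
        return None
    twin = skeleton(name)
    return twin if twin in PROTECTED_NAMES else None


def schtasks_action(cmdline: str) -> Optional[str]:
    """Extract the /tr (task run) argument from a schtasks /create line."""
    m = re.search(r'/tr\s+("[^"]*"|\S+)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def spoofed_tasks(cmdlines: list[str]) -> list[tuple[str, str]]:
    """(task action, impersonated binary) for each scheduled task whose
    action runs a lookalike binary."""
    found = []
    for line in cmdlines:
        action = schtasks_action(line)
        if action is None:
            continue
        twin = impersonated_binary(action)
        if twin:
            found.append((action, twin))
    return found


# Constructed inputs. The first command line mirrors the one in this report.
SAMPLE_CMDLINES = [
    "schtasks /create /f /SC ONLOGON /tn PowerShell "
    "/tr %systemroot%\\System32\\WindowsPowerShell\\v1.0\\powersh\u0435ll.exe",
    'schtasks /create /SC DAILY /tn Backup /tr "C:\\Program Files\\Backup\\backup.exe"',
    "schtasks /query /tn PowerShell",
]

SAMPLE_IMAGES = [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powersh\u0435ll.exe",  # the dropped file
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",        # genuine 32-bit PowerShell
    "C:\\Windows\\System32\\svch\u043est.exe",                               # Cyrillic o
    "C:\\Users\\Admin\\Documents\\r\u00e9sum\u00e9.exe",                     # non-ASCII, not a spoof
]

if __name__ == "__main__":
    for image in SAMPLE_IMAGES:
        print(f"{image!r:75} -> {impersonated_binary(image)}")
    for action, twin in spoofed_tasks(SAMPLE_CMDLINES):
        print(f"scheduled task runs {action!r}, impersonating {twin}")
```

The directory is deliberately not part of the verdict: the genuine 32-bit powershell.exe lives in the same SysWOW64\WindowsPowerShell\v1.0 folder, so the path alone is not suspicious here; the name is.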
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (the report lists it three times with identical hashes; these are the three behavioral1/files/0x000800000001af2f-*.dat artifacts matched by family_quasar above)
  Filesize:  3.2MB
  MD5:       5db8ff057e7b3926bad10ee2a2501377
  SHA1:      5531cd789c3c0906957ced945f3e72501eb7e2f5
  SHA256:    ecd4a99e2844c0fe336a820ce67effd8d93e13c45fe3bae5b943d6d95833fc20
  SHA512:    fbf5001d18595de04b25e7fc983980dcd5f19d1e72e68174a2ca237786dc0d3575e8e1a9c332dda3acae51715c3f6259ca88b883a8fbbef3d1eeb30273ce8982