Analysis
max time kernel: 483s
max time network: 489s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/08/2023, 11:05
Behavioral task: behavioral1
Sample: Adobe Acrobat DC Setup.exe
Resource: win10-20230703-en
Behavioral task: behavioral2
Sample: Adobe Acrobat DC Setup.exe
Resource: win10v2004-20230703-en
General
Target: Adobe Acrobat DC Setup.exe
Size: 3.6MB
MD5: 199601c1d96b5fcde87f700c4d2ed29b
SHA1: 1b59c81736b9ccebdb76bf826ab88dfd52f0dcd3
SHA256: 502571801e831f1f780c9b44bfc403f79f16de18f5b570d54816a5f9be0be22e
SHA512: 058ef1272748f339315d75f4ba474bb04231386e777ab60c8717a4fb8323eefcebd47798964efb34c11e1a3caf97480985889071635b440a94aa29ed32c94b2a
SSDEEP: 98304:cH/92AYawl1WPOl6NVLkJ0xECgR16/9NdBI:aljxYG9z
Malware Config
Extracted
Family: quasar
reconnect_delay: 3000
Extracted
Family: quasar
Version: 1.0
Botnet: PowerShell
C2: 0.tcp.eu.ngrok.io:15101
Mutex: 74e865e7-8aad-4e3d-9444-006353e7ca31
encryption_key: 8A2A7B58F2803115FF796E733C7311493928333B
install_name: launcher.exe
log_directory: Windows Logs
reconnect_delay: 3000
startup_key: Opera Launcher
subdirectory: Opera Software
Signatures
Quasar payload (5 IoCs)
resource                                                                            yara_rule
behavioral2/memory/4856-134-0x0000000000CD0000-0x0000000001074000-memory.dmp        family_quasar
behavioral2/files/0x000600000002322f-140.dat                                        family_quasar
behavioral2/files/0x000600000002322f-147.dat                                        family_quasar
behavioral2/files/0x000600000002322f-149.dat                                        family_quasar
behavioral2/memory/2872-150-0x0000000000130000-0x0000000000462000-memory.dmp        family_quasar
Executes dropped EXE (1 IoC)
pid     Process
2872    powershеll.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Drops file in System32 directory (1 IoC)
description     ioc                                                              Process
File created    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe        Adobe Acrobat DC Setup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid     Process
2720    schtasks.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid     Process
Token: SeDebugPrivilege   2872    powershеll.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid     Process
2872    powershеll.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description                        pid     Process                       procid_target
PID 4856 wrote to memory of 2720   4856    Adobe Acrobat DC Setup.exe    82
PID 4856 wrote to memory of 2720   4856    Adobe Acrobat DC Setup.exe    82
PID 4856 wrote to memory of 2720   4856    Adobe Acrobat DC Setup.exe    82
PID 4856 wrote to memory of 2872   4856    Adobe Acrobat DC Setup.exe    84
PID 4856 wrote to memory of 2872   4856    Adobe Acrobat DC Setup.exe    84
Processes
C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"
  PID: 4856
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe
    PID: 2720
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"
    PID: 2872
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.2MB
MD5: 5db8ff057e7b3926bad10ee2a2501377
SHA1: 5531cd789c3c0906957ced945f3e72501eb7e2f5
SHA256: ecd4a99e2844c0fe336a820ce67effd8d93e13c45fe3bae5b943d6d95833fc20
SHA512: fbf5001d18595de04b25e7fc983980dcd5f19d1e72e68174a2ca237786dc0d3575e8e1a9c332dda3acae51715c3f6259ca88b883a8fbbef3d1eeb30273ce8982