Analysis
- max time kernel: 1766s
- max time network: 1779s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/08/2023, 11:08
Behavioral task behavioral1
- Sample: Adobe Acrobat DC Setup.exe
- Resource: win10-20230703-en
Behavioral task behavioral2
- Sample: Adobe Acrobat DC Setup.exe
- Resource: win10v2004-20230703-en
General
- Target: Adobe Acrobat DC Setup.exe
- Size: 3.6MB
- MD5: e5ba9440e3338884a7963995ca9132d7
- SHA1: aa177c582fff33279a5e9fd27104c43cbf8d8a70
- SHA256: 1eac2dc913dd6753e4195898af82412511a503990e1d5b7a86fd5919f6feee82
- SHA512: 54e3b044a9ae4583e89695e9c7ab1e6933ea38ff55473f32537b0a9adf6522a7fb433bc143224e0b6f79223692b474acbd1196fc2e2b361f1182062250a76bc7
- SSDEEP: 98304:4ZeSO1fNPbR/5pGs4+Lrlkixl7u2J43gZxbCaly7yhR+pd2SwGJYdy8K+I:cIWJX8K
Malware Config
Extracted (partial)
- Family: quasar
- reconnect_delay: 3000
Extracted
- Family: quasar
- Version: 1.0
- Botnet tag: Powershell
- C2: 0.tcp.eu.ngrok.io:16640
- Mutex: 039bf99d-a398-4525-a7b4-00d8916a2e80
- encryption_key: 8A2A7B58F2803115FF796E733C7311493928333B
- install_name: AppLaunch.exe
- log_directory: Windows Logs
- reconnect_delay: 3000
- startup_key: Windows Update
- subdirectory: Windows Applications
Note: install_name (AppLaunch.exe) is the name the config asks the client to install itself under, but the file this run actually dropped and executed is powershеll.exe (see Signatures and Processes), so both names belong in the hunt set together with the startup_key value and the scheduled task name.
Signatures
Quasar payload (5 IoCs)
resource | yara_rule
- behavioral2/memory/3992-134-0x00000000005C0000-0x0000000000964000-memory.dmp | family_quasar
- behavioral2/files/0x00080000000231c8-140.dat | family_quasar
- behavioral2/files/0x00080000000231c8-147.dat | family_quasar
- behavioral2/files/0x00080000000231c8-149.dat | family_quasar
- behavioral2/memory/1408-150-0x00000000003D0000-0x0000000000702000-memory.dmp | family_quasar
Executes dropped EXE (1 IoC)
pid | Process
- 1408 | powershеll.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The C2 in the extracted config is an ngrok TCP tunnel endpoint (0.tcp.eu.ngrok.io:16640): the hostname belongs to the tunnel service rather than to attacker infrastructure, and the port is typically assigned per tunnel session, so neither is a durable indicator on its own.
Drops file in System32 directory (1 IoC)
description | ioc | Process
- File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe | Adobe Acrobat DC Setup.exe
The dropper is a 32-bit process (note the SysWOW64 copy of schtasks.exe it spawns), so a write it addresses to System32 is redirected by WoW64 file system redirection and lands in SysWOW64, beside the 32-bit powershell.exe. The dropped file is not the real powershell.exe: its name differs only by a look-alike non-ASCII letter, so a plain string comparison against "powershell.exe" will not match it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task registered here (name "PowerShell", trigger ONLOGON) points at %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe; the Task Scheduler service is 64-bit and is not subject to the redirection noted above, so when hunting check both the System32 and the SysWOW64 WindowsPowerShell\v1.0 directory for the look-alike name.
pid | Process
- 3088 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
- 1408 | powershеll.exe
- 1408 | powershеll.exe
- 1408 | powershеll.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
- Token: SeDebugPrivilege | 1408 | powershеll.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
- 1408 | powershеll.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
- PID 3992 wrote to memory of 3088 | 3992 | Adobe Acrobat DC Setup.exe | 81
- PID 3992 wrote to memory of 3088 | 3992 | Adobe Acrobat DC Setup.exe | 81
- PID 3992 wrote to memory of 3088 | 3992 | Adobe Acrobat DC Setup.exe | 81
- PID 3992 wrote to memory of 1408 | 3992 | Adobe Acrobat DC Setup.exe | 83
- PID 3992 wrote to memory of 1408 | 3992 | Adobe Acrobat DC Setup.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 3992
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /SC ONLOGON /tn PowerShell /tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe
      - Creates scheduled task(s)
      PID: 3088
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1408
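The behaviour in the process tree above (an ONLOGON scheduled task whose target, like the dropped binary itself, carries a look-alike file name inside a WindowsPowerShell\v1.0 directory, plus a 32-bit dropper whose System32 path is redirected to SysWOW64) can be checked mechanically over process-creation telemetry. The Python below is an added example, not part of the sandbox report or of any tool the report names. The event records are constructed from the report's process tree (PIDs, image paths and command lines copied from it; the record shape, roughly Sysmon event 1, and the root process having no recorded parent are assumptions), and the confusable table is a small hand-picked subset, not the full Unicode confusables data.

```python
import re
import unicodedata

# Constructed process-creation events modelled on the report's process tree.
# PIDs, image paths and command lines are copied from the report; the record
# shape (roughly Sysmon event 1) and the root's missing parent are assumptions.
EVENTS = [
    {"pid": 3992, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC Setup.exe"'},
    {"pid": 3088, "ppid": 3992,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /create /f /SC ONLOGON /tn PowerShell "
                r"/tr %systemroot%\System32\WindowsPowerShell\v1.0\powershеll.exe"},
    {"pid": 1408, "ppid": 3992,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershеll.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershеll.exe"'},
]

# Hand-picked subset of Cyrillic/Greek letters that render like Latin ones
# (an assumption-level table, not the full Unicode confusables list).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u03bf": "o", "\u03b1": "a",
}
# Binaries whose names are worth guarding against look-alikes (example list).
WATCHED = ("powershell.exe", "cmd.exe", "explorer.exe", "svchost.exe", "rundll32.exe")
LOGON_TRIGGERS = {"onlogon", "onstart"}


def non_ascii_chars(name):
    """Every non-ASCII character in name as (index, char, 'U+XXXX', Unicode name)."""
    return [(i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]


def skeleton(name):
    """Fold look-alike letters to ASCII and lower-case, so a spoofed name compares equal to the real one."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def is_lookalike(name, expected):
    """True when name is not literally `expected` but folds to it."""
    return name.lower() != expected.lower() and skeleton(name) == expected.lower()


def basename(path):
    return re.split(r"[\\/]", path.strip('"'))[-1]


def tokenize(cmdline):
    """Split a Windows command line into arguments, keeping quoted ones whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {'tn', 'tr', 'sc'} for a 'schtasks /create' command line, else None."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    return {lowered[i][1:]: toks[i + 1]
            for i in range(len(toks) - 1) if lowered[i] in ("/tn", "/tr", "/sc")}


def wow64_redirect(path):
    """Where a 32-bit process really lands when it names System32: WoW64 redirects it to SysWOW64."""
    return re.sub(r"(?i)\\System32\\", r"\\SysWOW64\\", path)


def analyze(events):
    """Run the three checks over the events and return a list of findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # 1. image name that mimics a well-known binary via look-alike characters
        img = basename(e["image"])
        for w in WATCHED:
            if is_lookalike(img, w):
                findings.append({"rule": "lookalike_image", "pid": e["pid"], "name": img,
                                 "mimics": w, "chars": non_ascii_chars(img)})
        # 2. logon/boot-triggered scheduled task, worse if its target is a look-alike
        task = parse_schtasks(e["cmdline"])
        if task and task.get("sc", "").lower() in LOGON_TRIGGERS:
            target = basename(task.get("tr", ""))
            rule = ("schtasks_lookalike_target" if any(is_lookalike(target, w) for w in WATCHED)
                    else "schtasks_logon_persistence")
            findings.append({"rule": rule, "pid": e["pid"], "task": task.get("tn"),
                             "target": task.get("tr"),
                             "parent": by_pid.get(e["ppid"], {}).get("image")})
        # 3. launched as a System32 path but actually running from SysWOW64 (32-bit redirection)
        launched = tokenize(e["cmdline"])[0] if e["cmdline"] else ""
        if launched.lower() != e["image"].lower() and wow64_redirect(launched).lower() == e["image"].lower():
            findings.append({"rule": "wow64_path_mismatch", "pid": e["pid"],
                             "launched": launched, "image": e["image"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the report's own events this yields three findings: the dropped image is a look-alike of powershell.exe (the offending code point is reported so it can be put into a rule), the ONLOGON task targets that look-alike, and PID 1408 was launched under a System32 path while its real image is under SysWOW64. The skeleton comparison is deliberately done on the basename only; apply it to the full path as well if you also want to catch look-alike directory names.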
Downloads
- Filesize: 304B
  MD5: 50defcfc4bbe2e8d0ceb51423e803119
  SHA1: 23ac63264c00e6f5d9de38c723476c5a4ec94899
  SHA256: 3233e42f48eda5768ad96e4b967d3b6f650afe748cf9d3e95d711bef462627a9
  SHA512: 34b6a15292027e1d94ede71dea898df6154bf7e3ed52b8b6dc01882ee376087e95b659cb21c57eeec4c94f657dd94918598628dc7cb37e33861bb382422e5087
- Filesize: 3.2MB
  MD5: fdd63d8e4b7dd0c30b0db7e3eeecacf5
  SHA1: 459e5f66dbcba0c68055de45621bd0a1f02d9058
  SHA256: 4fb157d755b2747ee028d5b8e79b9a5a8ad76bcea6c0c0c4321b3c968b0995d3
  SHA512: c8291cfb83564d7ff999713d16b2ccc627ec38a88f1aa9e04724c483f66ef14cc56a096ecc7321b213c68c56f2d910b49513948e61a84f390c105df46ee59650