Analysis
- max time kernel: 127s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2023, 15:18

Static task: static1

Behavioral task: behavioral1
- Sample: d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe
- Resource: win7-20230712-en
General
- Target: d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe
- Size: 1.4MB
- MD5: 9ef1ba6758ea23950360a34b1e4b0bb0
- SHA1: 45612825204597bb913a0f816bc2e3f2ca47e449
- SHA256: d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997
- SHA512: 190a469ed4acd8187c02e28b1a77ec05ca23b31703b2bad81fda2254af4d9e7c6169fe48ce0d08b68fba78657dad5152c5d05970341fe3797f0dc4a5de88f7dc
- SSDEEP: 24576:scvn1hCiZ+8BuR2vDOlLIHzF1/szzpftNfd:scvnPDyR2fT3szz1X1
Malware Config

Extracted
- family: quasar
- version: 1.4.0.0
- SENSHI 2
- c2: 185.177.125.198:222
- iymJHvH9ynROR1gg75
- encryption_key: 1yjymCTPNsZciyp5n2SW
- install_name: csrss.exe
- log_directory: Logs
- reconnect_delay: 2500
- startup_key: Windows Defender
- subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
resource | yara_rule
behavioral2/memory/1580-222-0x0000000000E00000-0x0000000000E4E000-memory.dmp | family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 2948 created 3172 | 2948 | Complement.pif | 71

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
2948 | Complement.pif
1580 | jsc.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
33 | ip-api.com

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2948 set thread context of 1580 | 2948 | Complement.pif | 99

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
1828 | PING.EXE

Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process | occurrences
2616 | powershell.exe | 3
2564 | powershell.exe | 3
2948 | Complement.pif | 16

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2616 | powershell.exe
Token: SeDebugPrivilege | 2564 | powershell.exe
Token: SeDebugPrivilege | 1580 | jsc.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process | occurrences
2948 | Complement.pif | 3

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process | occurrences
2948 | Complement.pif | 3

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1580 | jsc.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target | occurrences
PID 3644 wrote to memory of 3840 | 3644 | d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe | 81 | 3
PID 3840 wrote to memory of 1728 | 3840 | cmd.exe | 83 | 3
PID 1728 wrote to memory of 2616 | 1728 | cmd.exe | 84 | 3
PID 1728 wrote to memory of 2564 | 1728 | cmd.exe | 90 | 3
PID 1728 wrote to memory of 3180 | 1728 | cmd.exe | 91 | 3
PID 1728 wrote to memory of 2948 | 1728 | cmd.exe | 93 | 3
PID 1728 wrote to memory of 1828 | 1728 | cmd.exe | 94 | 3
PID 2948 wrote to memory of 1852 | 2948 | Complement.pif | 97 | 3
PID 2948 wrote to memory of 1580 | 2948 | Complement.pif | 99 | 5
Processes (indented by the depth level reported in the tree)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3172

  [2] C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3644

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /k cmd < Anyone & exit
        - Suspicious use of WriteProcessMemory
        PID: 3840

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd
          - Suspicious use of WriteProcessMemory
          PID: 1728

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell get-process avastui
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2616

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell get-process avgui
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2564

        [5] C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^yorkshire$" Charts
            PID: 3180

        [5] C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif
            Command line: 22141\\Complement.pif 22141\\s
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 2948

          [6] C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 1580

        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 5 localhost
            - Runs ping.exe
            PID: 1828

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url" & echo URL="C:\Users\Admin\AppData\Local\GcyVAQmegg\bHjXvqekX.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url"
      - Drops startup file
      PID: 1852
Downloads