Analysis
max time kernel: 1566s
max time network: 1780s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2023, 01:03
Behavioral task: behavioral1
Sample: intelservice.exe
Resource: win7-20231020-en
General
Target: intelservice.exe
Size: 348KB
MD5: 2f890b7ca2e7b4b24bb534c28e54d7cf
SHA1: e8d9f966c18f10f1eff01478d41dabacd0300da5
SHA256: 92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7
SHA512: 666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841
SSDEEP: 6144:60qQ4i1FFiEKDvLJavf52ibVcbVKglEb0ouAYyj9jZV293DIa:rpliTVOf56WBYylc3DIa
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: hackee
C2: 20.205.140.63:1024
Mutex: QSR_MUTEX_5Tlo4RbwyDWBOOlMEb
Attributes:
encryption_key: zFGtr8G9lnuwN5OHbzbL
install_name: intelservice.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Intel CPU Service
subdirectory: intelcpu
Signatures

Quasar payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1384-0-0x0000000001270000-0x00000000012CE000-memory.dmp | family_quasar
behavioral1/files/0x000d000000012252-5.dat | family_quasar
behavioral1/files/0x000d000000012252-8.dat | family_quasar
behavioral1/files/0x000d000000012252-9.dat | family_quasar
behavioral1/memory/2728-10-0x0000000000F20000-0x0000000000F7E000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
pid | Process
2728 | intelservice.exe

Loads dropped DLL (1 IoC)
pid | Process
1384 | intelservice.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2616 | schtasks.exe
2316 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1384 | intelservice.exe
Token: SeDebugPrivilege | 2728 | intelservice.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2728 | intelservice.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1384 wrote to memory of 2316 | 1384 | intelservice.exe | 29
PID 1384 wrote to memory of 2316 | 1384 | intelservice.exe | 29
PID 1384 wrote to memory of 2316 | 1384 | intelservice.exe | 29
PID 1384 wrote to memory of 2316 | 1384 | intelservice.exe | 29
PID 1384 wrote to memory of 2728 | 1384 | intelservice.exe | 31
PID 1384 wrote to memory of 2728 | 1384 | intelservice.exe | 31
PID 1384 wrote to memory of 2728 | 1384 | intelservice.exe | 31
PID 1384 wrote to memory of 2728 | 1384 | intelservice.exe | 31
PID 2728 wrote to memory of 2616 | 2728 | intelservice.exe | 32
PID 2728 wrote to memory of 2616 | 2728 | intelservice.exe | 32
PID 2728 wrote to memory of 2616 | 2728 | intelservice.exe | 32
PID 2728 wrote to memory of 2616 | 2728 | intelservice.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\intelservice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\intelservice.exe"
  PID: 1384
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "Intel CPU Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\intelservice.exe" /rl HIGHEST /f
    PID: 2316
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe
    Command line: "C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe"
    PID: 2728
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "Intel CPU Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe" /rl HIGHEST /f
      PID: 2616
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 348KB
MD5: 2f890b7ca2e7b4b24bb534c28e54d7cf
SHA1: e8d9f966c18f10f1eff01478d41dabacd0300da5
SHA256: 92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7
SHA512: 666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841