Analysis

max time kernel: 125s
max time network: 130s
platform: windows10-1703_x64
resource: win10-20231023-en
resource tags: arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02-12-2023 05:01
General

Target: Mercuri Update.exe
Size: 3.1MB
MD5: ba64b6ffbb3a484cd6b96f1077ac5347
SHA1: 653f030d369bc3f1377612cf8b372c9085986bd5
SHA256: 948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac
SHA512: be7d2a88f598a353fea7742ddedd52b50b682e7feda66fdee5e9b67167ff30c85a7a988353c227f7967d8eb64c2abc390cb85fe93cd0c2f5a73ddf877ce2f2f8
SSDEEP: 49152:yvKI22SsaNYfdPBldt698dBcjHdGRJ6rbR3LoGdFsDTHHB72eh2NT:yvn22SsaNYfdPBldt6+dBcjHdGRJ69
Malware Config

Extracted
  family: quasar
  1.4.1
  Office04
  vxc-63595.portmap.host:63595
  58e60463-4627-49ee-ab74-e0a77205c078
  encryption_key: D8EDBBB13B1FB3736A6D78215174358FE3F01386
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (1 IoCs)
  resource:  behavioral1/memory/5088-0-0x0000000000FB0000-0x00000000012D4000-memory.dmp
  yara_rule: family_quasar

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 1 IoCs)
  pid: 3536   Process: PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege   pid: 5088   Process: Mercuri Update.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 5088   Process: Mercuri Update.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process             procid_target
  PID 5088 wrote to memory of 3200   5088  Mercuri Update.exe  72
  PID 5088 wrote to memory of 3200   5088  Mercuri Update.exe  72
  PID 3200 wrote to memory of 4432   3200  cmd.exe             74
  PID 3200 wrote to memory of 4432   3200  cmd.exe             74
  PID 3200 wrote to memory of 3536   3200  cmd.exe             75
  PID 3200 wrote to memory of 3536   3200  cmd.exe             75
Processes

1. C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe"
   PID: 5088
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat" "
      PID: 3200
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\chcp.com
         command line: chcp 65001
         PID: 4432

      3. C:\Windows\system32\PING.EXE
         command line: ping -n 10 localhost
         PID: 3536
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 215B
MD5: aa450b4fd43f987a01d27ccef08c61cd
SHA1: 5bbeb936b0302ad3694c6d717c547dcfbcd62645
SHA256: 557ecc72766c3b881cc38771c193cf7ac7c664a600654cfba4c6bb436e6868fd
SHA512: 822f3fcbb07d075330b7faf590164437ead94b93c6709505e2a8f16e87dfb0b3e4ab33eb8fb4ac8b835deba7fb61457dcd7f73cb6512a9684c5cc9314ffcb163