Analysis

  • max time kernel
    125s
  • max time network
    130s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-12-2023 05:01

General

  • Target

    Mercuri Update.exe

  • Size

    3.1MB

  • MD5

    ba64b6ffbb3a484cd6b96f1077ac5347

  • SHA1

    653f030d369bc3f1377612cf8b372c9085986bd5

  • SHA256

    948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac

  • SHA512

    be7d2a88f598a353fea7742ddedd52b50b682e7feda66fdee5e9b67167ff30c85a7a988353c227f7967d8eb64c2abc390cb85fe93cd0c2f5a73ddf877ce2f2f8

  • SSDEEP

    49152:yvKI22SsaNYfdPBldt698dBcjHdGRJ6rbR3LoGdFsDTHHB72eh2NT:yvn22SsaNYfdPBldt6+dBcjHdGRJ69

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

vxc-63595.portmap.host:63595

Mutex

58e60463-4627-49ee-ab74-e0a77205c078

Attributes
  • encryption_key

    D8EDBBB13B1FB3736A6D78215174358FE3F01386

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4432
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:3536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat

      Filesize

      215B

      MD5

      aa450b4fd43f987a01d27ccef08c61cd

      SHA1

      5bbeb936b0302ad3694c6d717c547dcfbcd62645

      SHA256

      557ecc72766c3b881cc38771c193cf7ac7c664a600654cfba4c6bb436e6868fd

      SHA512

      822f3fcbb07d075330b7faf590164437ead94b93c6709505e2a8f16e87dfb0b3e4ab33eb8fb4ac8b835deba7fb61457dcd7f73cb6512a9684c5cc9314ffcb163

    • memory/5088-0-0x0000000000FB0000-0x00000000012D4000-memory.dmp

      Filesize

      3.1MB

    • memory/5088-1-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp

      Filesize

      9.9MB

    • memory/5088-2-0x000000001C060000-0x000000001C070000-memory.dmp

      Filesize

      64KB

    • memory/5088-3-0x000000001BFE0000-0x000000001C030000-memory.dmp

      Filesize

      320KB

    • memory/5088-4-0x000000001C430000-0x000000001C4E2000-memory.dmp

      Filesize

      712KB

    • memory/5088-7-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

      Filesize

      72KB

    • memory/5088-8-0x000000001D120000-0x000000001D15E000-memory.dmp

      Filesize

      248KB

    • memory/5088-9-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp

      Filesize

      9.9MB

    • memory/5088-14-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp

      Filesize

      9.9MB