Analysis Overview
SHA256
948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac
Threat Level: Known bad
The file Mercuri Update.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-02 05:01
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-02 05:01
Reported
2023-12-02 05:15
Platform
win10-20231023-en
Max time kernel
125s
Max time network
130s
Signatures
Quasar RAT
Quasar payload
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5088 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe | C:\Windows\system32\cmd.exe |
| PID 5088 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe | C:\Windows\system32\cmd.exe |
| PID 3200 wrote to memory of 4432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 3200 wrote to memory of 4432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 3200 wrote to memory of 3536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 3200 wrote to memory of 3536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes (parent/child relations and PIDs as recorded in the WriteProcessMemory signature above)
C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe (PID 5088)
  "C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe"
  C:\Windows\system32\cmd.exe (PID 3200)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat" "
    C:\Windows\system32\chcp.com (PID 4432)
      chcp 65001
    C:\Windows\system32\PING.EXE (PID 3536)
      ping -n 10 localhost
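The process chain in this report (a Temp-dropped executable launching cmd.exe on a Temp .bat, which runs chcp 65001 and then ping -n 10 localhost, the batch-file idiom for sleeping roughly nine seconds without a sleep command) is a usable detection pattern on its own. The following is an added example of that detection, not part of the sandbox output or of any vendor's rule set: it walks constructed Sysmon-style process-creation records (the field names and the two benign noise events are assumptions; the PIDs, images and command lines of the malicious chain are copied from the report) and reports each cmd.exe that ran a Temp batch file and spawned a ping-to-localhost sleep, along with whether chcp 65001 ran and whether the parent lives in the user's Temp directory.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; this field set is an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample log. The first four events reproduce the chain in the report above
# (PIDs 5088/3200/4432/3536); the last two are benign noise added to show the rule
# does not fire on an ordinary ping from cmd.exe. PPID 1000 for the root is assumed.
SAMPLE_EVENTS = [
    ProcEvent(5088, 1000, r"C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe"'),
    ProcEvent(3200, 5088, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat" "'),
    ProcEvent(4432, 3200, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(3536, 3200, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(7000, 1000, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c ping -n 1 8.8.8.8"),
    ProcEvent(7001, 7000, r"C:\Windows\system32\PING.EXE", "ping -n 1 8.8.8.8"),
]

# cmd.exe given a batch file that sits in the user's Temp directory
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.IGNORECASE)
# "ping -n N localhost": N pings one second apart, i.e. a sleep of about N-1 seconds
PING_SLEEP = re.compile(
    r'^(?:.*\\)?ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.IGNORECASE)


def find_ping_sleep_batches(events, min_pings=2):
    """Return one finding per cmd.exe that ran a Temp .bat and spawned a ping-to-localhost sleep.

    A Temp batch file by itself is weak evidence, so the rule keys on the child ping with a
    count of at least min_pings; a single ping to localhost is not a delay loop.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for cmd in events:
        if not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        bat = TEMP_BAT.search(cmd.cmdline)
        if bat is None:
            continue
        kids = children.get(cmd.pid, [])
        ping = None
        for k in kids:
            m = PING_SLEEP.match(k.cmdline)
            if m and int(m.group(1)) >= min_pings:
                ping = (k, int(m.group(1)))
                break
        if ping is None:
            continue
        parent = by_pid.get(cmd.ppid)
        findings.append({
            "cmd_pid": cmd.pid,
            "batch_file": bat.group(0),
            "parent_image": parent.image if parent else None,
            # an unsigned parent dropped in Temp (as here) makes the chain far more suspicious
            "parent_in_temp": parent is not None
                              and "\\appdata\\local\\temp\\" in parent.image.lower(),
            "ping_pid": ping[0].pid,
            "ping_count": ping[1],
            # chcp 65001 switches the console to UTF-8 before the batch runs its real work
            "chcp_utf8": any(k.image.lower().endswith("\\chcp.com") and "65001" in k.cmdline
                             for k in kids),
        })
    return findings


if __name__ == "__main__":
    for finding in find_ping_sleep_batches(SAMPLE_EVENTS):
        print(finding)
```

The rule is deliberately narrow: it requires the Temp batch file and the multi-second localhost ping together, so ordinary connectivity checks from cmd.exe do not fire, and it surfaces the parent image so an analyst can pivot straight to the dropper. Tune min_pings upward if legitimate installer scripts in your environment use short ping delays.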
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vxc-63595.portmap.host | udp |
| DE | 193.161.193.99:63595 | vxc-63595.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/5088-0-0x0000000000FB0000-0x00000000012D4000-memory.dmp
memory/5088-1-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp
memory/5088-2-0x000000001C060000-0x000000001C070000-memory.dmp
memory/5088-3-0x000000001BFE0000-0x000000001C030000-memory.dmp
memory/5088-4-0x000000001C430000-0x000000001C4E2000-memory.dmp
memory/5088-7-0x000000001C3B0000-0x000000001C3C2000-memory.dmp
memory/5088-8-0x000000001D120000-0x000000001D15E000-memory.dmp
memory/5088-9-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp
memory/5088-14-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat
| MD5 | aa450b4fd43f987a01d27ccef08c61cd |
| SHA1 | 5bbeb936b0302ad3694c6d717c547dcfbcd62645 |
| SHA256 | 557ecc72766c3b881cc38771c193cf7ac7c664a600654cfba4c6bb436e6868fd |
| SHA512 | 822f3fcbb07d075330b7faf590164437ead94b93c6709505e2a8f16e87dfb0b3e4ab33eb8fb4ac8b835deba7fb61457dcd7f73cb6512a9684c5cc9314ffcb163 |