Analysis

max time kernel: 145s
max time network: 141s
platform: windows7_x64
resource: win7-20231130-en
resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2023 10:23

Behavioral task: behavioral1
Sample: NEAS.MercuriUpdateexe.exe
Resource: win7-20231130-en
General

Target: NEAS.MercuriUpdateexe.exe
Size: 3.1MB
MD5: ba64b6ffbb3a484cd6b96f1077ac5347
SHA1: 653f030d369bc3f1377612cf8b372c9085986bd5
SHA256: 948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac
SHA512: be7d2a88f598a353fea7742ddedd52b50b682e7feda66fdee5e9b67167ff30c85a7a988353c227f7967d8eb64c2abc390cb85fe93cd0c2f5a73ddf877ce2f2f8
SSDEEP: 49152:yvKI22SsaNYfdPBldt698dBcjHdGRJ6rbR3LoGdFsDTHHB72eh2NT:yvn22SsaNYfdPBldt6+dBcjHdGRJ69
Malware Config

Extracted family: quasar
version: 1.4.1
tag: Office04 (the Quasar builder's default tag, so it says nothing about the operator)
c2: vxc-63595.portmap.host:63595 (portmap.host is a public port-forwarding service; the hostname and port are a tunnel endpoint, not the operator's own host)
mutex: 58e60463-4627-49ee-ab74-e0a77205c078 (the report shows this GUID without a label; Quasar uses a GUID as its mutex name, so it is treated as the mutex here)
encryption_key: D8EDBBB13B1FB3736A6D78215174358FE3F01386
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: Quasar Client Startup
subdirectory: SubDir

Host artefacts these values would produce once the client installs: a copy named Client.exe inside a SubDir folder under the chosen install root, and a Run-key value named "Quasar Client Startup" (Quasar's open-source client registers its startup key as a Run-key value). The report records neither; every launch in this run is from the original Temp path.
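What the encryption_key above is for, as an added example (not code from this report and not the Quasar project's own code): Quasar 1.4.x encrypts every embedded setting (hosts, install name, startup key, and so on) with a scheme its open-source client implements in an Aes256 helper: PBKDF2-HMAC-SHA1 over the master key with a fixed 32-byte salt and 50000 iterations, the first 32 derived bytes being the AES-256 key and the next 64 the HMAC-SHA256 key, and each setting stored as base64(HMAC || IV || AES-CBC ciphertext). The block below reimplements that routine in Python so the extracted key can be used to decrypt strings pulled from a client binary or memory dump. The salt and layout are from Quasar's source; the plaintexts encrypted in the demo are constructed from the values on this page; AES is taken from the third-party `cryptography` package, while key derivation and MAC verification use only the standard library.

```python
"""Quasar 1.4.x settings crypto (added example, not code from this report or
from the Quasar project). Mirrors the Aes256 helper in Quasar's open-source
client: PBKDF2-HMAC-SHA1 (fixed 32-byte salt, 50000 iterations) yields a
32-byte AES-256 key followed by a 64-byte HMAC-SHA256 key; each setting is
stored as base64(HMAC(32) || IV(16) || AES-CBC/PKCS7 ciphertext). The master
key is the encryption_key extracted above; plaintexts are constructed here.
AES comes from the third-party 'cryptography' package."""
import base64
import hashlib
import hmac
import os
from typing import Tuple

QUASAR_SALT = bytes([  # constant salt from Quasar's Aes256 class
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24,
    0x30, 0xA5, 0x78, 0x43, 0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
    0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41])
ITERATIONS = 50000
MAC_LEN, IV_LEN, BLOCK = 32, 16, 16
REPORT_KEY = "D8EDBBB13B1FB3736A6D78215174358FE3F01386"  # encryption_key above


def derive_keys(master_key: str) -> Tuple[bytes, bytes]:
    """(aes_key, auth_key). Rfc2898DeriveBytes.GetBytes(32) then GetBytes(64)
    return successive bytes of one PBKDF2 stream, so derive 96 and split."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"),
                                 QUASAR_SALT, ITERATIONS, 96)
    return stream[:32], stream[32:]


def split_blob(blob: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (mac, iv, ciphertext); reject blobs too short to be valid."""
    if len(blob) < MAC_LEN + IV_LEN + BLOCK:
        raise ValueError("blob shorter than HMAC || IV || one AES block")
    return blob[:MAC_LEN], blob[MAC_LEN:MAC_LEN + IV_LEN], blob[MAC_LEN + IV_LEN:]


def mac_is_valid(blob_b64: str, master_key: str) -> bool:
    """Constant-time check of HMAC-SHA256 over IV || ciphertext."""
    blob = base64.b64decode(blob_b64)
    mac, _, _ = split_blob(blob)
    _, auth_key = derive_keys(master_key)
    expected = hmac.new(auth_key, blob[MAC_LEN:], hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def aes_available() -> bool:
    try:
        import cryptography.hazmat.primitives.ciphers  # noqa: F401
        return True
    except ImportError:
        return False


def _cipher(key: bytes, iv: bytes):
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    return Cipher(algorithms.AES(key), modes.CBC(iv))


def _pad(data: bytes) -> bytes:  # PKCS7, as PaddingMode.PKCS7 in the client
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding")
    return data[:-n]


def encrypt_setting(plaintext: str, master_key: str) -> str:
    """Build a blob in the layout the client stores (what the builder does)."""
    aes_key, auth_key = derive_keys(master_key)
    iv = os.urandom(IV_LEN)
    enc = _cipher(aes_key, iv).encryptor()
    body = iv + enc.update(_pad(plaintext.encode("utf-8"))) + enc.finalize()
    mac = hmac.new(auth_key, body, hashlib.sha256).digest()
    return base64.b64encode(mac + body).decode("ascii")


def decrypt_setting(blob_b64: str, master_key: str) -> str:
    """Verify the MAC first, as the client does, then decrypt."""
    if not mac_is_valid(blob_b64, master_key):
        raise ValueError("invalid message authentication code")
    aes_key, _ = derive_keys(master_key)
    _, iv, ct = split_blob(base64.b64decode(blob_b64))
    dec = _cipher(aes_key, iv).decryptor()
    return _unpad(dec.update(ct) + dec.finalize()).decode("utf-8")


def flip_byte(blob_b64: str, index: int) -> str:
    """Corrupt one byte so the MAC check can be seen rejecting the blob."""
    raw = bytearray(base64.b64decode(blob_b64))
    raw[index] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    if aes_available():
        blob = encrypt_setting("vxc-63595.portmap.host:63595", REPORT_KEY)
        print(blob, "->", decrypt_setting(blob, REPORT_KEY))
        print("tampered blob accepted:", mac_is_valid(flip_byte(blob, 40), REPORT_KEY))
    else:
        print("cryptography not installed; AES key:", derive_keys(REPORT_KEY)[0].hex())
```

The MAC is checked before the ciphertext is touched, which is the order the client uses and the reason a wrong key or a modified blob fails cleanly rather than producing garbage; a decryptor that skips the MAC and trusts PKCS7 padding would instead raise on almost every wrong key and silently accept the rare one that happens to pad correctly.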
Signatures

Quasar payload (3 IoCs)
  YARA rule family_quasar matched in these memory regions:
  - behavioral1/memory/2856-0-0x0000000000870000-0x0000000000B94000-memory.dmp
  - behavioral1/memory/2480-13-0x0000000001160000-0x0000000001484000-memory.dmp
  - behavioral1/memory/1036-37-0x0000000001290000-0x00000000015B4000-memory.dmp
  Each region is 0x324000 bytes, about the 3.1MB size of the sample, which is consistent with the rule firing on the loaded sample image in three of the relaunched processes (PIDs 2856, 2480, 1036).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 7 IoCs)
  PING.EXE PIDs: 1616, 908, 2632, 2784, 2288, 2656, 600

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege enabled by NEAS.MercuriUpdateexe.exe, PIDs 2856, 2480, 2996, 1036, 1644, 624, 1856

Suspicious use of SetWindowsHookEx (7 IoCs)
  NEAS.MercuriUpdateexe.exe, PIDs 2856, 2480, 2996, 1036, 1644, 624, 1856

Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists each write three times, and every target is the child the source process had just created, so these are process-creation writes rather than injection into an unrelated process. Grouped by source, with the report's process index in parentheses:
  2856 NEAS.MercuriUpdateexe.exe -> 2468 (28)
  2468 cmd.exe                   -> 2616 (30), 2632 (31), 2480 (32)
  2480 NEAS.MercuriUpdateexe.exe -> 2416 (33)
  2416 cmd.exe                   -> 2624 (35), 2784 (36), 2996 (37)
  2996 NEAS.MercuriUpdateexe.exe -> 2140 (40)
  2140 cmd.exe                   -> 1552 (42), 2288 (43), 1036 (44)
  1036 NEAS.MercuriUpdateexe.exe -> 2008 (45)
  2008 cmd.exe                   -> 2684 (47), 2656 (48), 1644 (49)
  1644 NEAS.MercuriUpdateexe.exe -> 592 (50)
  592 cmd.exe                    -> 872 (52), 600 (53), 624 (54)
  624 NEAS.MercuriUpdateexe.exe  -> 3044 (55)
  3044 cmd.exe                   -> 840 (57), listed once because the table stops at 64 entries
Processes

The tree is one loop repeated until the analysis window ended: the sample runs cmd /c on a randomly named .bat in its own Temp folder; the batch switches the console to UTF-8 (chcp 65001), waits roughly nine seconds with ping -n 10 localhost, and starts the sample again from the same Temp path. That chcp/ping/relaunch sequence is the restart batch Quasar's open-source client writes, although the batch contents themselves are not shown in the report. Six relaunches are recorded; the seventh batch had reached ping when the run ended. No launch from a SubDir\Client.exe path appears, so the install step implied by the config never completed in this run.

The leading number is the depth the report assigns to each process; flags in square brackets are the signatures attached to it. The sample image is C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe; cmd.exe, chcp.com and PING.EXE are the copies in C:\Windows\system32.

1 NEAS.MercuriUpdateexe.exe (PID 2856)  "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"  [AdjustPrivilegeToken, SetWindowsHookEx, WriteProcessMemory]
  2 cmd.exe (PID 2468)  cmd /c ""C:\Users\Admin\AppData\Local\Temp\S2R2BLWcUaDD.bat" "  [WriteProcessMemory]
    3 chcp.com (PID 2616)  chcp 65001
    3 PING.EXE (PID 2632)  ping -n 10 localhost  [Runs ping.exe]
    3 NEAS.MercuriUpdateexe.exe (PID 2480)  "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"  [AdjustPrivilegeToken, SetWindowsHookEx, WriteProcessMemory]
      4 cmd.exe (PID 2416)  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TrV9Xr1pZud8.bat" "  [WriteProcessMemory]
        5 chcp.com (PID 2624)  chcp 65001
        5 PING.EXE (PID 2784)  ping -n 10 localhost  [Runs ping.exe]
        5 NEAS.MercuriUpdateexe.exe (PID 2996)  "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"  [AdjustPrivilegeToken, SetWindowsHookEx, WriteProcessMemory]
          6 cmd.exe (PID 2140)  cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMNXKLDpLZVw.bat" "  [WriteProcessMemory]
            7 chcp.com (PID 1552)  chcp 65001
            7 PING.EXE (PID 2288)  ping -n 10 localhost  [Runs ping.exe]
            7 NEAS.MercuriUpdateexe.exe (PID 1036)  "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"  [AdjustPrivilegeToken, SetWindowsHookEx, WriteProcessMemory]
              8 cmd.exe (PID 2008)  cmd /c ""C:\Users\Admin\AppData\Local\Temp\A7Peklf5aEuQ.bat" "  [WriteProcessMemory]
                9 chcp.com (PID 2684)  chcp 65001
                9 PING.EXE (PID 2656)  ping -n 10 localhost  [Runs ping.exe]
                9 NEAS.MercuriUpdateexe.exe (PID 1644)  "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"  [AdjustPrivilegeToken, SetWindowsHookEx, WriteProcessMemory]
                  10 cmd.exe (PID 592)  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYbG9ym1pIk1.bat" "  [WriteProcessMemory]
                    11 chcp.com (PID 872)  chcp 65001
                    11 PING.EXE (PID 600)  ping -n 10 localhost  [Runs ping.exe]
                    11 NEAS.MercuriUpdateexe.exe (PID 624)  "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"  [AdjustPrivilegeToken, SetWindowsHookEx, WriteProcessMemory]
                      12 cmd.exe (PID 3044)  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcGDNMQhfheA.bat" "  [WriteProcessMemory]
                        13 chcp.com (PID 840)  chcp 65001
                        13 PING.EXE (PID 1616)  ping -n 10 localhost  [Runs ping.exe]
                        13 NEAS.MercuriUpdateexe.exe (PID 1856)  "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"  [AdjustPrivilegeToken, SetWindowsHookEx]
                          14 cmd.exe (PID 944)  cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsgCDyBWTBVw.bat" "
                            15 chcp.com (PID 816)  chcp 65001
                            15 PING.EXE (PID 908)  ping -n 10 localhost  [Runs ping.exe]
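Detection logic for the chain above, as an added example (not part of the report): the batch names are random, so a rule should key on the behaviour instead, namely a cmd.exe running a .bat from Temp whose children are `chcp 65001` and `ping -n N localhost`, optionally followed by a relaunch of the image that spawned the cmd.exe. The process-creation events below are constructed from the PIDs, images and command lines in the tree; the event schema (pid, ppid, image, cmdline), the parent PID of the first sample process and the benign control case are assumptions for the demo.

```python
"""Detect the Temp-batch / chcp 65001 / ping -n N localhost / relaunch chain
seen in the process tree above. Added example, not part of the report; the
events are rebuilt from the tree and the schema is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
SYS32 = r"C:\Windows\system32"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (sample PID, cmd.exe PID, batch file, chcp PID, ping PID), in tree order.
REPORT_CHAIN = [
    (2856, 2468, "S2R2BLWcUaDD.bat", 2616, 2632),
    (2480, 2416, "TrV9Xr1pZud8.bat", 2624, 2784),
    (2996, 2140, "yMNXKLDpLZVw.bat", 1552, 2288),
    (1036, 2008, "A7Peklf5aEuQ.bat", 2684, 2656),
    (1644, 592, "KYbG9ym1pIk1.bat", 872, 600),
    (624, 3044, "qcGDNMQhfheA.bat", 840, 1616),
    (1856, 944, "IsgCDyBWTBVw.bat", 816, 908),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RestartHit:
    cmd_pid: int
    batch: str
    parent_image: Optional[str]
    relaunch_pid: Optional[int]  # None when the chain stops at ping


def build_report_events() -> List[ProcEvent]:
    """Flatten the report's tree into process-creation events (constructed)."""
    events = [ProcEvent(REPORT_CHAIN[0][0], 0, SAMPLE, f'"{SAMPLE}"')]  # ppid 0: not in report
    for i, (spid, cpid, bat, chcp_pid, ping_pid) in enumerate(REPORT_CHAIN):
        events += [
            ProcEvent(cpid, spid, SYS32 + r"\cmd.exe", f'cmd /c ""{TEMP}\\{bat}" "'),
            ProcEvent(chcp_pid, cpid, SYS32 + r"\chcp.com", "chcp 65001"),
            ProcEvent(ping_pid, cpid, SYS32 + r"\PING.EXE", "ping -n 10 localhost"),
        ]
        if i + 1 < len(REPORT_CHAIN):  # the batch relaunches the sample
            events.append(ProcEvent(REPORT_CHAIN[i + 1][0], cpid, SAMPLE, f'"{SAMPLE}"'))
    return events


BAT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\\Temp\\[^"\\]+\.bat)', re.I)
PING_RE = re.compile(r'\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.I)


def _is(image: str, name: str) -> bool:
    return image.lower().endswith("\\" + name.lower())


def find_restart_chains(events: List[ProcEvent]) -> List[RestartHit]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    hits = []
    for cmd in events:
        if not _is(cmd.image, "cmd.exe"):
            continue
        m = BAT_RE.search(cmd.cmdline)
        if not m:
            continue
        kids = children[cmd.pid]
        sets_utf8 = any(_is(k.image, "chcp.com") and "65001" in k.cmdline for k in kids)
        sleeps = any(_is(k.image, "ping.exe") and PING_RE.search(k.cmdline) for k in kids)
        if not (sets_utf8 and sleeps):
            continue
        parent = by_pid.get(cmd.ppid)
        relaunch = next((k for k in kids
                         if parent and k.image.lower() == parent.image.lower()), None)
        hits.append(RestartHit(cmd.pid, m.group(1), parent.image if parent else None,
                               relaunch.pid if relaunch else None))
    return hits


def benign_events() -> List[ProcEvent]:
    """Constructed control case: a Temp batch that only switches code page."""
    return [
        ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent(101, 100, SYS32 + r"\cmd.exe", f'cmd /c "{TEMP}\\setup.bat"'),
        ProcEvent(102, 101, SYS32 + r"\chcp.com", "chcp 65001"),
    ]


if __name__ == "__main__":
    for h in find_restart_chains(build_report_events()):
        print(f"cmd.exe {h.cmd_pid}: {h.batch} -> relaunch {h.relaunch_pid}")
    print("benign hits:", len(find_restart_chains(benign_events())))
```

Run against the rebuilt events it reports seven batch chains, six of them ending in a relaunch of the parent image and the last one open-ended, and nothing for the control case. In an EDR the same three conditions translate directly into a parent/child correlation on cmd.exe; the relaunch-of-grandparent condition is the strongest of the three and is worth alerting on even without the chcp line, since benign installers rarely restart their own parent from a Temp batch.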
MITRE ATT&CK Enterprise v15
Downloads

Seven dropped files of 218 bytes each; the report gives hashes only, without paths. The count matches the seven .bat files in the process tree, but the page does not pair any hash with a batch name. Identical sizes with distinct hashes are what scripts that differ only in their own random filename would look like.

1. 218B
   MD5 5e50c45aaa4e2fc87e7a509ba107b344
   SHA1 fc7900618efd82b33935e8b5aec36e5dfc05f212
   SHA256 2a993fb021001616df1d7ce2efe5515183e65671d3f5c2b006448941431b9014
   SHA512 160f1b9cca31c15d37b1432903f51f2a1fc66c624661679efbd14fc435a11fe4d55df15cc345a744ace4832db0ab80bbb24f4659120d7b0e53fa7c2c7cf51f05

2. 218B
   MD5 2665e99d44fba1d2fb27c947e6e27b01
   SHA1 743957e3249f85c25a879b1e49cf7355de10ca61
   SHA256 2494d8997a85ac1e81e65624eb3a8ca34bfc29e7bd89d62ff1a850ef14828dd1
   SHA512 bfc580bb9064ce6935ba41e457125d290d0aa42a19cf1a2e108e9d43a1b4ff9621578e5184d8443b55a88accb916dd61c4e1a3769d4da7ef51836d9812e264b8

3. 218B
   MD5 c26e9aa85298f9019464f53aacd00165
   SHA1 37ca9be323e1b538ccec8befa4ee171c6241275b
   SHA256 f35a61c63750e794921268099acfa7cf12f614edbf23378996d63e741c70e7b7
   SHA512 52233d02611684d7daa552728c40f40554e43cf6064349ee3075559cea1382c9793472f071e454f42b0ef9e5ce047a236300c30f7d4a91c269253ba08055fcf0

4. 218B
   MD5 438bf0d4208407ee2b6faddebd13f5c2
   SHA1 9dcbf43cfea1089b76a6f150a3f83b947cc8da5f
   SHA256 6575fafaa661fd6effecee1a812ad9d85f22e068530840120105b80822009e42
   SHA512 b3902118235386ad94bf7c230a3d5a5cf758ed57c9ddf92894b46cb978cd82ee4d1133283b7bcfcd8d7b21dab9fbbb98908cb8a5858afc08874796cbe5c29a3a

5. 218B
   MD5 8b3fd2313c02cb7d888981bea63eea9b
   SHA1 8e5b214d7cb73d4189cc944ec539cff82c40cc05
   SHA256 ba51306e94771a87f242e4095974760d4ab7177d3fbd3fdba829d5fd4f6a5436
   SHA512 678668696f7ac1646eaf8bc5c0a9235019189265976c4d13a27ab8dc5766f14f0f33954403d25cc68b173da08c40257e8d10e924b594c4974ed4ec602c93fafd

6. 218B
   MD5 6e4285f9c6f2788cf46b36a7b196e8df
   SHA1 054edd72e35eb4148d1932048923578f9c25470b
   SHA256 e01c38fc03a6ae67438667f3197023bf5c676970b2c1a335481656753a320e08
   SHA512 893c5edf67248bde0437df15faeb62861bd1a2ee0b4d07945eee77e1e5cacea7313f9f5fde850b41907ea684b5a3b4d989958f94038a489291486d29d7028f41

7. 218B
   MD5 cdaf4f4f4e959846d729a854c84a602a
   SHA1 80c660c4fa94177c9ed76a0d55b0a7a75d650cb7
   SHA256 d6e843dd38906c0ca2c9ef0ad4088b184eff1253c54a5485b33accc628451ffa
   SHA512 54716c5f3a9025da5b2730f47e37c29a3109e11c4a1a5b5bde7c0f5d9b8817b3265eccd5879d5e18a58faf856f7aad1369666057b52c3b44b280f8b0aaafb162