Analysis

max time kernel: 145s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20231201-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2023 10:23

Behavioral task: behavioral1
Sample: NEAS.MercuriUpdateexe.exe
Resource: win7-20231130-en
General

Target: NEAS.MercuriUpdateexe.exe
Size: 3.1MB
MD5: ba64b6ffbb3a484cd6b96f1077ac5347
SHA1: 653f030d369bc3f1377612cf8b372c9085986bd5
SHA256: 948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac
SHA512: be7d2a88f598a353fea7742ddedd52b50b682e7feda66fdee5e9b67167ff30c85a7a988353c227f7967d8eb64c2abc390cb85fe93cd0c2f5a73ddf877ce2f2f8
SSDEEP: 49152:yvKI22SsaNYfdPBldt698dBcjHdGRJ6rbR3LoGdFsDTHHB72eh2NT:yvn22SsaNYfdPBldt6+dBcjHdGRJ69
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Office04
C2: vxc-63595.portmap.host:63595
Mutex: 58e60463-4627-49ee-ab74-e0a77205c078
encryption_key: D8EDBBB13B1FB3736A6D78215174358FE3F01386
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
resource: behavioral2/memory/5100-0-0x00000000000B0000-0x00000000003D4000-memory.dmp
yara_rule: family_quasar

Checks computer location settings (2 TTPs, 8 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation
Process: NEAS.MercuriUpdateexe.exe
(the report lists this identical entry 8 times, each attributed to NEAS.MercuriUpdateexe.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 8 IoCs)
pid   Process
5116  PING.EXE
3460  PING.EXE
5112  PING.EXE
4884  PING.EXE
1680  PING.EXE
1432  PING.EXE
4140  PING.EXE
1816  PING.EXE

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  5100  NEAS.MercuriUpdateexe.exe
Token: SeDebugPrivilege  3216  NEAS.MercuriUpdateexe.exe
Token: SeDebugPrivilege  3592  NEAS.MercuriUpdateexe.exe
Token: SeDebugPrivilege  2976  NEAS.MercuriUpdateexe.exe
Token: SeDebugPrivilege  4076  NEAS.MercuriUpdateexe.exe
Token: SeDebugPrivilege  1304  NEAS.MercuriUpdateexe.exe
Token: SeDebugPrivilege  2216  NEAS.MercuriUpdateexe.exe
Token: SeDebugPrivilege  2920  NEAS.MercuriUpdateexe.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid   Process
5100  NEAS.MercuriUpdateexe.exe
3592  NEAS.MercuriUpdateexe.exe
2976  NEAS.MercuriUpdateexe.exe
4076  NEAS.MercuriUpdateexe.exe
2216  NEAS.MercuriUpdateexe.exe
2920  NEAS.MercuriUpdateexe.exe

Suspicious use of WriteProcessMemory (62 IoCs)
Each write below is recorded twice in the report (62 rows for 31 distinct parent/child pairs); columns are pid, Process, target pid, procid_target.
5100  NEAS.MercuriUpdateexe.exe  wrote to memory of 4836  (procid_target 89)
4836  cmd.exe                    wrote to memory of 3140  (procid_target 91)
4836  cmd.exe                    wrote to memory of 4140  (procid_target 92)
4836  cmd.exe                    wrote to memory of 3216  (procid_target 93)
3216  NEAS.MercuriUpdateexe.exe  wrote to memory of 4544  (procid_target 94)
4544  cmd.exe                    wrote to memory of 952   (procid_target 96)
4544  cmd.exe                    wrote to memory of 1816  (procid_target 97)
4544  cmd.exe                    wrote to memory of 3592  (procid_target 100)
3592  NEAS.MercuriUpdateexe.exe  wrote to memory of 3152  (procid_target 102)
3152  cmd.exe                    wrote to memory of 4320  (procid_target 104)
3152  cmd.exe                    wrote to memory of 5116  (procid_target 105)
3152  cmd.exe                    wrote to memory of 2976  (procid_target 106)
2976  NEAS.MercuriUpdateexe.exe  wrote to memory of 2088  (procid_target 107)
2088  cmd.exe                    wrote to memory of 2260  (procid_target 109)
2088  cmd.exe                    wrote to memory of 3460  (procid_target 110)
2088  cmd.exe                    wrote to memory of 4076  (procid_target 111)
4076  NEAS.MercuriUpdateexe.exe  wrote to memory of 4488  (procid_target 112)
4488  cmd.exe                    wrote to memory of 636   (procid_target 114)
4488  cmd.exe                    wrote to memory of 5112  (procid_target 115)
4488  cmd.exe                    wrote to memory of 1304  (procid_target 116)
1304  NEAS.MercuriUpdateexe.exe  wrote to memory of 2040  (procid_target 117)
2040  cmd.exe                    wrote to memory of 4804  (procid_target 119)
2040  cmd.exe                    wrote to memory of 4884  (procid_target 120)
2040  cmd.exe                    wrote to memory of 2216  (procid_target 121)
2216  NEAS.MercuriUpdateexe.exe  wrote to memory of 2160  (procid_target 122)
2160  cmd.exe                    wrote to memory of 3756  (procid_target 124)
2160  cmd.exe                    wrote to memory of 1680  (procid_target 125)
2160  cmd.exe                    wrote to memory of 2920  (procid_target 126)
2920  NEAS.MercuriUpdateexe.exe  wrote to memory of 3980  (procid_target 127)
3980  cmd.exe                    wrote to memory of 3248  (procid_target 129)
3980  cmd.exe                    wrote to memory of 1432  (procid_target 130)
Processes
(indentation shows the parent/child relationship; the leading number is the depth level given in the report)

1 PID 5100  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  2 PID 4836  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98zRC8TAHlkX.bat" "
    - Suspicious use of WriteProcessMemory
    3 PID 3140  C:\Windows\system32\chcp.com
      command line: chcp 65001
    3 PID 4140  C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      - Runs ping.exe
    3 PID 3216  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 PID 4544  C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z9u6DGjlX354.bat" "
        - Suspicious use of WriteProcessMemory
        5 PID 952  C:\Windows\system32\chcp.com
          command line: chcp 65001
        5 PID 1816  C:\Windows\system32\PING.EXE
          command line: ping -n 10 localhost
          - Runs ping.exe
        5 PID 3592  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
          - Checks computer location settings
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          6 PID 3152  C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1DsXpcHar4Qs.bat" "
            - Suspicious use of WriteProcessMemory
            7 PID 4320  C:\Windows\system32\chcp.com
              command line: chcp 65001
            7 PID 5116  C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              - Runs ping.exe
            7 PID 2976  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
              - Checks computer location settings
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              8 PID 2088  C:\Windows\system32\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ENGNg6ID3ZyV.bat" "
                - Suspicious use of WriteProcessMemory
                9 PID 2260  C:\Windows\system32\chcp.com
                  command line: chcp 65001
                9 PID 3460  C:\Windows\system32\PING.EXE
                  command line: ping -n 10 localhost
                  - Runs ping.exe
                9 PID 4076  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
                  - Checks computer location settings
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  10 PID 4488  C:\Windows\system32\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwqHydeU2bQc.bat" "
                    - Suspicious use of WriteProcessMemory
                    11 PID 636  C:\Windows\system32\chcp.com
                      command line: chcp 65001
                    11 PID 5112  C:\Windows\system32\PING.EXE
                      command line: ping -n 10 localhost
                      - Runs ping.exe
                    11 PID 1304  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
                      command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
                      - Checks computer location settings
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      12 PID 2040  C:\Windows\system32\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jugJMDsBbfgp.bat" "
                        - Suspicious use of WriteProcessMemory
                        13 PID 4804  C:\Windows\system32\chcp.com
                          command line: chcp 65001
                        13 PID 4884  C:\Windows\system32\PING.EXE
                          command line: ping -n 10 localhost
                          - Runs ping.exe
                        13 PID 2216  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
                          command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
                          - Checks computer location settings
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of SetWindowsHookEx
                          - Suspicious use of WriteProcessMemory
                          14 PID 2160  C:\Windows\system32\cmd.exe
                            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GE1Xkf6xXcOy.bat" "
                            - Suspicious use of WriteProcessMemory
                            15 PID 3756  C:\Windows\system32\chcp.com
                              command line: chcp 65001
                            15 PID 1680  C:\Windows\system32\PING.EXE
                              command line: ping -n 10 localhost
                              - Runs ping.exe
                            15 PID 2920  C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
                              command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
                              - Checks computer location settings
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of SetWindowsHookEx
                              - Suspicious use of WriteProcessMemory
                              16 PID 3980  C:\Windows\system32\cmd.exe
                                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUQ3xRLcM4LP.bat" "
                                - Suspicious use of WriteProcessMemory
                                17 PID 3248  C:\Windows\system32\chcp.com
                                  command line: chcp 65001
                                17 PID 1432  C:\Windows\system32\PING.EXE
                                  command line: ping -n 10 localhost
                                  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads