Analysis
Max time kernel: 150s
Max time network: 148s
Platform: windows7_x64
Resource: win7-20231201-en
Resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
Submitted: 02-12-2023 15:08
Behavioral task: behavioral1
Sample: bSee.exe
Resource: win7-20231201-en
General
Target: bSee.exe
Size: 348KB
MD5: 629cefe795be0f1fd1ae952cc1eb79de
SHA1: faedb770efe20006272183a5f6e4c99e39754c12
SHA256: d47e620d1c305da86a151ae4e615aedcb53448c66808998251b407831d8f669b
SHA512: 0d774ce706def61a647b02bad28e76ef1d16475ac0b89faf50901b0496fe46e730f857eb8755dc6880fbf0f7e119518cc0dd67d930c7037bb2d3f6b75d0fb5af
SSDEEP: 6144:izNHXf500MJb3+/8baFioEbNX3OaHZ77T4RRC:8d50XLo+5XT4RRC
Malware Config
Extracted family: quasar
Version: 1.3.0.0
Tag: Office04
C2: nodetecton.ddns.net:5552
Mutex: QSR_MUTEX_PV7LCoiUmiwD1RBPCq
encryption_key: eZUVZ8omJzgRh5woZARI
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
  resource: behavioral1/memory/1640-0-0x0000000000020000-0x000000000007E000-memory.dmp  yara_rule: family_quasar
  resource: behavioral1/memory/1848-14-0x0000000001220000-0x000000000127E000-memory.dmp  yara_rule: family_quasar
  resource: behavioral1/memory/1496-29-0x0000000001220000-0x000000000127E000-memory.dmp  yara_rule: family_quasar

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: ip-api.com
  flow 6: api.ipify.org
  flow 8: ip-api.com
  flow 10: api.ipify.org
  flow 12: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 2 IoCs)
  pid 2648: PING.EXE
  pid 2296: PING.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 1640  bSee.exe
  Token: SeDebugPrivilege  pid 1848  bSee.exe
  Token: SeDebugPrivilege  pid 1496  bSee.exe

Suspicious use of WriteProcessMemory (32 IoCs; each line below was recorded 4 times)
  PID 1640 (bSee.exe) wrote to memory of PID 2568  procid_target 31
  PID 2568 (cmd.exe) wrote to memory of PID 2616  procid_target 33
  PID 2568 (cmd.exe) wrote to memory of PID 2648  procid_target 34
  PID 2568 (cmd.exe) wrote to memory of PID 1848  procid_target 35
  PID 1848 (bSee.exe) wrote to memory of PID 1896  procid_target 36
  PID 1896 (cmd.exe) wrote to memory of PID 1740  procid_target 38
  PID 1896 (cmd.exe) wrote to memory of PID 2296  procid_target 39
  PID 1896 (cmd.exe) wrote to memory of PID 1496  procid_target 40
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\bSee.exe  (PID 1640)
  command line: "C:\Users\Admin\AppData\Local\Temp\bSee.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2568)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pFtLFvLBa3ZG.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com  (PID 2616)
      command line: chcp 65001

    C:\Windows\SysWOW64\PING.EXE  (PID 2648)
      command line: ping -n 10 localhost
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\bSee.exe  (PID 1848)
      command line: "C:\Users\Admin\AppData\Local\Temp\bSee.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 1896)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uRlhpQVuyEQZ.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com  (PID 1740)
          command line: chcp 65001

        C:\Windows\SysWOW64\PING.EXE  (PID 2296)
          command line: ping -n 10 localhost
          - Runs ping.exe

        C:\Users\Admin\AppData\Local\Temp\bSee.exe  (PID 1496)
          command line: "C:\Users\Admin\AppData\Local\Temp\bSee.exe"
          - Suspicious use of AdjustPrivilegeToken
Downloads

Dropped file
  Filesize: 201B
  MD5: 0115c0f61b78219b7c53994dd7efbc40
  SHA1: 669521deacdd15c81098dd4d2d67049eebbe98a2
  SHA256: ead907f8aadbb143cf22a393bbaf19bb369a9cb041195726eb1bff9a476aa467
  SHA512: ee9d5373c5319ca47be96fe1eacac0eee6238c577045701711873fc1039896d940e56304522ae2e38fcb0a2bb7f797c172bd76cb828ce90b5896eb971ebd34e1
Dropped file
  Filesize: 201B
  MD5: c6e5f13489731f3b0e106a6d628ba419
  SHA1: 6ca0fc67ef2c4923bd6148aa63dfd73efc02a64c
  SHA256: a83c3d6ab33c01b54c99c309fbb68feb6113546e348b261ecd05d7ab6d4ff041
  SHA512: 862eeda7c906a6d024908a71a28a4a0846fb96d2a7dfd0c2388772f9cefa8f8be09f3bf6286ccc2180a9b174be1524d580a55c6358726bec2ee44f576e1f73ef