Analysis

max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20231130-en
resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2023 15:09
Behavioral task: behavioral1
Sample: bSee.exe
Resource: win7-20231130-en
General

Target: bSee.exe
Size: 348KB
MD5: 629cefe795be0f1fd1ae952cc1eb79de
SHA1: faedb770efe20006272183a5f6e4c99e39754c12
SHA256: d47e620d1c305da86a151ae4e615aedcb53448c66808998251b407831d8f669b
SHA512: 0d774ce706def61a647b02bad28e76ef1d16475ac0b89faf50901b0496fe46e730f857eb8755dc6880fbf0f7e119518cc0dd67d930c7037bb2d3f6b75d0fb5af
SSDEEP: 6144:izNHXf500MJb3+/8baFioEbNX3OaHZ77T4RRC:8d50XLo+5XT4RRC
Malware Config

Extracted

family: quasar
version: 1.3.0.0
campaign tag: Office04
C2: nodetecton.ddns.net:5552
mutex: QSR_MUTEX_PV7LCoiUmiwD1RBPCq
encryption_key: eZUVZ8omJzgRh5woZARI
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)

resource                                                                    yara_rule
behavioral1/memory/2152-0-0x0000000000D70000-0x0000000000DCE000-memory.dmp  family_quasar
behavioral1/memory/2216-14-0x0000000000D70000-0x0000000000DCE000-memory.dmp family_quasar
behavioral1/memory/2188-28-0x0000000000E10000-0x0000000000E6E000-memory.dmp family_quasar
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow  ioc
6     api.ipify.org
8     ip-api.com
10    api.ipify.org
12    ip-api.com
2     ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 2 IoCs)

pid   Process
2716  PING.EXE
1712  PING.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)

description              pid   Process
Token: SeDebugPrivilege  2152  bSee.exe
Token: SeDebugPrivilege  2216  bSee.exe
Token: SeDebugPrivilege  2188  bSee.exe
Suspicious use of WriteProcessMemory (32 IoCs; 8 distinct write relations, each recorded 4 times)

description                       pid   Process   procid_target
PID 2152 wrote to memory of 2520  2152  bSee.exe  31
PID 2520 wrote to memory of 2704  2520  cmd.exe   33
PID 2520 wrote to memory of 2716  2520  cmd.exe   34
PID 2520 wrote to memory of 2216  2520  cmd.exe   35
PID 2216 wrote to memory of 2368  2216  bSee.exe  36
PID 2368 wrote to memory of 940   2368  cmd.exe   38
PID 2368 wrote to memory of 1712  2368  cmd.exe   39
PID 2368 wrote to memory of 2188  2368  cmd.exe   40
Processes

C:\Users\Admin\AppData\Local\Temp\bSee.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\bSee.exe"
    PID: 2152
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWMigcC5EOGm.bat" "
        PID: 2520
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
            PID: 2704

        C:\Windows\SysWOW64\PING.EXE
            command line: ping -n 10 localhost
            PID: 2716
            - Runs ping.exe

        C:\Users\Admin\AppData\Local\Temp\bSee.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\bSee.exe"
            PID: 2216
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
                command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\G12e28CnefKZ.bat" "
                PID: 2368
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\chcp.com
                    command line: chcp 65001
                    PID: 940

                C:\Windows\SysWOW64\PING.EXE
                    command line: ping -n 10 localhost
                    PID: 1712
                    - Runs ping.exe

                C:\Users\Admin\AppData\Local\Temp\bSee.exe
                    command line: "C:\Users\Admin\AppData\Local\Temp\bSee.exe"
                    PID: 2188
                    - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Downloads
Filesize: 201B
MD5: fa3a07a7016ec1129c111c02d2e00eef
SHA1: 4c22695e4e807a403a830835afdd04f730d56437
SHA256: 923538176eb63cd36d3ae2453443f10b3103be940ae8968074acf87b5bd55442
SHA512: 521c9e3e3e3fcc627420d67d3a1f8ad04c32141b36d4b030dbf0fcd3714cd4256727f49a496d4bc45f0e65075c60e00dbe240245ba96fc4fea02b5ddaba14df4
Filesize: 201B
MD5: 4dc76c3377b620a56ee5078c0a9cb6af
SHA1: 5d725ccad6a8061fc3e10412e4029280d072deb9
SHA256: 8854f4ee91da04aaaf99aa72deb0352f2fbea4ccf408b254953aa2c33903e77e
SHA512: 9b015c49079df55db5f4ae17f67876fb72c3a333ae080d85dce0cebd7b8030f245ec37d2043959d549a25170cfef98994791bdb3701de06ee1a1002595864ef4