Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231201-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2023 02:15
Static task: static1
Behavioral task: behavioral1
Sample: aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe
Resource: win7-20231023-en
Note: the task card lists the win7-20231023-en run (behavioral1), but the header platform is windows10-2004_x64 and every signature hit below is tagged behavioral2, so the results on this page are from the Windows 10 run.
General
Target: aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe
Size: 155.0MB
MD5: 64282b6b4d579449c2ad7799f06f86b6
SHA1: 2b468af1d1a656d666d8137cb1ca42476d975643
SHA256: aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c
SHA512: 1474b425d80eae5507d76235ff08dde303d1d4ef8287ef408621530fe9ae7983a5face388968b078671b6db0bc85053e80a600eeaafddd67b7b980ded9579977
SSDEEP: 1572864:gFysNpDQKKr7VskunAMTp9d6vN2EzzyPsYpeU9EK:g4snQ/rxsnnAw6vUEzlYB
Malware Config
Extracted
family: quasar
version: 1.4.1
tag: Office04
c2: 192.168.10.145:4782
mutex: 4f9fc524-eb7d-412c-82e9-60d973f2e68b
encryption_key: 25C16D5BA2F06B33ED6B1D041FCCCC89A74FFA91
install_name: System32.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Note: the C2 192.168.10.145 is an RFC 1918 private address, so this client can only reach its operator from inside that LAN (or a lab); there is no public infrastructure to block, and the file hashes, the install path C:\Windows\system32\SubDir\System32.exe and the startup key name are the indicators worth hunting on. Office04, SubDir, Logs, Quasar Client Startup and the 3000 ms reconnect delay are the Quasar builder's default values; only the install name and the C2 were changed from defaults.
Signatures

Quasar payload (6 IoCs)
resource: behavioral2/files/0x00080000000231e9-7.dat  yara_rule: family_quasar
resource: behavioral2/files/0x00080000000231e9-12.dat  yara_rule: family_quasar
resource: behavioral2/files/0x00080000000231e9-13.dat  yara_rule: family_quasar
resource: behavioral2/memory/5112-14-0x0000000000810000-0x0000000000B34000-memory.dmp  yara_rule: family_quasar
resource: behavioral2/files/0x00080000000231f9-21.dat  yara_rule: family_quasar
resource: behavioral2/files/0x00080000000231f9-20.dat  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation
process: aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe

Executes dropped EXE (3 IoCs)
pid 5112  wwwwwww.exe
pid 3976  System32.exe
pid 1996  NovaInstaller.exe

Loads dropped DLL (3 IoCs)
pid 1996  NovaInstaller.exe
pid 1996  NovaInstaller.exe
pid 1996  NovaInstaller.exe

Drops file in System32 directory (5 IoCs)
File created: C:\Windows\system32\SubDir\System32.exe  (process: wwwwwww.exe)
File opened for modification: C:\Windows\system32\SubDir\System32.exe  (process: wwwwwww.exe)
File opened for modification: C:\Windows\system32\SubDir  (process: wwwwwww.exe)
File opened for modification: C:\Windows\system32\SubDir\System32.exe  (process: System32.exe)
File opened for modification: C:\Windows\system32\SubDir  (process: System32.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege  pid 5112  wwwwwww.exe
Token: SeDebugPrivilege  pid 3976  System32.exe
Token: SeDebugPrivilege  pid 1996  NovaInstaller.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid 3976  System32.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid 3976  System32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
PID 4640 wrote to memory of 5112  pid 4640  aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe  procid_target 89
PID 4640 wrote to memory of 5112  pid 4640  aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe  procid_target 89
PID 5112 wrote to memory of 3976  pid 5112  wwwwwww.exe  procid_target 90
PID 5112 wrote to memory of 3976  pid 5112  wwwwwww.exe  procid_target 90
PID 4640 wrote to memory of 1996  pid 4640  aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe  procid_target 91
PID 4640 wrote to memory of 1996  pid 4640  aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe  procid_target 91
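A hunt over endpoint telemetry for the artifacts this report describes, added here as an example (it is not Tria.ge's code and not code from the Quasar project). It derives the install path, Run-key value name, mutex and C2 from the extracted config, runs those indicators over constructed Sysmon-style records, and flags that the C2 is a private address. Two pieces are assumptions taken from Quasar's published client source rather than from this page: that the startup_key is written as a value name under a Run key, and that keylogger output goes to %APPDATA%\<log_directory>. The event rows, the function names and the Event record shape are all constructed for the example.

```python
"""Hunt for the Quasar client artifacts described in the report above.

Added example, not Tria.ge's code and not code from the Quasar project.
Values marked REPORT are copied from the page; values marked ASSUMED
(Run-key location, %APPDATA%\\<log_directory>) come from Quasar's client
source and are not shown in the report. The telemetry is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

CONFIG = {  # REPORT: Malware Config section
    "c2": "192.168.10.145:4782",
    "mutex": "4f9fc524-eb7d-412c-82e9-60d973f2e68b",
    "install_name": "System32.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
    "log_directory": "Logs",
}

# REPORT: root of the observed drop C:\Windows\system32\SubDir\System32.exe,
# consistent with the client running elevated.
INSTALL_ROOT = r"C:\Windows\system32"

# Key path of a Run key under any hive prefix (HKLM\..., HKU\<SID>\...).
# RunOnce is deliberately not matched.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
# REPORT: the registry value queried by "Checks computer location settings".
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


def expected_artifacts(cfg):
    """Derive concrete host IoCs from the config fields."""
    install = "\\".join([INSTALL_ROOT, cfg["subdirectory"], cfg["install_name"]])
    return {
        "install_path": install.lower(),
        "run_value": cfg["startup_key"],  # ASSUMED: value name under a Run key
        "log_dir": ("\\appdata\\roaming\\" + cfg["log_directory"] + "\\").lower(),  # ASSUMED
        "mutex": cfg["mutex"].lower(),
        "c2": cfg["c2"],
    }


def c2_is_private(c2):
    """True when the C2 host is an RFC 1918 or otherwise non-routable address."""
    host = c2.rpartition(":")[0]
    return ipaddress.ip_address(host).is_private


@dataclass
class Event:
    kind: str        # file_create | reg_set | reg_query | net_connect | mutex
    process: str
    target: str      # file path, registry key path, host:port or mutex name
    detail: str = ""  # registry value name for reg_set


def scan(events, ioc):
    """Return (rule, event) pairs for events matching the derived IoCs."""
    hits = []
    for e in events:
        t = e.target.lower()
        if e.kind == "file_create" and t == ioc["install_path"]:
            hits.append(("quasar_install_path", e))
        elif e.kind == "file_create" and ioc["log_dir"] in t:
            hits.append(("quasar_keylog_dir", e))
        elif e.kind == "reg_set" and RUN_KEY_RE.search(t) and e.detail == ioc["run_value"]:
            hits.append(("quasar_startup_key", e))
        elif e.kind == "reg_query" and GEO_NATION_RE.search(t):
            hits.append(("geo_nation_lookup", e))
        elif e.kind == "net_connect" and e.target == ioc["c2"]:
            hits.append(("quasar_c2", e))
        elif e.kind == "mutex" and t == ioc["mutex"]:
            hits.append(("quasar_mutex", e))
    return hits


SID = "S-1-5-21-2192493100-457715857-1189582111-1000"  # REPORT
SAMPLE_EVENTS = [  # constructed telemetry; rows marked ASSUMED are not in the report
    Event("reg_query", "aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe",
          "HKU\\" + SID + r"\Control Panel\International\Geo\Nation"),
    Event("file_create", "wwwwwww.exe", r"C:\Windows\system32\SubDir"),  # directory only: no hit
    Event("file_create", "wwwwwww.exe", r"C:\Windows\system32\SubDir\System32.exe"),
    Event("reg_set", "System32.exe",  # ASSUMED
          "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", "Quasar Client Startup"),
    Event("reg_set", "svchost.exe",  # benign Run value: no hit
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"),
    Event("mutex", "System32.exe", "4f9fc524-eb7d-412c-82e9-60d973f2e68b"),  # ASSUMED
    Event("net_connect", "System32.exe", "192.168.10.145:4782"),  # ASSUMED
    Event("file_create", "System32.exe", r"C:\Users\Admin\AppData\Roaming\Logs\2023-12-05"),  # ASSUMED
]


def hunt(events=SAMPLE_EVENTS, cfg=CONFIG):
    """Rule names in firing order; what a triage script would alert on."""
    return [rule for rule, _ in scan(events, expected_artifacts(cfg))]


if __name__ == "__main__":
    for rule, e in scan(SAMPLE_EVENTS, expected_artifacts(CONFIG)):
        print(f"{rule:22} {e.process:14} {e.target} {e.detail}".rstrip())
    print("C2 is private:", c2_is_private(CONFIG["c2"]))
```

The install-path and Run-value matches are exact so that the sibling directory event and an unrelated Run value do not fire; the geofence and Run-key matches are anchored on the tail of the key path so that they work whether the telemetry reports HKCU as HKU\<SID> or by name.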
Processes

1. C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe  (PID 4640)
   command line: "C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe  (PID 5112)
      command line: "C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\SubDir\System32.exe  (PID 3976)
         command line: "C:\Windows\system32\SubDir\System32.exe"
         - Executes dropped EXE
         - Drops file in System32 directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
   2. C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe  (PID 1996)
      command line: "C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\D3DCompiler_47_cor3.dll
Filesize: 4.7MB
MD5: 2191e768cc2e19009dad20dc999135a3
SHA1: f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256: 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512: 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\PresentationNative_cor3.dll
Filesize: 1.2MB
MD5: c7bcc68b81e965fe74ef58d503c58deb
SHA1: 99990f204f7318eeb8de6f9664ebcd0d42ea81b7
SHA256: 06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e
SHA512: cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\wpfgfx_cor3.dll
Filesize: 1.9MB
MD5: 1b01746fe61beb761a643050823190b0
SHA1: 927b12e4a733bcc51545c6a005838a24b8dc4dda
SHA256: f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8
SHA512: 83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

Note: the three DLLs above are the native WPF components of the .NET desktop runtime (the _cor3 suffix marks the .NET Core 3.x and later builds), unpacked into %TEMP%\.net\NovaInstaller\ the way a self-extracting single-file .NET application does; the three "Loads dropped DLL" hits for NovaInstaller.exe are consistent with it loading these. They are runtime files, not payloads, and their hashes should not be treated as Quasar indicators.

Filesize: 152.1MB
MD5: 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1: 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256: 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512: 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7
Filesize: 3.1MB
MD5: 7404ded83ef64d354248abcd89e798ef
SHA1: 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256: 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512: f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26