Analysis
Max time kernel: 120s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231130-en
Resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
Submitted: 06-12-2023 10:19
Static task: static1
Behavioral task: behavioral1
Sample: 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
Resource: win7-20231130-en
General
Target: 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
Size: 829KB
MD5: 2abed91ee9611fdd5cd6118f465e18e9
SHA1: 0fe598bbc219da65715fe26a4722a427c63ac5b7
SHA256: 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1
SHA512: f1ef8e168c19e1840aef0a2db653cd12c3955dbe7fc389fc0ba307b05638d0340704a724c7154920351462ea7b61e71ab24f8b20450696605d275ebbd8a81e0f
SSDEEP: 12288:XueH5qgRSJZl5v7ehH0Xg3hLZ4miAJMY72RUC9lXudcXuXhUguwL0t8WIp7VMyam:FqgRml5j0UXgxl4mZDkUCDgEvm
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2: labtek.duckdns.org:4782
Mutex: QSR_MUTEX_Pc805LzmblzcJtBoEi
encryption_key: 9WuVWCumPUdQwI1jN0XT
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (5 IoCs)
resource | yara_rule
- behavioral1/memory/3032-11-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
- behavioral1/memory/3032-19-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
- behavioral1/memory/3032-17-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
- behavioral1/memory/3032-15-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
- behavioral1/memory/3032-12-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 6 | api.ipify.org
- 2 | ip-api.com

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
- PID 2208 set thread context of 3032 | 2208 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 28
- PID 1104 set thread context of 1192 | 1104 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 41

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
- 2944 | 3032 | WerFault.exe | 28

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
- 2036 | PING.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
- 2208 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (7 entries)
- 1104 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (12 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2208 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
- Token: SeDebugPrivilege | 3032 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
- Token: SeDebugPrivilege | 1104 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
- 3032 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

Suspicious use of WriteProcessMemory (50 IoCs)
description | pid | Process | procid_target
- PID 2208 wrote to memory of 3032 | 2208 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 28 (9 entries)
- PID 3032 wrote to memory of 3044 | 3032 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 32 (4 entries)
- PID 3032 wrote to memory of 2944 | 3032 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 34 (4 entries)
- PID 3044 wrote to memory of 1928 | 3044 | cmd.exe | 35 (4 entries)
- PID 3044 wrote to memory of 2036 | 3044 | cmd.exe | 36 (4 entries)
- PID 3044 wrote to memory of 1104 | 3044 | cmd.exe | 37 (4 entries)
- PID 1104 wrote to memory of 1788 | 1104 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 38 (4 entries)
- PID 1104 wrote to memory of 956 | 1104 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 39 (4 entries)
- PID 1104 wrote to memory of 1760 | 1104 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 40 (4 entries)
- PID 1104 wrote to memory of 1192 | 1104 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 41 (9 entries)
Processes
- 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (PID 2208)
  Image: C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (PID 3032)
    Image: C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - cmd.exe (PID 3044)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQYRvCRhgNGF.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - chcp.com (PID 1928)
        Image: C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - PING.EXE (PID 2036)
        Image: C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 10 localhost
        Signatures: Runs ping.exe
      - 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (PID 1104)
        Image: C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
        Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (PID 1788)
          Image: C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
        - 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (PID 956)
          Image: C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
        - 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (PID 1760)
          Image: C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
        - 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe (PID 1192)
          Image: C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
    - WerFault.exe (PID 2944)
      Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1472
      Signatures: Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 261B
  MD5: 28aab5f36c545a2016fd1f5ea3be4fde
  SHA1: 6cb27bcd5918ab3d5275899ddf6f32eecbcf2ee6
  SHA256: f557c0101b62d143917bd6cc0866318680ea818a59cededa89512b9ce059242a
  SHA512: 44f27ad2d10e0b8a212fea1cc5a6f93287fb58038e633b3c335b701e36a7555f932cb26d6b7c64bd36fa2c3d37d1391e62fa687b41a37889d8dbb9bebfa5626c