Analysis
  max time kernel: 113s
  max time network: 134s
  platform: windows10-2004_x64
  resource: win10v2004-20231201-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06-12-2023 10:19
Static task: static1
Behavioral task: behavioral1
  Sample: 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Resource: win7-20231130-en
General
  Target: 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Size: 829KB
  MD5: 2abed91ee9611fdd5cd6118f465e18e9
  SHA1: 0fe598bbc219da65715fe26a4722a427c63ac5b7
  SHA256: 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1
  SHA512: f1ef8e168c19e1840aef0a2db653cd12c3955dbe7fc389fc0ba307b05638d0340704a724c7154920351462ea7b61e71ab24f8b20450696605d275ebbd8a81e0f
  SSDEEP: 12288:XueH5qgRSJZl5v7ehH0Xg3hLZ4miAJMY72RUC9lXudcXuXhUguwL0t8WIp7VMyam:FqgRml5j0UXgxl4mZDkUCDgEvm
Malware Config
Extracted
  Family: quasar
  Version: 1.3.0.0
  Botnet: Office04
  C2: labtek.duckdns.org:4782
  Mutex: QSR_MUTEX_Pc805LzmblzcJtBoEi
  Attributes:
    encryption_key: 9WuVWCumPUdQwI1jN0XT
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Quasar Client Startup
    subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/2176-12-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  16 | ip-api.com
  18 | ip-api.com

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2792 set thread context of 2176 | 2792 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 89
  PID 5064 set thread context of 3192 | 5064 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 101
  PID 3684 set thread context of 4828 | 3684 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 109

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  2032 | 2176 | WerFault.exe | 89
  3328 | 3192 | WerFault.exe | 101
  4928 | 4828 | WerFault.exe | 109

Runs ping.exe (1 TTP, 3 IoCs)
  pid | Process
  4808 | PING.EXE
  3492 | PING.EXE
  2380 | PING.EXE

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | Process | entries
  2792 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 6
  5064 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 6
  3684 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 6

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2792 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Token: SeDebugPrivilege | 2176 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Token: SeDebugPrivilege | 5064 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Token: SeDebugPrivilege | 3192 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Token: SeDebugPrivilege | 3684 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  Token: SeDebugPrivilege | 4828 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2176 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  3192 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  description | pid | Process | procid_target | entries
  PID 2792 wrote to memory of 2176 | 2792 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 89 | 8
  PID 2176 wrote to memory of 3220 | 2176 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 91 | 3
  PID 3220 wrote to memory of 5100 | 3220 | cmd.exe | 94 | 3
  PID 3220 wrote to memory of 4808 | 3220 | cmd.exe | 96 | 3
  PID 3220 wrote to memory of 5064 | 3220 | cmd.exe | 99 | 3
  PID 5064 wrote to memory of 3192 | 5064 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 101 | 8
  PID 3192 wrote to memory of 1028 | 3192 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 104 | 3
  PID 1028 wrote to memory of 1404 | 1028 | cmd.exe | 107 | 3
  PID 1028 wrote to memory of 3492 | 1028 | cmd.exe | 105 | 3
  PID 1028 wrote to memory of 3684 | 1028 | cmd.exe | 108 | 3
  PID 3684 wrote to memory of 4828 | 3684 | 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe | 109 | 8
Processes

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
  PID: 2792
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
      PID: 2176
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      ├ C:\Windows\SysWOW64\cmd.exe
      │   command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat" "
      │   PID: 3220
      │   - Suspicious use of WriteProcessMemory
      │   ├ C:\Windows\SysWOW64\chcp.com
      │   │   command line: chcp 65001
      │   │   PID: 5100
      │   ├ C:\Windows\SysWOW64\PING.EXE
      │   │   command line: ping -n 10 localhost
      │   │   PID: 4808
      │   │   - Runs ping.exe
      │   └ C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
      │       command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
      │       PID: 5064
      │       - Suspicious use of SetThreadContext
      │       - Suspicious behavior: EnumeratesProcesses
      │       - Suspicious use of AdjustPrivilegeToken
      │       - Suspicious use of WriteProcessMemory
      │       └ C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
      │           command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
      │           PID: 3192
      │           - Checks computer location settings
      │           - Suspicious use of AdjustPrivilegeToken
      │           - Suspicious use of SetWindowsHookEx
      │           - Suspicious use of WriteProcessMemory
      │           ├ C:\Windows\SysWOW64\cmd.exe
      │           │   command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZExp6vhs0Mq4.bat" "
      │           │   PID: 1028
      │           │   - Suspicious use of WriteProcessMemory
      │           │   ├ C:\Windows\SysWOW64\PING.EXE
      │           │   │   command line: ping -n 10 localhost
      │           │   │   PID: 3492
      │           │   │   - Runs ping.exe
      │           │   ├ C:\Windows\SysWOW64\chcp.com
      │           │   │   command line: chcp 65001
      │           │   │   PID: 1404
      │           │   └ C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
      │           │       command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
      │           │       PID: 3684
      │           │       - Suspicious use of SetThreadContext
      │           │       - Suspicious behavior: EnumeratesProcesses
      │           │       - Suspicious use of AdjustPrivilegeToken
      │           │       - Suspicious use of WriteProcessMemory
      │           │       └ C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
      │           │           command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
      │           │           PID: 4828
      │           │           - Suspicious use of AdjustPrivilegeToken
      │           │           ├ C:\Windows\SysWOW64\WerFault.exe
      │           │           │   command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 2216
      │           │           │   PID: 4928
      │           │           │   - Program crash
      │           │           └ C:\Windows\SysWOW64\cmd.exe
      │           │               command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hou6aILpYJCV.bat" "
      │           │               PID: 4292
      │           │               └ C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
      │           │                   command line: "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
      │           │                   PID: 3640
      │           └ C:\Windows\SysWOW64\WerFault.exe
      │               command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1704
      │               PID: 3328
      │               - Program crash
      └ C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 2212
          PID: 2032
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2176 -ip 2176
  PID: 3544

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3192 -ip 3192
  PID: 4104

C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  PID: 2380
  - Runs ping.exe

C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
  PID: 2372

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4828 -ip 4828
  PID: 3896
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

(unnamed file)
  Filesize: 261B
  MD5: b77848cd2f970e4be87f0a7a24a015d9
  SHA1: 1332d30ab73c8f551f85719602b76194189c49ee
  SHA256: 9adc2117f8ffc971fa44af9ca123c343c1406a41ebcd293ed6ef658d01f81a3a
  SHA512: 20a2b2302d1a9f4a14778e725fba60e88a8c71d33d2d3bef35c00a8746167440b2399cc6ad274b1978d63652c4f410f98ca125ebac5f9a42afed4bda31056aa3

(unnamed file)
  Filesize: 261B
  MD5: 758b08a5f9dacf0c173a9b5f4cdc5175
  SHA1: 99bf49f38773215ca2819a60441b14784ef8ed7e
  SHA256: d280e2142ecfa497be8e18dc76d05bae8bf0cfbf8cade7e4d141a948a0410839
  SHA512: 29a05ec3b00bbd07fc32a97bec1d44d25d3f4f9adbd8140169a8baafb99c92329dd88bcd24aa09968d8ea0d6475c2ae4950b05748e2c4d21ca962b124762316f

(unnamed file)
  Filesize: 261B
  MD5: 753d86d9020ac6e2742e7bcb0f113bea
  SHA1: 62dadbcce565c262ab19fded1c2dc414b3559fef
  SHA256: c245ff277e382ffebd48f67e0c39e1d773afe89c7945fed07b563d35059b21f7
  SHA512: 37ab612560a0bff6582c2199b1b9263825948cea3c721856cde3b81f60b7b68ec483cf82d315b8b290e68754940094e33e41848f51c6adb8b468a23f08d35ea3

(unnamed file)
  Filesize: 224B
  MD5: 7cf9fd0bb2712da5374c6377c2ae000e
  SHA1: dc606622b48cf227f48f1269e8a1f1eeeb39b831
  SHA256: 69ba63dcc7ea6f6f859a4d86e433b583916c5b356d71cc84d36c86fd30e3c1d3
  SHA512: bf7f29f94d51d24ab3d3f1cf6bc31619676b6bc06cd84d502547f01a9d455c937a31d18314bfeed9215bc82da630790374375c62dc264ef41f08923ce091e119