Analysis
max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted
07-12-2023 19:36
Behavioral task
behavioral1
Sample
e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe
Resource
win7-20231023-en
General
Target
e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe
Size
3.7MB
MD5
cf3e191984d67cc23e9801c1f34aef0c
SHA1
e077f254fab7ac5c1150925866fac997ee008237
SHA256
e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53
SHA512
0f60baf1d8a8177dfe45d603ba82181e528f1b62e4b54881fc5c7ff77e4cf2c1feef9d6bd5e697b216aeb9063e013298f26ec572226de5cfd965ce3a61239904
SSDEEP
98304:cv722SsaNYfdPBldt6+dBcjHgefqLXKpsvD/D+donCYUV:ac7jFIj7/A1Yc
Malware Config
Extracted
family
quasar
version
1.4.1
tag
Office04
c2
106.160.59.123:5468
mutex
ecbc8241-f6e8-43af-bfa9-9d8fb968ba89
encryption_key
B6D85D96313E99A28BC1E8EFB817AC6FE38CBB98
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir
Signatures

Detect Blackmoon payload 2 IoCs
resource | yara_rule
behavioral2/memory/2168-26-0x0000000000400000-0x0000000000437000-memory.dmp | family_blackmoon
behavioral2/memory/2168-34-0x0000000000400000-0x0000000000437000-memory.dmp | family_blackmoon

Quasar payload 3 IoCs
resource | yara_rule
behavioral2/files/0x0006000000023112-19.dat | family_quasar
behavioral2/files/0x0006000000023112-20.dat | family_quasar
behavioral2/memory/1460-22-0x0000000000150000-0x0000000000474000-memory.dmp | family_quasar

Executes dropped EXE 2 IoCs
pid | Process
2168 | ÓÎÏ·ÄÚ´æÊÍ·Å.exe
1460 | Client-built.exe

Loads dropped DLL 3 IoCs
pid | Process
4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe
4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe
4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe

UPX packed file 5 IoCs
resource | yara_rule
behavioral2/files/0x0006000000023115-15.dat | upx
behavioral2/memory/2168-16-0x0000000000400000-0x0000000000437000-memory.dmp | upx
behavioral2/files/0x0006000000023115-21.dat | upx
behavioral2/memory/2168-26-0x0000000000400000-0x0000000000437000-memory.dmp | upx
behavioral2/memory/2168-34-0x0000000000400000-0x0000000000437000-memory.dmp | upx

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2168 | ÓÎÏ·ÄÚ´æÊÍ·Å.exe
2168 | ÓÎÏ·ÄÚ´æÊÍ·Å.exe
2168 | ÓÎÏ·ÄÚ´æÊÍ·Å.exe
2168 | ÓÎÏ·ÄÚ´æÊÍ·Å.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1460 | Client-built.exe
Token: 33 | 2168 | ÓÎÏ·ÄÚ´æÊÍ·Å.exe
Token: SeIncBasePriorityPrivilege | 2168 | ÓÎÏ·ÄÚ´æÊÍ·Å.exe
(the remaining 63 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for PID 2168 ÓÎÏ·ÄÚ´æÊÍ·Å.exe)

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4020 wrote to memory of 2128 | 4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe | 90
PID 4020 wrote to memory of 2128 | 4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe | 90
PID 4020 wrote to memory of 2128 | 4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe | 90
PID 4020 wrote to memory of 3736 | 4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe | 91
PID 4020 wrote to memory of 3736 | 4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe | 91
PID 4020 wrote to memory of 3736 | 4020 | e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe | 91
PID 3736 wrote to memory of 2168 | 3736 | cmd.exe | 94
PID 3736 wrote to memory of 2168 | 3736 | cmd.exe | 94
PID 3736 wrote to memory of 2168 | 3736 | cmd.exe | 94
PID 2128 wrote to memory of 1460 | 2128 | cmd.exe | 96
PID 2128 wrote to memory of 1460 | 2128 | cmd.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe
  command: "C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe"
  PID: 4020
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command: cmd /c start C:\Users\Admin\AppData\Local\Temp\\Client-built.exe
    PID: 2128
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      command: C:\Users\Admin\AppData\Local\Temp\\Client-built.exe
      PID: 1460
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command: cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
    PID: 3736
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
      command: C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
      PID: 2168
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
Filesize
3.1MB
MD5
4581d8db596f027233f51dab3764d4b4
SHA1
b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256
5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512
6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

Filesize
3.1MB
MD5
4581d8db596f027233f51dab3764d4b4
SHA1
b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256
5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512
6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

Filesize
1.1MB
MD5
97c8fe752e354b2945e4c593a87e4a8b
SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9
SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead
SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Filesize
56KB
MD5
d63851f89c7ad4615565ca300e8b8e27
SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Filesize
56KB
MD5
d63851f89c7ad4615565ca300e8b8e27
SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Filesize
60KB
MD5
90f02d102a066c61308c4007f7381349
SHA1
e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256
c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512
e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

Filesize
60KB
MD5
90f02d102a066c61308c4007f7381349
SHA1
e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256
c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512
e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5