Analysis
-
max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
14/03/2024, 07:11
Static task
static1
Behavioral task
behavioral1
Sample
c803b24286b85e84999728e62074f29a.exe
Resource
win7-20231129-en
General
-
Target
c803b24286b85e84999728e62074f29a.exe
-
Size
832KB
-
MD5
c803b24286b85e84999728e62074f29a
-
SHA1
a535987863ef3ffc0bbc5bda52b531fb687f7af8
-
SHA256
caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7
-
SHA512
8007add191fb1bf9b182f6a623b7c3677257d51fe1d133fce5cbb3aa61288dfedd5022b884b1d28fc6730a351da19d4a738edd69d0305739b1e9942da846ef62
-
SSDEEP
6144:CBIXwYejKKPcAHDMn4xJRBgiBoPysbZbz4DkyNnvBImJ0H9owHbAmw/J4ffMzYVA:PQjdM40btzONp5We5zDSHzBu6/cwbGj
Malware Config
Extracted
quasar
1.3.0.0
rat2000
noelsfreexd.ddns.net:80
noelsfreexd.ddns.net:443
QSR_MUTEX_pZaUbVWTnEK2l6CC6k
-
encryption_key
z8mQ697A1LH8Y5CjsRnd
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
2500
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 4 IoCs
resource | yara_rule
behavioral1/files/0x000b000000015605-9.dat | family_quasar
behavioral1/memory/3068-10-0x0000000000BC0000-0x0000000000C1E000-memory.dmp | family_quasar
behavioral1/memory/2828-21-0x0000000000100000-0x000000000015E000-memory.dmp | family_quasar
behavioral1/memory/2756-33-0x0000000000CE0000-0x0000000000D3E000-memory.dmp | family_quasar
-
Executes dropped EXE 3 IoCs
pid | Process
3068 | cmd.exe
2828 | Client.exe
2756 | cmd.exe
-
Loads dropped DLL 6 IoCs
pid | Process
3068 | cmd.exe
2924 | WerFault.exe
2924 | WerFault.exe
2924 | WerFault.exe
2924 | WerFault.exe
2924 | WerFault.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\SubDir\Client.exe | cmd.exe
File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2924 | 2828 | WerFault.exe | 32
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2520 | schtasks.exe
2568 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2240 | c803b24286b85e84999728e62074f29a.exe
Token: SeDebugPrivilege | 3068 | cmd.exe
Token: SeDebugPrivilege | 2828 | Client.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2828 | Client.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target | events
PID 2240 wrote to memory of 3068 | 2240 | c803b24286b85e84999728e62074f29a.exe | 28 | 4
PID 3068 wrote to memory of 2568 | 3068 | cmd.exe | 30 | 4
PID 3068 wrote to memory of 2828 | 3068 | cmd.exe | 32 | 4
PID 2828 wrote to memory of 2520 | 2828 | Client.exe | 33 | 4
PID 2828 wrote to memory of 2756 | 2828 | Client.exe | 35 | 4
PID 2828 wrote to memory of 2924 | 2828 | Client.exe | 36 | 4
Processes
-
(leading number = depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2240

   2. C:\Users\Admin\AppData\Local\Temp\cmd.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3068

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f
         - Creates scheduled task(s)
         PID: 2568

      3. C:\Windows\SysWOW64\SubDir\Client.exe
         Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 2828

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
            PID: 2520

         4. C:\Users\Admin\AppData\Local\Temp\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2BTW532LGeSG.bat" "
            - Executes dropped EXE
            PID: 2756

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 1448
            - Loads dropped DLL
            - Program crash
            PID: 2924
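The tree above shows the pattern worth alerting on: a binary dropped to the user's Temp directory under the name cmd.exe (the dropped Quasar client, not the system shell, as the "Executes dropped EXE" marker on PID 3068 shows) registers the task "Quasar Client Startup" with /sc ONLOGON /rl HIGHEST pointing at itself; the installed copy in C:\Windows\SysWOW64\SubDir\Client.exe re-registers the same task pointing at its new path; the client then crashes under WerFault. The following Python is an added example, not part of this report or of the sandbox: it encodes those observations as triage rules over process-creation events and runs them on events constructed from the tree. The Event field names, the parent PIDs 1000 and 900, and the benign control row are assumptions, not captured data. Children of a flagged process inherit the flag, which is what ties the WerFault crash of PID 2828 back to the dropper.

```python
"""Rule-based triage of process-creation events, modelled on the Quasar run in
this report. Added example; the EVENTS below are CONSTRUCTED from the report's
process tree (ppid 1000/900 and the benign row are invented), and the field
names are an assumption rather than any sandbox or Sysmon schema."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# Builder defaults seen verbatim in the extracted config (startup_key,
# subdirectory, install_name); an operator who changed them evades these two.
QUASAR_TASK_NAME = "quasar client startup"
QUASAR_INSTALL_SUFFIX = "\\subdir\\client.exe"
# Tool names worth checking against their real location; the dropper here is Temp\cmd.exe.
SYSTEM_TOOL_NAMES = {"cmd.exe", "schtasks.exe", "werfault.exe", "svchost.exe"}


@dataclass
class Event:
    pid: int
    ppid: int
    image: str    # full path of the new process image
    cmdline: str  # command line as logged


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def parse_schtasks(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Map schtasks switches to values, e.g. {'/create': True, '/tn': 'Quasar Client Startup'}.
    posix=False keeps Windows backslashes literal; surrounding quotes are then stripped."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    args: Dict[str, Union[str, bool]] = {}
    i = 1  # toks[0] is the program name
    while i < len(toks):
        sw = toks[i].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            args[sw] = toks[i + 1]
            i += 2
        else:
            args[sw] = True  # bare switch such as /create or /f
            i += 1
    return args


def rule_masquerading_system_binary(ev: Event) -> Optional[Tuple[str, str]]:
    """A well-known tool name executing from outside System32/SysWOW64."""
    low = ev.image.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_TOOL_NAMES and not low.startswith(SYSTEM_DIRS):
        return "masquerading_system_binary", f"{name} executed from {ev.image}"
    return None


def rule_onlogon_highest_task(ev: Event) -> Optional[Tuple[str, str]]:
    """schtasks /create with ONLOGON at HIGHEST run level whose target is user-writable
    or is Quasar's default install path, or which uses Quasar's default task name."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    a = parse_schtasks(ev.cmdline)
    if "/create" not in a:
        return None
    tn = str(a.get("/tn", "")).lower()
    tr = str(a.get("/tr", "")).lower()
    elevated_logon = (str(a.get("/sc", "")).lower() == "onlogon"
                      and str(a.get("/rl", "")).lower() == "highest")
    odd_target = tr.startswith(USER_WRITABLE) or tr.endswith(QUASAR_INSTALL_SUFFIX)
    if (elevated_logon and odd_target) or tn == QUASAR_TASK_NAME:
        return "onlogon_highest_task", f"task {a.get('/tn')!r} -> {a.get('/tr')}"
    return None


def rule_crash_of_flagged_lineage(ev: Event, flagged: Set[int]) -> Optional[Tuple[str, str]]:
    """WerFault.exe -p <pid> for a pid already in the suspicious lineage: the implant
    crashed, so a memory image of it is likely available (cf. the Program crash signature)."""
    if ev.image.lower().endswith("\\werfault.exe"):
        m = re.search(r"-p\s+(\d+)", ev.cmdline)
        if m and int(m.group(1)) in flagged:
            return "crash_of_flagged_lineage", f"WerFault for suspicious pid {m.group(1)}"
    return None


def triage(events: List[Event]) -> Tuple[List[Finding], Set[int]]:
    """Apply the per-event rules, spread the flag to descendants, then run lineage rules."""
    findings: List[Finding] = []
    flagged: Set[int] = set()
    for ev in events:
        for rule in (rule_masquerading_system_binary, rule_onlogon_highest_task):
            hit = rule(ev)
            if hit:
                findings.append(Finding(ev.pid, *hit))
                flagged.add(ev.pid)
    changed = True
    while changed:  # children of a flagged process inherit the flag (downward only)
        changed = False
        for ev in events:
            if ev.ppid in flagged and ev.pid not in flagged:
                flagged.add(ev.pid)
                changed = True
    for ev in events:
        hit = rule_crash_of_flagged_lineage(ev, flagged)
        if hit:
            findings.append(Finding(ev.pid, *hit))
    return findings, flagged


# Constructed from the report's process tree; ppid 1000/900 and pid 4100 are invented.
EVENTS = [
    Event(2240, 1000, r"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"'),
    Event(3068, 2240, r"C:\Users\Admin\AppData\Local\Temp\cmd.exe", r'"C:\Users\Admin\AppData\Local\Temp\cmd.exe"'),
    Event(2568, 3068, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f'),
    Event(2828, 3068, r"C:\Windows\SysWOW64\SubDir\Client.exe", r'"C:\Windows\SysWOW64\SubDir\Client.exe"'),
    Event(2520, 2828, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f'),
    Event(2756, 2828, r"C:\Users\Admin\AppData\Local\Temp\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\2BTW532LGeSG.bat" "'),
    Event(2924, 2828, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 1448"),
    # benign control: the genuine schtasks.exe creating an ordinary daily task
    Event(4100, 900, r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe" /f'),
]

if __name__ == "__main__":
    found, lineage = triage(EVENTS)
    for f in found:
        print(f"pid {f.pid:<5} {f.rule:<28} {f.detail}")
    print("suspicious lineage:", sorted(lineage))
```

Run as a script to print the findings. The root sample (PID 2240) is not flagged by these rules, since at process-creation time it shows nothing a rule can see; reaching it would require walking parents upward, which the example leaves out. The task-name and SubDir\Client.exe checks depend on the builder defaults extracted in the config section and miss operators who changed them; the ONLOGON plus HIGHEST plus user-writable-target rule does not rely on those strings and also catches the first registration from the Temp path.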
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
196B
MD5
80377756ee1e0edbfe89bfd4042f8720
SHA1
cb9272a2c7ba44f736ffa836a3e5315acc1c7dbc
SHA256
17b3800dc79eaac3cdf1616e06b71693d346e8171e256d1a82b5b0cdb7df6571
SHA512
17b1f6516119b02c8483238a9a2553d3e9042fbd0da3a9f40703ef1fe9dcd78f1f86b9c3b269e5fe57fecaca0272e6405088c56d4af5728a752b02739c99efbe
-
Filesize
349KB
MD5
efb08c8abd228dc2c608b4b2ae81f8e5
SHA1
4c132ee66fb7ab5e26989f07d72fbc81d4480f41
SHA256
bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863
SHA512
b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962