Analysis

max time kernel: 172s
max time network: 180s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 08:55
Static task: static1
Behavioral task: behavioral1
Sample: c803b24286b85e84999728e62074f29a.exe
Resource: win7-20240221-en
General

Target: c803b24286b85e84999728e62074f29a.exe
Size: 832KB
MD5: c803b24286b85e84999728e62074f29a
SHA1: a535987863ef3ffc0bbc5bda52b531fb687f7af8
SHA256: caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7
SHA512: 8007add191fb1bf9b182f6a623b7c3677257d51fe1d133fce5cbb3aa61288dfedd5022b884b1d28fc6730a351da19d4a738edd69d0305739b1e9942da846ef62
SSDEEP: 6144:CBIXwYejKKPcAHDMn4xJRBgiBoPysbZbz4DkyNnvBImJ0H9owHbAmw/J4ffMzYVA:PQjdM40btzONp5We5zDSHzBu6/cwbGj
Malware Config

Extracted: quasar
1.3.0.0
rat2000
noelsfreexd.ddns.net:80
noelsfreexd.ddns.net:443
QSR_MUTEX_pZaUbVWTnEK2l6CC6k
encryption_key: z8mQ697A1LH8Y5CjsRnd
install_name: Client.exe
log_directory: Logs
reconnect_delay: 2500
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (5 IoCs)
resource  yara_rule
behavioral1/files/0x0028000000012265-8.dat  family_quasar
behavioral1/memory/2464-11-0x0000000000D10000-0x0000000000D6E000-memory.dmp  family_quasar
behavioral1/memory/1972-26-0x0000000000E40000-0x0000000000E9E000-memory.dmp  family_quasar
behavioral1/memory/2752-40-0x0000000000E30000-0x0000000000E8E000-memory.dmp  family_quasar
behavioral1/memory/668-50-0x0000000140000000-0x00000001405E8000-memory.dmp  family_quasar

Executes dropped EXE (3 IoCs)
pid   Process
2464  cmd.exe
1972  Client.exe
2752  cmd.exe

Loads dropped DLL (6 IoCs)
pid   Process
2464  cmd.exe
2904  WerFault.exe (5 occurrences)

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Windows\\SysWOW64\\SubDir\\Client.exe\""  Client.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.exe\""  cmd.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
2     ip-api.com

Drops file in System32 directory (2 IoCs)
description                   ioc                                    Process
File created                  C:\Windows\SysWOW64\SubDir\Client.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\SubDir\Client.exe  cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
2904  1972        WerFault.exe  33

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1632  schtasks.exe
1496  schtasks.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid   Process
668   taskmgr.exe (24 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
668   taskmgr.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2500  c803b24286b85e84999728e62074f29a.exe
Token: SeDebugPrivilege  2464  cmd.exe
Token: SeDebugPrivilege  1972  Client.exe
Token: SeDebugPrivilege  668   taskmgr.exe

Suspicious use of FindShellTrayWindow (50 IoCs)
pid   Process
668   taskmgr.exe (50 occurrences)

Suspicious use of SendNotifyMessage (50 IoCs)
pid   Process
668   taskmgr.exe (50 occurrences)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1972  Client.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description                       pid   Process                               procid_target
PID 2500 wrote to memory of 2464  2500  c803b24286b85e84999728e62074f29a.exe  29  (4 occurrences)
PID 2464 wrote to memory of 1632  2464  cmd.exe                               31  (4 occurrences)
PID 2464 wrote to memory of 1972  2464  cmd.exe                               33  (4 occurrences)
PID 1972 wrote to memory of 1496  1972  Client.exe                            34  (4 occurrences)
PID 1972 wrote to memory of 2752  1972  Client.exe                            36  (4 occurrences)
PID 1972 wrote to memory of 2904  1972  Client.exe                            37  (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2500

    C:\Users\Admin\AppData\Local\Temp\cmd.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2464

        C:\Windows\SysWOW64\schtasks.exe
            command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
            PID: 1632

        C:\Windows\SysWOW64\SubDir\Client.exe
            command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 1972

            C:\Windows\SysWOW64\schtasks.exe
                command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
                PID: 1496

            C:\Users\Admin\AppData\Local\Temp\cmd.exe
                command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0WRZ4k44txBc.bat" "
                - Executes dropped EXE
                PID: 2752

            C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1492
                - Loads dropped DLL
                - Program crash
                PID: 2904

C:\Windows\system32\taskmgr.exe
    command line: "C:\Windows\system32\taskmgr.exe" /4
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 668
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 196B
MD5: 8b40d57aec119a37c045dd2d4eabc66e
SHA1: 49c08719cf7f2e8ae9ebe3c1beb73dfaf17c11d1
SHA256: 8d9c644b15f78f3b61738a3a8deaf38f7eeccff37eee0bb16394996167af0d68
SHA512: 6317b618950c8588b1887f50de3a69939a51eceb8b8748aa70f6cec1365b8b7e88cd94b7fd49e7e5c9f98225d31b08dbab7a1c58b61bbd118b3671de4897fae8

Filesize: 349KB
MD5: efb08c8abd228dc2c608b4b2ae81f8e5
SHA1: 4c132ee66fb7ab5e26989f07d72fbc81d4480f41
SHA256: bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863
SHA512: b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962