Analysis

Max time kernel: 149s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 09-04-2024 22:39

Static task: static1
Behavioral task: behavioral1
  Sample: 579ebb1309ad953fa0cb52c33b190baa.exe
  Resource: win7-20240220-en
General

Target: 579ebb1309ad953fa0cb52c33b190baa.exe
Size: 786KB
MD5: 579ebb1309ad953fa0cb52c33b190baa
SHA1: 70ccb8c950d96a7e6c32d09c307227f271a627ba
SHA256: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
SHA512: 2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4
SSDEEP: 24576:6O7r0f+STf0QcR9CTsPsOcs1kITzH9FHB2PpO:6gAf+YMQceTs1t1/TzdFh20
Malware Config

Extracted

Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2: 83.147.53.145:3700
Mutex: QSR_MUTEX_6WQThXDTXhAO4iLfWV
encryption_key: rylGzNSu4oGtwQbffX0U
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (5 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2816-21-0x0000000000400000-0x000000000045E000-memory.dmp   family_quasar
  behavioral1/memory/2816-23-0x0000000000400000-0x000000000045E000-memory.dmp   family_quasar
  behavioral1/memory/2816-27-0x0000000000400000-0x000000000045E000-memory.dmp   family_quasar
  behavioral1/memory/2816-29-0x0000000000400000-0x000000000045E000-memory.dmp   family_quasar
  behavioral1/memory/2816-31-0x0000000000400000-0x000000000045E000-memory.dmp   family_quasar
Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  1936   Client.exe
  1916   Client.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid    process
  2816   579ebb1309ad953fa0cb52c33b190baa.exe
  1936   Client.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  2      ip-api.com
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                            pid    process                                 target process
  PID 2356 set thread context of 2816    2356   579ebb1309ad953fa0cb52c33b190baa.exe    579ebb1309ad953fa0cb52c33b190baa.exe
  PID 1936 set thread context of 1916    1936   Client.exe                              Client.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid    process
  2708   schtasks.exe
  2228   schtasks.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid    process
  2356   579ebb1309ad953fa0cb52c33b190baa.exe
  2300   powershell.exe
  2604   powershell.exe
  2356   579ebb1309ad953fa0cb52c33b190baa.exe
  1936   Client.exe
  1952   powershell.exe
  1368   powershell.exe
  1936   Client.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2356   579ebb1309ad953fa0cb52c33b190baa.exe
  Token: SeDebugPrivilege   2300   powershell.exe
  Token: SeDebugPrivilege   2604   powershell.exe
  Token: SeDebugPrivilege   2816   579ebb1309ad953fa0cb52c33b190baa.exe
  Token: SeDebugPrivilege   1936   Client.exe
  Token: SeDebugPrivilege   1952   powershell.exe
  Token: SeDebugPrivilege   1368   powershell.exe
  Token: SeDebugPrivilege   1916   Client.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid    process
  1916   Client.exe
Suspicious use of WriteProcessMemory (46 IoCs)
Processes (identical events grouped; the count column gives how many times each event was recorded, 46 in total):
  description                         pid    process                                 target process                          count
  PID 2356 wrote to memory of 2300    2356   579ebb1309ad953fa0cb52c33b190baa.exe    powershell.exe                          4
  PID 2356 wrote to memory of 2604    2356   579ebb1309ad953fa0cb52c33b190baa.exe    powershell.exe                          4
  PID 2356 wrote to memory of 2708    2356   579ebb1309ad953fa0cb52c33b190baa.exe    schtasks.exe                            4
  PID 2356 wrote to memory of 2816    2356   579ebb1309ad953fa0cb52c33b190baa.exe    579ebb1309ad953fa0cb52c33b190baa.exe    9
  PID 2816 wrote to memory of 1936    2816   579ebb1309ad953fa0cb52c33b190baa.exe    Client.exe                              4
  PID 1936 wrote to memory of 1952    1936   Client.exe                              powershell.exe                          4
  PID 1936 wrote to memory of 1368    1936   Client.exe                              powershell.exe                          4
  PID 1936 wrote to memory of 2228    1936   Client.exe                              schtasks.exe                            4
  PID 1936 wrote to memory of 1916    1936   Client.exe                              Client.exe                              9
Processes

[1] C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"
    PID: 2356
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"
        PID: 2300
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"
        PID: 2604
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AA0.tmp"
        PID: 2708
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"
        PID: 2816
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            PID: 1936
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                PID: 1952
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"
                PID: 1368
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp68F0.tmp"
                PID: 2228
                - Creates scheduled task(s)

            [4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                PID: 1916
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5: 6c530173ae54625f912a357f67f673ff
  SHA1: c48fb4cce1c31569c53be05783d8f73ee7655dff
  SHA256: 50be067c08cc7588dffbed76b98feb820fb78edbd75b1a7c17258228dd46e797
  SHA512: 1b663466560d74b4e43ac3151ac52dda4b0110694aa8ad76922a84b303300f4519b109361dccf886ffbc83890e2b7b0c1242e8b2de3f3836af891a75f3b2dcfb

File 2
  Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZU59CYVRCZ1ESQDX8VQ0.temp
  Filesize: 7KB
  MD5: 94edd14bd440682f0117bb5838309694
  SHA1: 0a68f58ee79bb7b75330780f62d79f36fec4a78b
  SHA256: 28a2f0d9696a750b0da53d6e279bac952ac7742e8e663902aa0d0372f222a0c6
  SHA512: b40fdb6f16f4b16eb5fee1535e1879b0f2698d258c784f1104fc16123625f65c493f7355bbbb485bcc4e22f9021a613f5a09b0a1b59b1863a31da020b79e9b47

File 3
  Filesize: 786KB
  MD5: 579ebb1309ad953fa0cb52c33b190baa
  SHA1: 70ccb8c950d96a7e6c32d09c307227f271a627ba
  SHA256: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
  SHA512: 2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4