Analysis
max time kernel: 128s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 22:39
Static task: static1
Behavioral task: behavioral1
Sample: 579ebb1309ad953fa0cb52c33b190baa.exe
Resource: win7-20240220-en
Note: the behavioral results reproduced below (memory dump, process tree, signatures) come from the Windows 10 run (behavioral2, win10v2004-20240226-en); the win7 behavioral1 task is listed but its results are not on this page.
General
Target: 579ebb1309ad953fa0cb52c33b190baa.exe
Size: 786KB
MD5: 579ebb1309ad953fa0cb52c33b190baa
SHA1: 70ccb8c950d96a7e6c32d09c307227f271a627ba
SHA256: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
SHA512: 2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4
SSDEEP: 24576:6O7r0f+STf0QcR9CTsPsOcs1kITzH9FHB2PpO:6gAf+YMQceTs1t1/TzdFh20
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet (tag): Office04
C2: 83.147.53.145:3700
Mutex: QSR_MUTEX_6WQThXDTXhAO4iLfWV
Attributes:
  encryption_key: rylGzNSu4oGtwQbffX0U
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
The install_name and subdirectory values correspond to the dropped C:\Users\Admin\AppData\Roaming\SubDir\Client.exe in the process tree below; reconnect_delay is in milliseconds; startup_key is the name of the Run registry value the client uses for its own persistence, separate from the scheduled task created by the loader.
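Quasar 1.3.0.0 keeps its Settings strings (C2, mutex, install name and the rest of the values above) as Base64 blobs encrypted under keys derived from the encryption_key string, which is why the extractor needs that key. The following PowerShell is an added example, not code from this report or from the Quasar project: it reproduces the scheme as I understand it from the Quasar 1.3.0.0 source (PBKDF2-HMAC-SHA1 over the key string with the fixed 32-byte salt below, 50000 iterations, a 16-byte AES-128-CBC key followed by a 64-byte HMAC-SHA256 key, blob layout HMAC(IV || ciphertext) || IV || ciphertext). The salt and key sizes are assumptions taken from that reading and should be checked against the unpacked client (the family_quasar memory dump) before relying on them; the encrypt routine exists only to build a blob for the round trip.

```powershell
# Quasar 1.3.0.0 settings crypto, reconstructed (assumed) from the client's AES class.
# Salt below is that class's hardcoded value as I recall it: verify against the sample.
$script:QuasarSalt = [byte[]](
    0xBF,0xEB,0x1E,0x56,0xFB,0xCD,0x97,0x3B,0xB2,0x19,0x02,0x24,0x30,0xA5,0x78,0x43,
    0x00,0x3D,0x56,0x44,0xD2,0x1E,0x62,0xB9,0xD4,0xF1,0x80,0xE7,0xE6,0xC3,0x39,0x41)

function Get-QuasarKeys {
    param([Parameter(Mandatory)][string]$MasterKey)
    # Rfc2898DeriveBytes = PBKDF2-HMAC-SHA1. GetBytes is stateful: the first call
    # yields bytes 0-15 (AES key), the second bytes 16-79 (HMAC key).
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($MasterKey, $script:QuasarSalt, 50000)
    try {
        $aesKey  = $kdf.GetBytes(16)
        $authKey = $kdf.GetBytes(64)
        [pscustomobject]@{ Key = $aesKey; AuthKey = $authKey }
    } finally { $kdf.Dispose() }
}

function Unprotect-QuasarString {
    param([Parameter(Mandatory)][string]$Base64,
          [Parameter(Mandatory)][string]$MasterKey)
    $keys = Get-QuasarKeys -MasterKey $MasterKey
    [byte[]]$blob = [Convert]::FromBase64String($Base64)
    if ($blob.Length -lt 48) { throw "blob is $($blob.Length) bytes, shorter than HMAC(32) + IV(16)" }

    # Authenticate before decrypting: a wrong encryption_key fails here with a clear
    # message instead of a padding error or garbage plaintext.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($keys.AuthKey)
    $calc = $hmac.ComputeHash($blob, 32, $blob.Length - 32)
    $tag  = [byte[]]($blob[0..31])
    if ([BitConverter]::ToString($calc) -ne [BitConverter]::ToString($tag)) {
        throw 'HMAC mismatch: wrong encryption_key or not a Quasar 1.3 settings blob'
    }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $keys.Key
    $aes.IV  = [byte[]]($blob[32..47])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($blob, 48, $blob.Length - 48)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

function Protect-QuasarString {
    # Inverse routine, used here only to manufacture a blob for the round trip.
    # Real samples ship the strings already encrypted inside the Settings class.
    param([Parameter(Mandatory)][string]$Plain,
          [Parameter(Mandatory)][string]$MasterKey)
    $keys = Get-QuasarKeys -MasterKey $MasterKey
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $keys.Key
    $aes.GenerateIV()
    $pt = [System.Text.Encoding]::UTF8.GetBytes($Plain)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    [byte[]]$body = $aes.IV + $ct
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($keys.AuthKey)
    [byte[]]$out = $hmac.ComputeHash($body) + $body
    [Convert]::ToBase64String($out)
}

# Round trip using the encryption_key and C2 value from the extracted config above.
$masterKey = 'rylGzNSu4oGtwQbffX0U'
$blob = Protect-QuasarString -Plain '83.147.53.145:3700' -MasterKey $masterKey
Unprotect-QuasarString -Base64 $blob -MasterKey $masterKey
```

The round trip returns the C2 string it was given. To use Unprotect-QuasarString on a real client, pull the Base64 literals out of the Settings class of the unpacked .NET payload (the region YARA matched in the PID 3988 dump) and pass each one with the recovered encryption_key; an HMAC mismatch on every string means either the key is wrong or the build uses a different scheme than the one assumed here.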
Signatures

Quasar payload (1 IoC)
  resource: behavioral2/memory/3988-46-0x0000000000400000-0x000000000045E000-memory.dmp
  yara_rule: family_quasar
  The YARA hit is in the memory of PID 3988, the second copy of the loader that PID 3132 targeted with SetThreadContext (below), not in the on-disk sample.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation by 579ebb1309ad953fa0cb52c33b190baa.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation by Client.exe

Executes dropped EXE (2 IoCs)
  PID 216 Client.exe
  PID 1976 Client.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 19: ip-api.com

Suspicious use of SetThreadContext (2 IoCs)
  PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe set thread context of PID 3988 579ebb1309ad953fa0cb52c33b190baa.exe
  PID 216 Client.exe set thread context of PID 1976 Client.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4776 schtasks.exe
  PID 5020 schtasks.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs, grouped by process with hit count)
  PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe (5)
  PID 3964 powershell.exe (3)
  PID 5012 powershell.exe (3)
  PID 216 Client.exe (2)
  PID 4748 powershell.exe (2)
  PID 4624 powershell.exe (2)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege, PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe
  Token: SeDebugPrivilege, PID 5012 powershell.exe
  Token: SeDebugPrivilege, PID 3964 powershell.exe
  Token: SeDebugPrivilege, PID 3988 579ebb1309ad953fa0cb52c33b190baa.exe
  Token: SeDebugPrivilege, PID 216 Client.exe
  Token: SeDebugPrivilege, PID 4748 powershell.exe
  Token: SeDebugPrivilege, PID 4624 powershell.exe
  Token: SeDebugPrivilege, PID 1976 Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1976 Client.exe

Suspicious use of WriteProcessMemory (40 IoCs, grouped by writer -> target with number of writes)
  PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe -> PID 3964 powershell.exe (3)
  PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe -> PID 5012 powershell.exe (3)
  PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe -> PID 4776 schtasks.exe (3)
  PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe -> PID 3212 579ebb1309ad953fa0cb52c33b190baa.exe (3)
  PID 3132 579ebb1309ad953fa0cb52c33b190baa.exe -> PID 3988 579ebb1309ad953fa0cb52c33b190baa.exe (8)
  PID 3988 579ebb1309ad953fa0cb52c33b190baa.exe -> PID 216 Client.exe (3)
  PID 216 Client.exe -> PID 4748 powershell.exe (3)
  PID 216 Client.exe -> PID 4624 powershell.exe (3)
  PID 216 Client.exe -> PID 5020 schtasks.exe (3)
  PID 216 Client.exe -> PID 1976 Client.exe (8)
  Every ordinary child received three writes; the eight writes into PID 3988 and PID 1976 single out the two SetThreadContext targets, consistent with the loader hollowing a fresh copy of itself (and later Client.exe doing the same) to run the Quasar payload.
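The three behaviours above that matter for detection (a Defender exclusion added through PowerShell, a scheduled task registered from an XML file staged in %TEMP%, and a process spawning a second copy of its own image as the SetThreadContext target) are all visible in process-creation telemetry. The PowerShell below is an added example, not part of this report, showing a retrospective hunt over Sysmon Event ID 1; it assumes Sysmon is installed under its default log name and that the EventData field names (Image, CommandLine, ParentImage and so on) follow Sysmon's schema. Run it elevated.

```powershell
# Hunt Sysmon process-creation events for the loader's evasion/persistence pattern.
# Added example; assumes Sysmon's default operational log and EventData field names.
param(
    [string]$LogName = 'Microsoft-Windows-Sysmon/Operational',
    [int]$LookbackHours = 24
)

$filter = @{ LogName = $LogName; Id = 1; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

foreach ($ev in $events) {
    # Read EventData by field name rather than by Properties index; the index
    # order shifts between Sysmon schema versions (ParentUser was added late).
    $fields = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    $cmd    = [string]$fields['CommandLine']
    $image  = [string]$fields['Image']
    $parent = [string]$fields['ParentImage']
    $reason = $null

    # 1. Defender exclusion added from a command line (Add-MpPreference -ExclusionPath ...).
    if ($cmd -match 'Add-MpPreference' -and $cmd -match 'ExclusionPath') {
        $reason = 'Defender exclusion added via PowerShell'
    }
    # 2. schtasks /Create /XML with the task definition sitting in the user's %TEMP%.
    elseif ($image -match '\\schtasks\.exe$' -and $cmd -match '/XML' -and $cmd -match '\\AppData\\Local\\Temp\\') {
        $reason = 'scheduled task created from XML in %TEMP%'
    }
    # 3. Same image as parent, launched from AppData: the shape of the hollowing
    #    target (3132 -> 3988, 216 -> 1976) in the report.
    elseif ($image -and $image -eq $parent -and $image -match '\\AppData\\') {
        $reason = 'self-spawn of same image from AppData (hollowing candidate)'
    }

    if ($reason) {
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Reason    = $reason
            PID       = $fields['ProcessId']
            Image     = $image
            ParentPID = $fields['ParentProcessId']
            Parent    = $parent
            Command   = $cmd
        }
    }
}
```

Save it as a script and pipe the output to Format-Table -AutoSize, or to Export-Csv for a wider sweep. The first two checks are close to zero-noise on workstations where administrators do not script Defender exclusions; the third one will also match legitimate self-relaunching software installed under %LOCALAPPDATA% (chat and collaboration clients are the usual offenders), so pair it with a signer or hash allow-list before alerting on it.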
Processes
(Image paths are under SysWOW64 while the command lines name System32: the loader is 32-bit (resource tag arch:x86, CLR_v4.0_32 usage log below), so WOW64 file-system redirection applies to everything it launches.)

C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe (PID 3132)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3964)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5012)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 4776)
    cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6561.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe (PID 3212)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"
    (no signatures; no further activity recorded for this copy)

  C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe (PID 3988)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 216)
      cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4748)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4624)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe (PID 5020)
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CBD.tmp"
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1976)
        cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

The dropped Client.exe repeats the loader's full sequence (two Defender exclusions, a scheduled task from a temp XML file, then a hollowed copy of itself), so the same artifacts appear twice with different PIDs.
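For an analyst checking whether a live host has been through this chain, the process tree and the extracted config together give a compact set of host artifacts: the two dropped paths, the Defender exclusions, the Updates\YXiUvROAyTyYWN task, the Quasar Run value and mutex, and a TCP connection to the C2. The PowerShell below is an added example, not part of this report, that checks each of them on the local machine; the IOC values are copied from this page, and it assumes the client was installed under the current user's %APPDATA% as in the sandbox (a different user profile or an elevated install would need the paths and HKCU/HKLM choice adjusted). Run it elevated so the Defender and scheduled-task queries succeed.

```powershell
# Live-host check for the artifacts this report recorded. Added example; IOC
# values come from the report, paths assume the same %APPDATA% install location.
$C2Host   = '83.147.53.145'
$C2Port   = 3700
$MutexName = 'QSR_MUTEX_6WQThXDTXhAO4iLfWV'
$RunValue = 'Quasar Client Startup'
$TaskName = 'YXiUvROAyTyYWN'
$TaskPath = '\Updates\'
$DroppedPaths = @(
    "$env:APPDATA\SubDir\Client.exe",
    "$env:APPDATA\YXiUvROAyTyYWN.exe"
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Files dropped by the loader and the Quasar client (install_name under subdirectory).
foreach ($p in $DroppedPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("file present: $p sha256=$h")
    }
}

# 2. Defender exclusions left behind by the Add-MpPreference children.
try {
    foreach ($e in @((Get-MpPreference).ExclusionPath)) {
        if ($e -match '\\AppData\\(Roaming|Local)\\') { $findings.Add("defender exclusion: $e") }
    }
} catch { Write-Warning "Get-MpPreference failed: $($_.Exception.Message)" }

# 3. The scheduled task registered from the XML file in %TEMP%.
$task = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("scheduled task: $TaskPath$TaskName -> $actions")
}

# 4. Quasar's own persistence: a Run value named after startup_key.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $key -Name $RunValue -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("run value: $key\$RunValue = $($v.$RunValue)") }
}

# 5. The client's mutex. OpenExisting throws when nothing holds it; an access-denied
#    result still means some process created it.
try {
    $m = [System.Threading.Mutex]::OpenExisting($MutexName)
    $m.Dispose()
    $findings.Add("mutex held: $MutexName")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
} catch [System.UnauthorizedAccessException] {
    $findings.Add("mutex exists but access denied: $MutexName")
}

# 6. Any TCP connection to the configured C2, with the owning process.
$conns = @(Get-NetTCPConnection -RemoteAddress $C2Host -RemotePort $C2Port -ErrorAction SilentlyContinue)
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("c2 connection: $($c.LocalAddress):$($c.LocalPort) -> ${C2Host}:$C2Port state=$($c.State) pid=$($c.OwningProcess) ($($proc.ProcessName))")
}

if ($findings.Count -eq 0) { 'no artifacts from this report found' } else { $findings }
```

A clean result from this script only says the host does not carry this sample's specific artifacts; the mutex, Run value name and SubDir\Client.exe path are Quasar build defaults that other samples keep, but the task name and the YXiUvROAyTyYWN.exe path are this loader's and will not match a rebuilt one. Treat checks 2 and 3 as the generic ones worth keeping in a baseline sweep.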
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\579ebb1309ad953fa0cb52c33b190baa.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

(path not recorded)
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

(path not recorded)
  Filesize: 18KB
  MD5: cd48552ac250ebfe93447bc75ccfe442
  SHA1: 03b5823247ec794a61580a8115ee74fec241f28f
  SHA256: c0281e0db8d67007e1e51e94a391c2f7a3f746e94ef2646a05d0160bf9196fbc
  SHA512: a57d0f1b26d53ce67ad6fdcd683b8f2e4d4e1abfd455a33f765d1a18af77f0d47b1af37b8405e2d5b9658b706984587ded79e94172178f8fe279b0d9cdfe4295

(path not recorded)
  Filesize: 18KB
  MD5: a8dc1f6fa23f660eab56064627925ae5
  SHA1: 1f68e86745fe006912ac9a76ec10bfd251dcccc9
  SHA256: e8354eb3d3ca747f53a7ed832fa4a7810413a93c379c25d6b4ddf9aeb6cafe87
  SHA512: ef049cbce2294b4cdab535245e7f9ec1d4e69b04736e9197bfeeb6179b13653bbf32bed29b1f2c3a9dc12e708e6b6041a60d4f3d41e5dc62d667bf6dd4eb1559

(path not recorded)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(path not recorded)
  Filesize: 1KB
  MD5: 03ed54d29052e596b4598f41cacbe969
  SHA1: 0cf8a0e23862e6905ba6d71c82748846d267a9b4
  SHA256: fefdc4e55a41f64c28ce0f2a206d7967130198dabc2066abe042cf52f17b5637
  SHA512: a04892a880d2cf3a805065e2857f8fbf3af1dd8a9f06ac5d247193c24953420de24bab1f24ef23516ca7ae9646cc8441f7522cb1a2b8575891a554fd420d29c2

(path not recorded; hashes identical to the submitted sample, so a byte-for-byte copy of the loader)
  Filesize: 786KB
  MD5: 579ebb1309ad953fa0cb52c33b190baa
  SHA1: 70ccb8c950d96a7e6c32d09c307227f271a627ba
  SHA256: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
  SHA512: 2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4