Analysis
max time kernel: 134s
max time network: 145s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 17-04-2024 14:02
Behavioral task: behavioral1
Sample: 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
Resource: win7-20240220-en
General
Target: 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
Size: 348KB
MD5: 9a9ad4c7726dc162e42865008d035a67
SHA1: 4e96beb34472edb52f04d7afbd77199799b3a134
SHA256: 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d
SHA512: 6bae0b5d7aa9c748c5fecd2f33443237f49dec10d2d231ec93ca25bd2fdf7737eb0fb5d65d79b4f16ba30e6fff8e4f2d843ed845fa383f5690815b7d36da786e
SSDEEP: 6144:7zNHXf500MpquFq1tnNAjbRDOJX+clr249YSkhp40GRzgSOS:fd50Snu54E46S90GRzXOS
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Tag: Office04
C2: qutz.duckdns.org:4782
Mutex: QSR_MUTEX_8k92xB7YX3G5daUSZO
encryption_key: byj4ViyvvQaDXMdNekxD
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
Processes:
resource                                                                     yara_rule
behavioral1/memory/1992-0-0x00000000010F0000-0x000000000114E000-memory.dmp   family_quasar
behavioral1/memory/2464-13-0x0000000000110000-0x000000000016E000-memory.dmp  family_quasar
behavioral1/memory/2344-26-0x0000000000AA0000-0x0000000000AFE000-memory.dmp  family_quasar

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
2     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  1992  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
Token: SeDebugPrivilege  2464  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
Token: SeDebugPrivilege  2344  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
description                        pid   process                                                                 target process
PID 1992 wrote to memory of 2532   1992  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 1992 wrote to memory of 2532   1992  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 1992 wrote to memory of 2532   1992  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 1992 wrote to memory of 2532   1992  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 2532 wrote to memory of 2636   2532  cmd.exe                                                                 chcp.com
PID 2532 wrote to memory of 2636   2532  cmd.exe                                                                 chcp.com
PID 2532 wrote to memory of 2636   2532  cmd.exe                                                                 chcp.com
PID 2532 wrote to memory of 2636   2532  cmd.exe                                                                 chcp.com
PID 2532 wrote to memory of 2724   2532  cmd.exe                                                                 PING.EXE
PID 2532 wrote to memory of 2724   2532  cmd.exe                                                                 PING.EXE
PID 2532 wrote to memory of 2724   2532  cmd.exe                                                                 PING.EXE
PID 2532 wrote to memory of 2724   2532  cmd.exe                                                                 PING.EXE
PID 2532 wrote to memory of 2464   2532  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
PID 2532 wrote to memory of 2464   2532  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
PID 2532 wrote to memory of 2464   2532  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
PID 2532 wrote to memory of 2464   2532  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
PID 2464 wrote to memory of 1276   2464  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 2464 wrote to memory of 1276   2464  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 2464 wrote to memory of 1276   2464  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 2464 wrote to memory of 1276   2464  38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe  cmd.exe
PID 1276 wrote to memory of 860    1276  cmd.exe                                                                 chcp.com
PID 1276 wrote to memory of 860    1276  cmd.exe                                                                 chcp.com
PID 1276 wrote to memory of 860    1276  cmd.exe                                                                 chcp.com
PID 1276 wrote to memory of 860    1276  cmd.exe                                                                 chcp.com
PID 1276 wrote to memory of 1368   1276  cmd.exe                                                                 PING.EXE
PID 1276 wrote to memory of 1368   1276  cmd.exe                                                                 PING.EXE
PID 1276 wrote to memory of 1368   1276  cmd.exe                                                                 PING.EXE
PID 1276 wrote to memory of 1368   1276  cmd.exe                                                                 PING.EXE
PID 1276 wrote to memory of 2344   1276  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
PID 1276 wrote to memory of 2344   1276  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
PID 1276 wrote to memory of 2344   1276  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
PID 1276 wrote to memory of 2344   1276  cmd.exe                                                                 38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe"
    PID: 1992
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\h0w1scQY7aTl.bat" "
      PID: 2532
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\chcp.com
        command line: chcp 65001
        PID: 2636
    (depth 3) C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 10 localhost
        PID: 2724
        - Runs ping.exe
    (depth 3) C:\Users\Admin\AppData\Local\Temp\38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe"
        PID: 2464
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMySqBG8buAo.bat" "
          PID: 1276
          - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
            PID: 860
        (depth 5) C:\Windows\SysWOW64\PING.EXE
            command line: ping -n 10 localhost
            PID: 1368
            - Runs ping.exe
        (depth 5) C:\Users\Admin\AppData\Local\Temp\38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\38632595e5ebb1ec4ed87327df02ffaf844e49559c2e881cb801f6c1e5026b7d.exe"
            PID: 2344
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 261B
MD5: 8c12c473599ecf4ae0ed801922ef8f7c
SHA1: 31d410edc8608793dda7ad46190bcad427241864
SHA256: ceeabc3148454d850c43e4bbdee4d9b982673e8bdc9563f42d37fadca72f24bf
SHA512: 067b6ddd74614ef032788e776dd4f7b264c71283d012181d38a0883976b224135521f8b51bdcf1b86cab1f059f608ce33a80f9f206eb10881e93cea2beb63045

File 2
Filesize: 261B
MD5: fde2584ff84009e9031c936c766749eb
SHA1: b53a0846e87e45c7078683abc959acc95556cb28
SHA256: 51f224906be4df96d0689cd24ec126d7ad40e4186bdb478591207095388333a1
SHA512: a419100bf95288fe029a4875022be294cd8785f9f485a9c201757111765cd5f4b061623c2ede161b28c27aa937ee271faa7eab4370b94f35d5296a28042eaf26