General
Target: Update.exe
Size: 409KB
Sample: 240421-vfqvfafh6v
MD5: ed68b64af85a06a4d3edfb0eedbd5a00
SHA1: 668dbc4990b0a1cdd2f0c254f41b539e9b69afc1
SHA256: 347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184
SHA512: 7555b7ff4534f0549f35f14b47f8a75509801e4c87e3740aaae20cf6c291b1e17e8a4f833e05d73e2a39471e93a63b75d5513e999850a840ac58a38d656990be
SSDEEP: 6144:nrBdTMOznI2U/rgSuXfh+8sopVpkG9YiLLLKItKbFrJCBzzFd3MI:oynI2UeXfh+X+5YiPLKItwyRd3MI
Behavioral task: behavioral1
Sample: Update.exe
Resource: win10-20240404-en
Malware Config (extracted from the sample)
Family: quasar
Version: 3.1.5
Botnet: SLAVE
C2: 147.185.221.19:33587
Mutex: $Sxr-GdUyI5k46zQj7thBLl
encryption_key: y0X14czHxU2CjCZoALAD
install_name: BiosUpdX64.exe
log_directory: $sxr
reconnect_delay: 3000 (ms)
startup_key: $sxr-metsha (name of the autostart registry value)
subdirectory: Windows (install subfolder that receives install_name)
Targets
Target: Update.exe (409KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Modifies Installed Components in the registry
Executes dropped EXE
Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
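The report above gives everything needed to hunt for this sample on an endpoint: the file hashes, the C2 endpoint, the install_name and the startup_key that Quasar writes as an autostart Run value. The following matcher is an added example, not part of the sandbox report or of Quasar itself; it runs those indicators over a few constructed Sysmon-style events (tab-separated key=value fields, a simplification of a real Sysmon export). The AppData\Roaming install path in the sample events is an assumption; the report only states the "Windows" subdirectory and the BiosUpdX64.exe file name.

```python
"""IOC matcher built from the Quasar report fields above.

Added example, not part of the sandbox report. The sample events below are
constructed; the AppData\\Roaming path is assumed and not stated in the report.
"""
from typing import Dict, List

# Indicators copied from the report fields above.
IOCS = {
    "md5": "ed68b64af85a06a4d3edfb0eedbd5a00",
    "sha256": "347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184",
    "c2": ("147.185.221.19", 33587),      # C2 host:port from the config
    "install_name": "BiosUpdX64.exe",     # install_name from the config
    "startup_key": "$sxr-metsha",         # Run value name from the config
}

# Constructed sample events (not from the report). Fields are tab-separated.
SAMPLE_LOG = "\n".join([
    "\t".join([
        "EventID=1",                                     # process create
        r"Image=C:\Users\victim\Downloads\Update.exe",
        "Hashes=MD5=ed68b64af85a06a4d3edfb0eedbd5a00,"
        "SHA256=347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184",
    ]),
    "\t".join([
        "EventID=3",                                     # network connect
        r"Image=C:\Users\victim\AppData\Roaming\Windows\BiosUpdX64.exe",  # assumed path
        "DestinationIp=147.185.221.19",
        "DestinationPort=33587",
    ]),
    "\t".join([
        "EventID=13",                                    # registry value set
        r"Image=C:\Users\victim\AppData\Roaming\Windows\BiosUpdX64.exe",  # assumed path
        r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\$sxr-metsha",
    ]),
    "\t".join([
        "EventID=3",                                     # benign traffic, must not match
        r"Image=C:\Program Files\Mozilla Firefox\firefox.exe",
        "DestinationIp=93.184.216.34",
        "DestinationPort=443",
    ]),
])


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated key=value line into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("\t") if "=" in field)


def parse_hashes(value: str) -> Dict[str, str]:
    """Turn the Sysmon 'MD5=..,SHA256=..' field into {'md5': .., 'sha256': ..}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.lower()] = digest.lower()
    return out


def match_iocs(log: str) -> List[Dict[str, str]]:
    """Return one hit per (rule, event) for every event that matches an indicator."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev.get("Image", "")
        eid = ev.get("EventID")
        if eid == "1":
            hashes = parse_hashes(ev.get("Hashes", ""))
            for algo in ("sha256", "md5"):          # strongest hash first, one hit per event
                if hashes.get(algo) == IOCS[algo]:
                    hits.append({"rule": f"quasar-{algo}", "image": image})
                    break
        elif eid == "3":
            dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", "0")))
            if dest == IOCS["c2"]:
                hits.append({"rule": "quasar-c2", "image": image})
        elif eid == "13":
            key, _, value_name = ev.get("TargetObject", "").rpartition("\\")
            # startup_key is the value name under ...\CurrentVersion\Run (T1547.001)
            if key.lower().endswith(r"\currentversion\run") and value_name == IOCS["startup_key"]:
                hits.append({"rule": "quasar-run-key", "image": image})
        # install_name is checked on every event type, independent of the install path
        if image.rpartition("\\")[2].lower() == IOCS["install_name"].lower():
            hits.append({"rule": "quasar-install-name", "image": image})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(f'{hit["rule"]:22} {hit["image"]}')
```

The file-name and Run-value checks are deliberately independent of the install path, because the report does not fix the base folder; the C2 check keys on the exact host:port pair so that unrelated traffic to the same hosting provider is not flagged.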