Overview

Task scores (score shown per tab; 10 is the maximum)
- Overview: 10
- Static: 3
- Chaos_V3_2...o).exe, windows7-x64: 1
- Chaos_V3_2...o).exe, windows10-2004-x64: 1
- Chaos_V3_2...V3.exe, windows7-x64: 10
- Chaos_V3_2...V3.exe, windows10-2004-x64: 10
- Chaos_V3_2...er.exe, windows7-x64: 1
- Chaos_V3_2...er.exe, windows10-2004-x64: 1
- Chaos_V3_2...nd.exe, windows7-x64: 1
- Chaos_V3_2...nd.exe, windows10-2004-x64: 1

Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25/04/2024, 21:38
Tasks
- static1 (static task)
- behavioral1: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Anti-Crash (Anti-Crash method by 13ooeo).exe, resource win7-20240221-en
- behavioral2: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Anti-Crash (Anti-Crash method by 13ooeo).exe, resource win10v2004-20240412-en
- behavioral3: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe, resource win7-20240221-en
- behavioral4: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe, resource win10v2004-20240412-en
- behavioral5: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/fpsunlocker.exe, resource win7-20231129-en
- behavioral6: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/fpsunlocker.exe, resource win10v2004-20240412-en
- behavioral7: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/pssuspend.exe, resource win7-20240221-en
- behavioral8: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/pssuspend.exe, resource win10v2004-20240412-en

The sections below are the behavioral3 report (Chaos Launcher V3.exe on win7-20240221-en).
General
- Target: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe
- Size: 37.8MB
- MD5: 719fd2b752f99f9ad1da3e2f439ec717
- SHA1: 900a578b55324712b3fc2edc8b44c6f336932849
- SHA256: a12504ad741383782b4e0ef4cc808903195484080f5770966aceb1d117b09697
- SHA512: b1822f059810e50a072fcd871e81b2c5d83eaf343f7322384ad34013bed3f4d6a98ed6d37c1840dfc03a925eb334981911b86de534903a941346fcac3b820601
- SSDEEP: 786432:SulzfQX0ZlAime/FtbB9lNdnl8/A539IyPA:bQXknme/FhB9PtgA539IyPA
Malware Config

Extracted family: quasar
- version: 1.4.1
- Office04 (unlabelled in the extract; this is the Quasar builder's default tag value)
- c2: 192.168.0.78:4782
- 4616ad00-4709-44bd-a2b4-9a61d621574d (unlabelled in the extract; GUID-form value as used for the Quasar client mutex)
- encryption_key: DDE23047BCC4F649ACA444E89F2DBB5D52A3004D
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir

Note that 192.168.0.78 is an RFC 1918 address: as built, this client can only reach a controller on the same private network as the victim, which is consistent with a test build or a LAN-only operator rather than an internet-facing C2. The install_name, subdirectory and startup_key values together give the on-disk artefact (%APPDATA%\SubDir\Client.exe) and the scheduled-task name seen in the process tree below.
Signatures

Quasar payload (3 IoCs)
  yara rule family_quasar:
  - behavioral3/files/0x000500000001c83f-132.dat
  - behavioral3/memory/2644-170-0x00000000002A0000-0x00000000005C4000-memory.dmp
  - behavioral3/memory/692-289-0x00000000010E0000-0x0000000001404000-memory.dmp

Executes dropped EXE (8 IoCs)
  pid / process:
  - 1636 Chaos Launcher V3.exe
  - 2920 Loader.exe
  - 832 Loader.exe
  - 1464 main.exe
  - 2644 ChaosUPD.exe
  - 1352 main.exe
  - 1200 Process not Found
  - 692 Client.exe

Loads dropped DLL (8 IoCs)
  pid / process:
  - 2776 Chaos Launcher V3.exe (2 entries)
  - 2920 Loader.exe
  - 832 Loader.exe
  - 1464 main.exe
  - 1352 main.exe
  - 1200 Process not Found (2 entries)

UPX-packed files (4 IoCs; signature title not captured, matches are on yara rule upx)
  - behavioral3/files/0x000500000001a459-126.dat
  - behavioral3/memory/832-140-0x000007FEF2860000-0x000007FEF2CCE000-memory.dmp
  - behavioral3/files/0x000400000001cc33-275.dat
  - behavioral3/memory/1352-278-0x000007FEEDDA0000-0x000007FEEE20E000-memory.dmp

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 4: ip-api.com

Detects Pyinstaller (2 IoCs)
  yara rule pyinstaller:
  - behavioral3/files/0x0009000000015c23-12.dat
  - behavioral3/files/0x000500000001a453-96.dat

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - 2880 schtasks.exe
  - 1588 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - 2832 powershell.exe
  - 2680 powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege
  - 1636 Chaos Launcher V3.exe (2 entries)
  - 2644 ChaosUPD.exe
  - 692 Client.exe
  - 2832 powershell.exe
  - 2680 powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  - 692 Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
  - 692 Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  - 692 Client.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  Every parent-to-child write is logged three times; the 11 distinct pairs are listed once each as writer pid / process -> target pid (procid_target):
  - 2776 Chaos Launcher V3.exe -> 1636 (28)
  - 2776 Chaos Launcher V3.exe -> 2920 (29)
  - 2920 Loader.exe -> 832 (31)
  - 2776 Chaos Launcher V3.exe -> 1464 (30)
  - 2776 Chaos Launcher V3.exe -> 2644 (32)
  - 1464 main.exe -> 1352 (33)
  - 2644 ChaosUPD.exe -> 2880 (35)
  - 2644 ChaosUPD.exe -> 692 (37)
  - 1636 Chaos Launcher V3.exe -> 2832 (38)
  - 692 Client.exe -> 1588 (40)
  - 1636 Chaos Launcher V3.exe -> 2680 (42)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Tree depth in brackets; each entry gives the image path, the command line and the signatures attributed to that process.

[1] PID 2776  C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe"
    sig: Loads dropped DLL; Suspicious use of WriteProcessMemory

  [2] PID 1636  C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe"
      sig: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] PID 2832  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe'
        sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] PID 2680  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chaos Launcher V3.exe'
        sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  [2] PID 2920  C:\Users\Admin\AppData\Local\Temp\Loader.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      sig: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    [3] PID 832  C:\Users\Admin\AppData\Local\Temp\Loader.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        sig: Executes dropped EXE; Loads dropped DLL

  [2] PID 1464  C:\Users\Admin\AppData\Local\Temp\main.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\main.exe"
      sig: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    [3] PID 1352  C:\Users\Admin\AppData\Local\Temp\main.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\main.exe"
        sig: Executes dropped EXE; Loads dropped DLL

  [2] PID 2644  C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe"
      sig: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] PID 2880  C:\Windows\system32\schtasks.exe
        cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        sig: Creates scheduled task(s)

    [3] PID 692  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        sig: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      [4] PID 1588  C:\Windows\system32\schtasks.exe
          cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          sig: Creates scheduled task(s)

Read top-down, the tree shows the launcher dropping a copy of itself that adds two Microsoft Defender exclusions (path and process name) via PowerShell, two PyInstaller-style payloads (Loader.exe and main.exe, each re-executing its own image), and ChaosUPD.exe, which installs the Quasar client to %APPDATA%\SubDir\Client.exe and registers the "Quasar Client Startup" logon task at the HIGHEST run level; the installed client then re-registers the same task itself.
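The process tree and the WriteProcessMemory pairs above are the data a detection engineer would turn into rules. The following is an added example, not code from the sandbox report or from the sample's author: it rebuilds the tree from process-creation events and applies three behavioural checks that this report motivates (Defender exclusions added through PowerShell, a logon scheduled task at HIGHEST run level pointing into AppData, and a process re-executing its own image, the PyInstaller one-file bootstrap pattern). The EVENTS list is constructed by hand from the report's Processes section; the ATT&CK technique IDs are this example's own mapping, since the report's ATT&CK section was not captured.

```python
"""Rebuild a sandbox process tree from process-creation events and flag the
defence-evasion and persistence steps this report shows.

Added example, not code from the sandbox report or the sample's author.
EVENTS is constructed by hand from the report (pid, parent pid, command line);
the ATT&CK IDs are this example's own mapping (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
TASK = (r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
        r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')

# Constructed from the report's process tree: (pid, parent pid, command line).
EVENTS = [
    (2776, None, r'"C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe"'),
    (1636, 2776, r'"C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe"'),
    (2832, 1636, PS + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
                 r"'C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe'"),
    (2680, 1636, PS + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chaos Launcher V3.exe'"),
    (2920, 2776, r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"'),
    (832, 2920, r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"'),
    (1464, 2776, r'"C:\Users\Admin\AppData\Local\Temp\main.exe"'),
    (1352, 1464, r'"C:\Users\Admin\AppData\Local\Temp\main.exe"'),
    (2644, 2776, r'"C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe"'),
    (2880, 2644, TASK),
    (692, 2644, r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    (1588, 692, TASK),
]


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    cmdline: str
    children: list = field(default_factory=list)

    @property
    def image(self) -> str:
        # First token of the command line (quoted or bare), quotes stripped.
        m = re.match(r'"([^"]*)"|(\S+)', self.cmdline)
        return (m.group(1) or m.group(2)).strip('"')

    @property
    def name(self) -> str:
        # Basename without ".exe", so "schtasks" and "schtasks.exe" compare equal.
        n = self.image.rsplit("\\", 1)[-1].lower()
        return n[:-4] if n.endswith(".exe") else n


def build_tree(events):
    procs = {pid: Proc(pid, ppid, cmd) for pid, ppid, cmd in events}
    for p in procs.values():
        if p.parent in procs:
            procs[p.parent].children.append(p)
    return procs


def ancestry(procs, pid):
    """PIDs from the root process down to pid, inclusive."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid].parent
    return chain[::-1]


def findings(procs):
    """Apply the behavioural rules; every hit carries its full parent chain."""
    hits = []
    for p in procs.values():
        low = p.cmdline.lower()
        parent = procs.get(p.parent)
        if p.name == "powershell" and "add-mppreference" in low and "-exclusion" in low:
            m = re.search(r"(-exclusion\w+)\s+'([^']+)'", p.cmdline, re.I)
            hits.append(dict(pid=p.pid, rule="defender_exclusion", technique="T1562.001",
                             detail=f"{m.group(1)} {m.group(2)}" if m else p.cmdline))
        if p.name == "schtasks" and "/create" in low and "/sc onlogon" in low:
            tn = re.search(r'/tn\s+"([^"]+)"', p.cmdline, re.I)
            tr = re.search(r'/tr\s+"([^"]+)"', p.cmdline, re.I)
            target = tr.group(1) if tr else ""
            hits.append(dict(pid=p.pid, technique="T1053.005",
                             rule="logon_task_highest" if "/rl highest" in low else "logon_task",
                             detail=f"{tn.group(1) if tn else '?'} -> {target}",
                             # Payload under a user-writable profile directory.
                             user_writable="\\appdata\\" in target.lower()))
        if parent is not None and parent.image.lower() == p.image.lower():
            # Same image re-executed by itself: PyInstaller one-file bootstrap pattern.
            hits.append(dict(pid=p.pid, rule="same_image_self_spawn", technique=None, detail=p.name))
    for h in hits:
        h["chain"] = ancestry(procs, h["pid"])
    return hits


def assess_c2(hostport):
    """Classify the extracted C2 endpoint by address scope (RFC 1918 or routable)."""
    host, port = hostport.rsplit(":", 1)
    return {"host": host, "port": int(port), "private": ipaddress.ip_address(host).is_private}


def render(procs, pid=None, depth=0):
    """Indented one-line-per-process tree."""
    roots = [procs[pid]] if pid is not None else [p for p in procs.values() if p.parent not in procs]
    lines = []
    for p in roots:
        lines.append("  " * depth + f"[{p.pid}] {p.cmdline}")
        for c in p.children:
            lines.extend(render(procs, c.pid, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print("\n".join(render(tree)))
    for h in findings(tree):
        print(h["rule"], h["pid"], h.get("technique"), h["detail"], "chain:", h["chain"])
    print(assess_c2("192.168.0.78:4782"))
```

On this input the Defender-exclusion rule fires on PIDs 2832 and 2680, the logon-task rule on 2880 and 1588 (both at HIGHEST with a target under AppData\Roaming), and the self-spawn rule on 832 and 1352 only: the launcher's child 1636 has the same file name but a different path, which is why the rule compares full image paths rather than basenames. The same three checks translate directly into EDR or Sysmon Event ID 1 queries on ParentImage, Image and CommandLine.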
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize 265KB
  MD5 5cc694e159b34a66c68512e333772427
  SHA1 56a1167290c880b7c581e4ffe904865d443dd6b3
  SHA256 1eaa491f5252f5e36c3e6f4955e42ce738f2ac11ab476efb4b9cbbf62982740e
  SHA512 efe956122aa35c481422c3b0d33afa3ca5e6faecb5aa7e771320070d43c07fed141038754ca025ed703c066f8a5782330b82b263bca2afaa0f549c444a1ab87d

- Filesize 3.1MB
  MD5 cf19f3097c3605dcb9fe14283b318622
  SHA1 2300f90815b44685ea480622cdce31b82c0d429e
  SHA256 b7438077689006b12262914245e04bc67e7c4cbacda3aa99f100a894d33fd43a
  SHA512 12a9c62e0bf5ebeaa1f104979cf1a3477b4e0b455ff2cf413cdc43589f91c3bcccc1a3b54cd7cf463ff9aff481a870425c7b2e3738be27187a7cb71b38f0ef69

- Filesize 4B
  MD5 365c9bfeb7d89244f2ce01c1de44cb85
  SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
  SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
  SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

- Filesize 1.4MB
  MD5 69d4f13fbaeee9b551c2d9a4a94d4458
  SHA1 69540d8dfc0ee299a7ff6585018c7db0662aa629
  SHA256 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
  SHA512 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

- Filesize 1.4MB
  MD5 bbcb74867bd3f8a691b1f0a394336908
  SHA1 aea4b231b9f09bedcd5ce02e1962911edd4b35ad
  SHA256 800b5e9a08c3a0f95a2c6f4a3355df8bbbc416e716f95bd6d42b6f0d6fb92f41
  SHA512 00745ddd468504b3652bdda757d42ebe756e419d6432ceb029ed3ccde3b99c8ae21b4fc004938bb0babaa169768db385374b29ac121608c5630047e55c40f481

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize 7KB
  MD5 ed9165339304a4f8aad66c8d940a4ac4
  SHA1 4cf4b6177d91a53829fe94818cecf4f790ed1477
  SHA256 777a174053f7845104e5ca94c7b2a8a6aaa878fa0b3210bc4cd43877f51f24eb
  SHA512 a7b15332330a6a62c042293b508bdaeef2c22287de9e40ae99013690d347931f11b180065975fcab02a1aff493eee02646728e76c4d46755566458d790d80c07

- Filesize 16.1MB
  MD5 137c2a6610b55f77004ff0bb52bb12e2
  SHA1 202e8bce20e5b2b0341f5cc2c8767881717b7022
  SHA256 0cb19bda3eafb8edae3d7902e8af0bf2a7896c225669c338565423f63558d841
  SHA512 75fa9eb00ba2f8d49c606e9d508c0ec5e6d372edc31d56736a0a60e24454643e16709f0da915f066aaf42ea6d78163ff923ff5449d3e7549f44b7cf8dc1a83df

- Filesize 20.7MB
  MD5 c6d3097d7f4377fdb93ed93e8453bb5c
  SHA1 da30212e78d079ded3d68711ef8e1367958406c1
  SHA256 ef5a50b9159ab00cee86e16962495beaf7f0c60f5464e8b7786abc5edeec3b2e
  SHA512 903dc8441e1373862a24a7f55ceeb2b7d1ea71b098fff07e2b51218dbabae743cc71f1865fccdac49668ac913e384196476b4c294b8d267b33fd05f98caad604