Analysis
-
max time kernel
118s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 01:39
Behavioral task
behavioral1
Sample
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
Resource
win7-20231129-en
General
-
Target
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
-
Size
916KB
-
MD5
fb57053d7202dbaca1e71a649047597f
-
SHA1
b5c39ce77aa7c9a0f5f044eb887fb4baec3ce0db
-
SHA256
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87
-
SHA512
fe4f64695c0121180b2a0829f82cee6de42170d17b34125f1ac0741580e58c1c282ea1bc5d1a0c8a3ae597f3e2dc014c8980416a2bfdcf30db98df984cf1ab43
-
SSDEEP
24576:tmkdueXjq0OQKc2YSEegpQRDLusJLK1lkyoLP:IkdueXjq0OQKc2YSEegpshk1lk
Malware Config
Extracted
quasar
2.8.0.1
backup
45.40.96.164:5552
4zqoNUTZKMvnLHkoUD
-
encryption_key
S2EJJjFXQqrAnFg7XBWE
-
install_name
Registry.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Hotels Client Startup
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp family_quasar -
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD -
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects executables containing URLs to raw contents of a Github gist 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL -
Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM -
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender -
Detects file containing reversed ASEP Autorun registry keys 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse -
detects Windows exceutables potentially bypassing UAC using eventvwr.exe 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exedescription pid process Token: SeDebugPrivilege 2060 a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe