Analysis
-
max time kernel
142s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-06-2024 01:39
Behavioral task
behavioral1
Sample
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
Resource
win7-20231129-en
General
-
Target
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
-
Size
916KB
-
MD5
fb57053d7202dbaca1e71a649047597f
-
SHA1
b5c39ce77aa7c9a0f5f044eb887fb4baec3ce0db
-
SHA256
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87
-
SHA512
fe4f64695c0121180b2a0829f82cee6de42170d17b34125f1ac0741580e58c1c282ea1bc5d1a0c8a3ae597f3e2dc014c8980416a2bfdcf30db98df984cf1ab43
-
SSDEEP
24576:tmkdueXjq0OQKc2YSEegpQRDLusJLK1lkyoLP:IkdueXjq0OQKc2YSEegpshk1lk
Malware Config
Extracted
quasar
2.8.0.1
backup
45.40.96.164:5552
4zqoNUTZKMvnLHkoUD
-
encryption_key
S2EJJjFXQqrAnFg7XBWE
-
install_name
Registry.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Hotels Client Startup
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp family_quasar -
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD -
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects executables containing URLs to raw contents of a Github gist 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL -
Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM -
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender -
Detects file containing reversed ASEP Autorun registry keys 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse -
detects Windows exceutables potentially bypassing UAC using eventvwr.exe 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exedescription pid process Token: SeDebugPrivilege 4820 a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe"C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:81⤵PID:4508