Analysis
-
max time kernel
118s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 01:51
Behavioral task
behavioral1
Sample
e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe
Resource
win7-20240220-en
General
-
Target
e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe
-
Size
916KB
-
MD5
6784aa946d316985ed1b8698ad2b9831
-
SHA1
7a292430ad4c64a575ada8900d99e8fbe33f5785
-
SHA256
e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0
-
SHA512
53ed9d033600d7cd0d60dedecad4d7fdae2f202982fb9ea6084cd7e2602df3b285bdc688b9acdd52f6bd6114e77945748bb4d73883063f79d8db92031a70fd48
-
SSDEEP
24576:tmkdueXjq0OQKc2YSEegpQRDLusJLK1lk2oLP:IkdueXjq0OQKc2YSEegpshk1lk
Malware Config
Extracted
quasar
2.8.0.1
Hotels
45.40.96.164:5552
4zqoNUTZKMvnLHkoUD
-
encryption_key
DrELkLp18Pk08e6KWRUc
-
install_name
Registry.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Hotels Client Startup
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp family_quasar -
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD -
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects executables containing URLs to raw contents of a Github gist 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL -
Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM -
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender -
Detects file containing reversed ASEP Autorun registry keys 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse -
detects Windows exceutables potentially bypassing UAC using eventvwr.exe 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exedescription pid process Token: SeDebugPrivilege 2908 e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe