Overview

Tab | Score | Platform
--- | --- | ---
Static | 10 | -
Guna.UI2.dll | 10 | windows10-2004-x64
Mono.Cecil.dll | 1 | windows10-2004-x64
Mono.Nat.dll | 1 | windows10-2004-x64
Octokit.dll | 1 | windows10-2004-x64
SeroXen.exe | 1 | windows10-2004-x64
Siticone.D...UI.dll | 1 | windows10-2004-x64
Vestris.Re...ib.dll | 1 | windows10-2004-x64
client.exe | 10 | windows10-2004-x64
Analysis

- max time kernel: 52s
- max time network: 36s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-09-2024 00:20
Behavioral tasks

Task | Sample | Resource
--- | --- | ---
behavioral1 | Guna.UI2.dll | win10v2004-20240802-en
behavioral2 | Mono.Cecil.dll | win10v2004-20240802-en
behavioral3 | Mono.Nat.dll | win10v2004-20240802-en
behavioral4 | Octokit.dll | win10v2004-20240802-en
behavioral5 | SeroXen.exe | win10v2004-20240802-en
behavioral6 | Siticone.Desktop.UI.dll | win10v2004-20240802-en
behavioral7 | Vestris.ResourceLib.dll | win10v2004-20240802-en
General

- Target: client.exe
- Size: 292KB
- MD5: c5cb7f04d3461efa49da4ba79b0295f3
- SHA1: 82441798da42d6b8138ba2e0488aa981886c5248
- SHA256: b158f718405a2df94ad3aac1b4d695ed2e990d90d4537fc621c8a31d19a6052b
- SHA512: 91c7376c047a2d8e8da1069f708cb8b45b9624993a6a4cb80e28b91ab1180df965c49bc180915a9facd8c45f7170cb674f158c6bba66fbe247bb68572ecea5a8
- SSDEEP: 6144:BTjJFBhD3ackfL0a576r3dwO4LAkbDFfrAaYoutpz:BhJ6wr3d34MaYzV
Malware Config

Extracted family: quasar

- reconnect_delay: 5000
Signatures

Quasar payload (1 IoC)

resource | yara_rule
--- | ---
behavioral8/memory/728-1-0x0000000000160000-0x00000000001B0000-memory.dmp | family_quasar

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
--- | --- | ---
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | client.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 24 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
--- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 6 IoCs)
Adversaries may check for Internet connectivity on compromised systems.

pid | Process
--- | ---
2324 | PING.EXE
3700 | PING.EXE
2624 | PING.EXE
4448 | PING.EXE
4892 | PING.EXE
4416 | PING.EXE

Runs ping.exe (1 TTP, 6 IoCs)

pid | Process
--- | ---
4448 | PING.EXE
4892 | PING.EXE
4416 | PING.EXE
2324 | PING.EXE
3700 | PING.EXE
2624 | PING.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
Each event below is recorded in the report once per occurrence; the occurrences column gives how many times the identical row appears.

description | pid | Process | procid_target | occurrences
--- | --- | --- | --- | ---
PID 728 wrote to memory of 4240 | 728 | client.exe | 86 | 3
PID 4240 wrote to memory of 2952 | 4240 | cmd.exe | 88 | 3
PID 4240 wrote to memory of 4448 | 4240 | cmd.exe | 89 | 3
PID 4240 wrote to memory of 4968 | 4240 | cmd.exe | 97 | 3
PID 4968 wrote to memory of 2828 | 4968 | client.exe | 98 | 3
PID 2828 wrote to memory of 4592 | 2828 | cmd.exe | 100 | 3
PID 2828 wrote to memory of 4892 | 2828 | cmd.exe | 101 | 3
PID 2828 wrote to memory of 4052 | 2828 | cmd.exe | 102 | 3
PID 4052 wrote to memory of 4132 | 4052 | client.exe | 103 | 3
PID 4132 wrote to memory of 1764 | 4132 | cmd.exe | 105 | 3
PID 4132 wrote to memory of 4416 | 4132 | cmd.exe | 106 | 3
PID 4132 wrote to memory of 948 | 4132 | cmd.exe | 108 | 3
PID 948 wrote to memory of 4340 | 948 | client.exe | 109 | 3
PID 4340 wrote to memory of 4248 | 4340 | cmd.exe | 111 | 3
PID 4340 wrote to memory of 2324 | 4340 | cmd.exe | 112 | 3
PID 4340 wrote to memory of 5028 | 4340 | cmd.exe | 114 | 3
PID 5028 wrote to memory of 3492 | 5028 | client.exe | 115 | 3
PID 3492 wrote to memory of 2448 | 3492 | cmd.exe | 117 | 3
PID 3492 wrote to memory of 3700 | 3492 | cmd.exe | 118 | 3
PID 3492 wrote to memory of 4288 | 3492 | cmd.exe | 119 | 3
PID 4288 wrote to memory of 2252 | 4288 | client.exe | 120 | 3
PID 2252 wrote to memory of 3424 | 2252 | cmd.exe | 122 | 1
Processes

Process tree as recorded by the sandbox; depth is the nesting level in the tree (1 = the submitted sample), and each child is launched by the nearest process above it with depth one less.

Depth | Image path | Command line | PID | Signatures
--- | --- | --- | --- | ---
1 | C:\Users\Admin\AppData\Local\Temp\client.exe | "C:\Users\Admin\AppData\Local\Temp\client.exe" | 728 | Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2qAba1OyJSVU.bat" " | 4240 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\chcp.com | chcp 65001 | 2952 | System Location Discovery: System Language Discovery
3 | C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost | 4448 | System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
3 | C:\Users\Admin\AppData\Local\Temp\client.exe | "C:\Users\Admin\AppData\Local\Temp\client.exe" | 4968 | Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAqgknrVhgvb.bat" " | 2828 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\chcp.com | chcp 65001 | 4592 | System Location Discovery: System Language Discovery
5 | C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost | 4892 | System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
5 | C:\Users\Admin\AppData\Local\Temp\client.exe | "C:\Users\Admin\AppData\Local\Temp\client.exe" | 4052 | Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y6qJvDmpkByu.bat" " | 4132 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\chcp.com | chcp 65001 | 1764 | System Location Discovery: System Language Discovery
7 | C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost | 4416 | System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
7 | C:\Users\Admin\AppData\Local\Temp\client.exe | "C:\Users\Admin\AppData\Local\Temp\client.exe" | 948 | Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m4ZlzGPFj1uk.bat" " | 4340 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\chcp.com | chcp 65001 | 4248 | System Location Discovery: System Language Discovery
9 | C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost | 2324 | System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
9 | C:\Users\Admin\AppData\Local\Temp\client.exe | "C:\Users\Admin\AppData\Local\Temp\client.exe" | 5028 | Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1GSCrFy5uXDt.bat" " | 3492 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\chcp.com | chcp 65001 | 2448 | System Location Discovery: System Language Discovery
11 | C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost | 3700 | System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
11 | C:\Users\Admin\AppData\Local\Temp\client.exe | "C:\Users\Admin\AppData\Local\Temp\client.exe" | 4288 | Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7hJ9SYdX8cd.bat" " | 2252 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\chcp.com | chcp 65001 | 3424 | System Location Discovery: System Language Discovery
13 | C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost | 2624 | System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 609B
  MD5: f78129c2d7c98a4397fa4931b11feef4
  SHA1: ea26f38d12515741651ff161ea8393d5fa41a5bd
  SHA256: 29830390784d06271342237443b6224bb98be0539e34b64e7344c78d7cdd93d9
  SHA512: cbca1d486c2bd7655752930b9020ccf3f8ae67a67dcb2cca51c31763a51fea8fb951d617c31a3746680303a8c6d45361c120f15ef06c30b417202949728b5b35

- Filesize: 203B
  MD5: 1418b11902bc8fa9ca6be62d8c450d4b
  SHA1: e0fa0bcfd906bc8c42bc67e33c7deeb67c624d9d
  SHA256: b5d8dac3fe9eeeaf35dadf4a0e81fa08826323318310fc8d80f824e3c292e2c2
  SHA512: 571eb5e8e0fcf41a65b9b33a3824479a69150c8133dab0a567aa08596d2a53889de58455698c6250f9fecb1fca4dc5c459e99d878f7e086d51c82c3f44297503

- Filesize: 203B
  MD5: 456406257b8b5bfe0adf1305b7e57e2d
  SHA1: 95063c63def2d9f5e2b5708ddd2ea7bac18e5e40
  SHA256: df8c803b7d83dc8bd3518222f0de34981956f8057516e54ec693b96f4b129767
  SHA512: 20745330289c8c8b31f2328fc29dfdaf070494a024abe0a48ba58cbfd54ddd4c499ee9b0b20d74fe50bcc7927c2c1b953919aed02f78b4c991eb7938637fe0b7

- Filesize: 203B
  MD5: 8b2ebee8ef4026f71f680599e33fdc78
  SHA1: 94ab5c2e439d5354dc10cdf5467378452ff32da3
  SHA256: 3a70a0ce3355af9bda6fa3a408bb2f1a03c84545006820992c79c37e0bf582f9
  SHA512: 2d6c88809aeac19522961af967bbd51f11c9ee6182bea06168f5008d6e1d48802d0fd133986598ace230379cfa0be9172f79902b5d7e64228b4a809403826a30

- Filesize: 203B
  MD5: f2a0199e7e7dd53d78aa079a5a19772e
  SHA1: 9f2e834b1f991c62a70ad4b7e2a6775b631ee9ca
  SHA256: 00be849325294f5bfa2e521a1d4c5929fe0b49eadbacc23e54dc2d5232c9e20e
  SHA512: ee6101492f645ec449790b6746db52ea54aca33362426d63b13e842a6c66e593ef0a9111a1a6308f9b9f0d988cdd2167b1bc717d9da33672c8a0d350e7cda51f

- Filesize: 203B
  MD5: 6e9a0cd045f372c8375e3df39281d9d0
  SHA1: b2597ec60cfb079c0a7b8a80a989289be6ae2c4c
  SHA256: 97991f8065cf87a0cd75ead0390bab9c7686107a4d2478f9fdddefd7786e2f9c
  SHA512: 772ba14290c7c740536a3ae74c2a3aee6a966bd039bbf9104ba88bcff89544cafc2219a601b857ea03f645c99b6a8ed4a52a55f2eac1f9078e62ce2f618b9bc9

- Filesize: 203B
  MD5: 33f5faba04be1bd59903092ead81670a
  SHA1: 5eaa7a701ada9c9ef564302043851c7f79e1a625
  SHA256: ba0a33f4c948a62346dce84578af36be64515602a45eb2b13512f6f78d6ff130
  SHA512: d6a52819d17529aa64d904e928eaa3a8a8eb2e19e5d2ec9afdfc6254dec24802e95e598debc5c3b6aec9f74467905c5feb5491505438cc9a61fa379bbc15984c