Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02-11-2024 06:46
Static task: static1
Behavioral task: behavioral1
Sample: b8fc2efcc33d3160f38fcb6b39319e6a.exe
Resource: win7-20240903-en
General
- Target: b8fc2efcc33d3160f38fcb6b39319e6a.exe
- Size: 774KB
- MD5: b8fc2efcc33d3160f38fcb6b39319e6a
- SHA1: a61413a5b6c19b4a388e6c89aaa9304c657b3e08
- SHA256: 3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a
- SHA512: ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b
- SSDEEP: 24576:XBx+Lv/QRiHCywDv2JIh7tJIYZFk+XJJ:xeXBm2JIDJNDXJ
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: VTROY
- C2: 31.13.224.12:61512, 31.13.224.13:61513
- Mutex: QSR_MUTEX_4Q2rJqiVyC7hohzbjx
- encryption_key: 7Vp2dMCHrMjJthQ2Elyy
- install_name: downloads.exe
- log_directory: Logs
- reconnect_delay: 5000
- startup_key: cssrse.exe
- subdirectory: downloadupdates
Signatures
- Quasar family
- Quasar payload (3 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/2956-4-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
  - behavioral1/memory/2956-6-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
  - behavioral1/memory/3000-13-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  - 2740 downloads.exe
  - 1492 downloads.exe
  - 2972 downloads.exe
  - 2292 downloads.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  - 2956 b8fc2efcc33d3160f38fcb6b39319e6a.exe
  - 2740 downloads.exe
  - 2740 downloads.exe
  - 2740 downloads.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - 2 ip-api.com
- Suspicious use of SetThreadContext (6 IoCs)
  Processes (description, pid, process, procid_target):
  - PID 2516 set thread context of 2956 (2516 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 30)
  - PID 2516 set thread context of 3000 (2516 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 31)
  - PID 2516 set thread context of 2864 (2516 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 32)
  - PID 2740 set thread context of 1492 (2740 downloads.exe, procid_target 37)
  - PID 2740 set thread context of 2972 (2740 downloads.exe, procid_target 38)
  - PID 2740 set thread context of 2292 (2740 downloads.exe, procid_target 39)
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8fc2efcc33d3160f38fcb6b39319e6a.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8fc2efcc33d3160f38fcb6b39319e6a.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8fc2efcc33d3160f38fcb6b39319e6a.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language downloads.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language downloads.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language downloads.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language downloads.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 2604 schtasks.exe
  - 2504 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 2516 b8fc2efcc33d3160f38fcb6b39319e6a.exe
  - Token: SeDebugPrivilege 2956 b8fc2efcc33d3160f38fcb6b39319e6a.exe
  - Token: SeDebugPrivilege 2740 downloads.exe
  - Token: SeDebugPrivilege 2972 downloads.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, procid_target; identical rows grouped, row count in brackets):
  - PID 2516 wrote to memory of 2956 (2516 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 30) [9 rows]
  - PID 2516 wrote to memory of 3000 (2516 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 31) [9 rows]
  - PID 2516 wrote to memory of 2864 (2516 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 32) [9 rows]
  - PID 2956 wrote to memory of 2604 (2956 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 34) [4 rows]
  - PID 2956 wrote to memory of 2740 (2956 b8fc2efcc33d3160f38fcb6b39319e6a.exe, procid_target 36) [4 rows]
  - PID 2740 wrote to memory of 1492 (2740 downloads.exe, procid_target 37) [9 rows]
  - PID 2740 wrote to memory of 2972 (2740 downloads.exe, procid_target 38) [9 rows]
  - PID 2740 wrote to memory of 2292 (2740 downloads.exe, procid_target 39) [9 rows]
  - PID 2972 wrote to memory of 2504 (2972 downloads.exe, procid_target 40) [2 rows]
Processes
- PID 2516: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 2956: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 2604: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe" /rl HIGHEST /f
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - PID 2740: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
      Command line: "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 1492: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
        Command line: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - PID 2972: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
        Command line: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - PID 2504: C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe" /rl HIGHEST /f
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - PID 2292: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
        Command line: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - PID 3000: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
    Signatures: System Location Discovery: System Language Discovery
  - PID 2864: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
    Signatures: (none)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 774KB
- MD5: b8fc2efcc33d3160f38fcb6b39319e6a
- SHA1: a61413a5b6c19b4a388e6c89aaa9304c657b3e08
- SHA256: 3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a
- SHA512: ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b