Analysis
- max time kernel: 148s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-11-2024 06:46

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b8fc2efcc33d3160f38fcb6b39319e6a.exe
  - Resource: win7-20240903-en
  (The findings below reference behavioral2 and the win10v2004 image listed under platform/resource above; the behavioral1 entry is the win7 run of the same sample.)
General
- Target: b8fc2efcc33d3160f38fcb6b39319e6a.exe
- Size: 774KB
- MD5: b8fc2efcc33d3160f38fcb6b39319e6a
- SHA1: a61413a5b6c19b4a388e6c89aaa9304c657b3e08
- SHA256: 3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a
- SHA512: ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b
- SSDEEP: 24576:XBx+Lv/QRiHCywDv2JIh7tJIYZFk+XJJ:xeXBm2JIDJNDXJ
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Tag (campaign/botnet label): VTROY
- C2: 31.13.224.12:61512
- C2: 31.13.224.13:61513
- Mutex: QSR_MUTEX_4Q2rJqiVyC7hohzbjx
- encryption_key: 7Vp2dMCHrMjJthQ2Elyy
- install_name: downloads.exe
- log_directory: Logs
- reconnect_delay: 5000
- startup_key: cssrse.exe
- subdirectory: downloadupdates

The config fields line up with the runtime behaviour recorded further down: subdirectory + install_name give the drop location seen in the process tree (AppData\Roaming\downloadupdates\downloads.exe), startup_key is the name of the scheduled task the sample registers (cssrse.exe), the mutex is the per-build instance lock (QSR_MUTEX_ is Quasar's default prefix), and reconnect_delay is the client's reconnect interval in milliseconds. The two C2 entries are tried in order; both are on the same /24.
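The config above is only useful on a host once it is turned into things a responder can actually look for. The following is an added example for this report, not sandbox output and not Quasar code: it derives the expected install path, scheduled-task name, mutex and C2 sockets from the extracted fields and checks them against host evidence. Assumptions, labelled in the code: the install directory is the user's roaming AppData (the process tree on this page shows that; Quasar builds can be configured for other directories), the HOSTS string follows Quasar's "host:port;host:port;" layout, and the task, connection and mutex records are constructed to resemble what a triage script would collect.

```python
"""Derive host/network indicators from a Quasar 1.3 config and match them
against host evidence.  Added example; not sandbox output, not Quasar code."""
from dataclasses import dataclass

# Config values as the sandbox extracted them (taken from this page).
QUASAR_CONFIG = {
    "version": "1.3.0.0",
    "tag": "VTROY",
    # Quasar stores HOSTS as "host:port;host:port;"; the sandbox lists the
    # entries separately, so parse_hosts accepts either shape.
    "hosts": "31.13.224.12:61512;31.13.224.13:61513;",
    "mutex": "QSR_MUTEX_4Q2rJqiVyC7hohzbjx",
    "install_name": "downloads.exe",
    "subdirectory": "downloadupdates",
    "startup_key": "cssrse.exe",
    "reconnect_delay": 5000,
}


@dataclass(frozen=True)
class QuasarIocs:
    c2: tuple          # ((host, port), ...)
    mutex: str         # bare object name, as CreateMutex receives it
    install_path: str  # where the dropped copy is expected on disk
    task_name: str     # scheduled task / run key name used for persistence


def parse_hosts(hosts):
    """Accept the raw 'host:port;host:port;' string or a list of 'host:port'
    entries and return a tuple of (host, port)."""
    entries = hosts.split(";") if isinstance(hosts, str) else hosts
    out = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")   # rpartition tolerates [v6]:port
        out.append((host.strip("[]"), int(port)))
    return tuple(out)


def derive_iocs(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Turn config fields into concrete artefacts.  `appdata` is an
    assumption: this page's process tree shows Roaming AppData, but Quasar
    can also be built to install elsewhere."""
    install_path = "\\".join((appdata, cfg["subdirectory"], cfg["install_name"]))
    return QuasarIocs(c2=parse_hosts(cfg["hosts"]), mutex=cfg["mutex"],
                      install_path=install_path, task_name=cfg["startup_key"])


# Constructed host evidence (not from the page), shaped like the output of a
# scheduled-task, TCP-connection and named-object enumeration on a host.
HOST_EVIDENCE = {
    "scheduled_tasks": [
        {"name": "cssrse.exe", "trigger": "ONLOGON", "run_level": "HIGHEST",
         "action": r"C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe"},
        {"name": "OneDrive Standalone Update Task", "trigger": "DAILY", "run_level": "LIMITED",
         "action": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    ],
    "connections": [
        {"laddr": "10.0.0.5:49710", "raddr": "31.13.224.12:61512", "pid": 392},
        {"laddr": "10.0.0.5:49712", "raddr": "52.96.0.1:443", "pid": 6040},
    ],
    "mutexes": [r"\Sessions\1\BaseNamedObjects\QSR_MUTEX_4Q2rJqiVyC7hohzbjx",
                r"\Sessions\1\BaseNamedObjects\MSCTF.Asm.MutexDefault1"],
}


def match_evidence(iocs, evidence):
    """Return (indicator_type, value) pairs for evidence matching the IOCs.
    Paths and task names compare case-insensitively, as Windows does; named
    objects are compared on their basename because enumeration tools show
    the full object-manager path, and case-sensitively as CreateMutex does."""
    hits = []
    for task in evidence["scheduled_tasks"]:
        if (task["name"].lower() == iocs.task_name.lower()
                or task["action"].lower() == iocs.install_path.lower()):
            hits.append(("scheduled_task", task["name"]))
    for conn in evidence["connections"]:
        host, _, port = conn["raddr"].rpartition(":")
        if (host, int(port)) in iocs.c2:
            hits.append(("c2_connection", conn["raddr"]))
    for name in evidence["mutexes"]:
        if name.rsplit("\\", 1)[-1] == iocs.mutex:
            hits.append(("mutex", iocs.mutex))
    return hits


if __name__ == "__main__":
    for kind, value in match_evidence(derive_iocs(QUASAR_CONFIG), HOST_EVIDENCE):
        print(f"{kind:16} {value}")
```

The task name and mutex are fixed at build time and identify this build only; the C2 addresses will rotate. Treat the three checks as confirmation of this specific sample on a host, and rely on the behavioural pattern in the process tree (same-image child plus memory writes, then schtasks) for detection of other builds.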
Signatures
- Quasar family
- Quasar payload (1 IoC)
  YARA rule family_quasar matched the memory dump behavioral2/memory/3396-5-0x0000000000400000-0x000000000045E000-memory.dmp: the image range of PID 3396, starting at the default 32-bit image base 0x400000. PID 3396 is the same-image child that PID 4552 wrote into and redirected (see SetThreadContext and WriteProcessMemory below), so the unpacked Quasar body lives in the hollowed child, not in the on-disk dropper.
- Executes dropped EXE (5 IoCs)
  downloads.exe ran as PIDs 748, 392, 4576, 1760 and 816.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 8: ip-api.com
- Suspicious use of SetThreadContext (6 IoCs)
  PID 4552 (b8fc2efcc33d3160f38fcb6b39319e6a.exe) set the thread context of PIDs 3396, 1940 and 3752 (procid_target 89, 90, 91).
  PID 392 (downloads.exe) set the thread context of PIDs 4576, 1760 and 816 (procid_target 106, 107, 108).
  Each parent spawns three suspended copies of its own image, writes to them and resets their thread context: the process-hollowing (RunPE) pattern, performed once by the original dropper and once again by the dropped copy.
- Program crash (2 IoCs)
  WerFault.exe PID 3116 handled the crash of PID 3752 (procid_target 91); WerFault.exe PID 2836 handled the crash of PID 1760 (procid_target 107). Both crashed processes are the third same-image child their parent wrote into, which is consistent with a failed injection.
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by b8fc2efcc33d3160f38fcb6b39319e6a.exe (3 times), schtasks.exe (3 times) and downloads.exe (4 times). Note that schtasks.exe opening this key is normal runtime behaviour; only the sample's own reads carry weight.
- Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs 3776, 1200 and 1876 (command lines in the process tree below).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3396 (b8fc2efcc33d3160f38fcb6b39319e6a.exe).
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege adjusted by PIDs 4552, 1940 and 3396 (b8fc2efcc33d3160f38fcb6b39319e6a.exe) and by PIDs 392 and 4576 (downloads.exe).
- Suspicious use of UnmapMainImage (1 IoC)
  PID 1760 (downloads.exe).
- Suspicious use of WriteProcessMemory (63 IoCs)
  Writer -> target (procid_target): number of writes recorded
  4552 b8fc2efcc33d3160f38fcb6b39319e6a.exe -> 3396 (89): 8
  4552 b8fc2efcc33d3160f38fcb6b39319e6a.exe -> 1940 (90): 8
  4552 b8fc2efcc33d3160f38fcb6b39319e6a.exe -> 3752 (91): 8
  1940 b8fc2efcc33d3160f38fcb6b39319e6a.exe -> 3776 schtasks.exe (96): 3
  1940 b8fc2efcc33d3160f38fcb6b39319e6a.exe -> 748 downloads.exe (98): 3
  3396 b8fc2efcc33d3160f38fcb6b39319e6a.exe -> 1200 schtasks.exe (102): 3
  3396 b8fc2efcc33d3160f38fcb6b39319e6a.exe -> 392 downloads.exe (104): 3
  392 downloads.exe -> 4576 (106): 8
  392 downloads.exe -> 1760 (107): 8
  392 downloads.exe -> 816 (108): 8
  4576 downloads.exe -> 1876 schtasks.exe (111): 3
  The eight-write groups go to same-image children and are the injection; the three-write groups are the writes a parent performs into any child it creates (CreateProcess setup), so they appear for schtasks.exe as well and are not themselves suspicious.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe"
    PID: 4552
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
        PID: 3396
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmdline: "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe" /rl HIGHEST /f
            PID: 1200
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
        [3] C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe"
            PID: 392
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
                cmdline: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
                PID: 4576
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\schtasks.exe
                    cmdline: "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe" /rl HIGHEST /f
                    PID: 1876
                    - System Location Discovery: System Language Discovery
                    - Scheduled Task/Job: Scheduled Task
            [4] C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
                cmdline: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
                PID: 1760
                - Executes dropped EXE
                - Suspicious use of UnmapMainImage
                [5] C:\Windows\SysWOW64\WerFault.exe
                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 12
                    PID: 2836
                    - Program crash
            [4] C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
                cmdline: C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
                PID: 816
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
        PID: 1940
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmdline: "schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe" /rl HIGHEST /f
            PID: 3776
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
        [3] C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe"
            PID: 748
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe
        PID: 3752
        [3] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 80
            PID: 3116
            - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3752 -ip 3752
    PID: 4572
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1760 -ip 1760
    PID: 3964

Reading the tree: the scheduled task cssrse.exe is registered twice per branch, first by the hollowed dropper pointing at its own %TEMP% path, then again by the dropped copy pointing at the Roaming path. Because every registration passes /f, the later one overwrites the earlier, so the task that survives on the host runs C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe at logon. /rl HIGHEST asks for the highest privilege level the account holds; whether that produces an elevated token depends on the account and on whether the registering process was itself elevated (the sandbox runs as Admin).
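The tree and the signatures above describe a pattern, not just a set of hashes: a process spawns a child from its own image and writes into it, the child registers an ONLOGON task with /rl HIGHEST whose action sits in a user-writable directory, and something in the chain asks ip-api.com for the external address. The following is an added example for this report, not sandbox output, of how that pattern can be expressed as detection logic over Sysmon-style telemetry. Assumptions, labelled in the code: the events are constructed to mirror this page's process tree (PIDs and paths come from the tree, the benign schtasks event and the attribution of the ip-api.com query to PID 3396 are invented for illustration), their shape follows Sysmon EID 1 (process create), EID 10 (process access) and EID 22 (DNS query), and GrantedAccess is given as an integer rather than Sysmon's hex string.

```python
"""Behavioural detection of the hollow-then-persist chain shown in this
report, over Sysmon-style events.  Added example; not sandbox output."""
import re

# Win32 process access rights (winnt.h); Sysmon EID 10 reports the same bits.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_INTO_PROCESS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
EXTERNAL_IP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b8fc2efcc33d3160f38fcb6b39319e6a.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed events (not sandbox output) following the page's process tree.
# PID 1234 (the launching shell), PID 5000 and the DNS attribution are invented.
EVENTS = [
    {"eid": 1, "pid": 4552, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"eid": 1, "pid": 3396, "ppid": 4552, "image": SAMPLE, "cmdline": SAMPLE},
    {"eid": 10, "source_pid": 4552, "target_pid": 3396, "granted_access": 0x1FFFFF},
    {"eid": 22, "pid": 3396, "query": "ip-api.com"},
    {"eid": 1, "pid": 1200, "ppid": 3396, "image": SCHTASKS,
     "cmdline": f'"schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "{SAMPLE}" /rl HIGHEST /f'},
    {"eid": 1, "pid": 392, "ppid": 3396, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"eid": 1, "pid": 4576, "ppid": 392, "image": DROPPED, "cmdline": DROPPED},
    {"eid": 10, "source_pid": 392, "target_pid": 4576, "granted_access": WRITE_INTO_PROCESS},
    {"eid": 1, "pid": 1876, "ppid": 4576, "image": SCHTASKS,
     "cmdline": f'"schtasks" /create /tn "cssrse.exe" /sc ONLOGON /tr "{DROPPED}" /rl HIGHEST /f'},
    # Benign noise: a daily vendor task from a per-machine path, limited run level.
    {"eid": 1, "pid": 5000, "ppid": 800, "image": SCHTASKS,
     "cmdline": r'schtasks /create /tn "Updater" /sc DAILY /tr "C:\Program Files\Vendor\upd.exe" /f'},
]


def switch(cmdline, name):
    """Value of a schtasks switch (quoted or bare), or None if absent."""
    pattern = r"(?i)(?<!\S)" + re.escape(name) + r'\s+(?:"([^"]*)"|(\S+))'
    m = re.search(pattern, cmdline)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events):
    """Return (rule, pid, detail) alerts for the chain this report shows."""
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    alerts = []

    # Rule 1: same-image child plus a parent handle able to write its memory.
    # Same-image children alone are common (browsers, updaters); the write
    # capability is what makes it a hollowing candidate.  The sandbox saw the
    # API side of this as WriteProcessMemory + SetThreadContext.
    same_image = set()
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent and parent["image"].lower() == child["image"].lower():
            same_image.add((child["ppid"], child["pid"]))
    for e in events:
        if e["eid"] != 10 or (e["source_pid"], e["target_pid"]) not in same_image:
            continue
        if e["granted_access"] & WRITE_INTO_PROCESS == WRITE_INTO_PROCESS:
            alerts.append(("process_hollowing", e["target_pid"], procs[e["target_pid"]]["image"]))

    # Rule 2: schtasks /create with a logon/boot trigger, highest run level and
    # an action under a user-writable path (exactly the page's persistence).
    for p in procs.values():
        cmd = p["cmdline"]
        if not p["image"].lower().endswith("\\schtasks.exe"):
            continue
        if re.search(r"(?i)(?<!\S)/create(?!\S)", cmd) is None:
            continue
        trigger = (switch(cmd, "/sc") or "").upper()
        level = (switch(cmd, "/rl") or "").upper()
        action = (switch(cmd, "/tr") or "").lower()
        if trigger in {"ONLOGON", "ONSTART"} and level == "HIGHEST" \
                and any(s in action for s in USER_WRITABLE):
            alerts.append(("schtasks_persistence", p["pid"], switch(cmd, "/tn")))

    # Rule 3: external-IP lookup by a process already implicated above.  On its
    # own this is a weak signal; plenty of legitimate software does it.
    implicated = {pid for _, pid, _ in alerts}
    for e in events:
        if e["eid"] == 22 and e["query"].lower() in EXTERNAL_IP_SERVICES and e["pid"] in implicated:
            alerts.append(("external_ip_lookup", e["pid"], e["query"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Rule 1 keys on a handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION rather than on the SetThreadContext call the sandbox logged, because thread-context changes are thread-level and not something Sysmon records; an EDR with API telemetry can add that condition directly. Rule 2 deliberately ignores the task name: cssrse.exe is specific to this build, while the trigger, run level and user-writable action path are what every such persistence attempt shares.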
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b8fc2efcc33d3160f38fcb6b39319e6a.exe.log
  Filesize: 522B
  MD5: 0f39d6b9afc039d81ff31f65cbf76826
  SHA1: 8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8
  SHA256: ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d
  SHA512: 5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9
  This is a .NET Framework 4 usage log, which the 32-bit CLR writes for managed executables it runs; its presence confirms the sample is a 32-bit .NET binary, consistent with Quasar being a .NET RAT.
- (path not listed on the page)
  Filesize: 774KB
  MD5: b8fc2efcc33d3160f38fcb6b39319e6a
  SHA1: a61413a5b6c19b4a388e6c89aaa9304c657b3e08
  SHA256: 3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a
  SHA512: ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b
  Size and all four hashes are identical to the submitted sample, so this is a byte-for-byte copy of b8fc2efcc33d3160f38fcb6b39319e6a.exe; the process tree shows the copy running from C:\Users\Admin\AppData\Roaming\downloadupdates\downloads.exe.