Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 18:16
Static task: static1
Behavioral task: behavioral1
Sample: c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
Resource: win7-20241010-en
General
Target: c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
Size: 1.0MB
MD5: 7ccf1fdf90d92e8a7ebca6f935207440
SHA1: 301ed5b0bd32f06a32855f659c9a44f0d1766d0a
SHA256: c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadc
SHA512: a7957cb6fb3e418f0eda322433dcc8518fde5a66a4da2fe7cf53d96f710169bf1e55ad698f1ccf0124b39c4d3107d3e52672e6eeb279c03e4d613fe0557cb5a1
SSDEEP: 24576:7P3JAsyS48MGN075+RFfdX0SOvYZKjVNhFpV1SLzknZ7cPR:7P3CFS4w075+DdVezFpVcon1cP
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: HTROY
C2: 87.120.116.115:61510
C2: onadeatcamsides.sytes.net:61511
Mutex: QSR_MUTEX_ZAU4jFZ758CCGtDmef
encryption_key: rK1SiSuzs11zCQEpJeMg
install_name: Updates.exe
log_directory: Logs
reconnect_delay: 30000
startup_key: NewUpdates
subdirectory: Mindow
Signatures

Quasar family

Quasar payload (3 IoCs)
resource / yara_rule:
behavioral1/memory/2768-10-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
behavioral1/memory/2768-8-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar
behavioral1/memory/2768-6-0x0000000000400000-0x000000000045E000-memory.dmp: family_quasar

Executes dropped EXE (8 IoCs)
pid / Process:
672 Updates.exe
3060 Updates.exe
1256 Updates.exe
2668 Updates.exe
872 Updates.exe
2188 Updates.exe
1332 Updates.exe
2376 Updates.exe

Loads dropped DLL (8 IoCs)
pid / Process:
2768 c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
672 Updates.exe
672 Updates.exe
672 Updates.exe
1984 cmd.exe
872 Updates.exe
872 Updates.exe
872 Updates.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
2 ip-api.com

Suspicious use of SetThreadContext (9 IoCs)
pid (Process): description, procid_target:
2032 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): set thread context of 2768, procid_target 31
2032 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): set thread context of 548, procid_target 32
2032 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): set thread context of 1740, procid_target 33
672 (Updates.exe): set thread context of 3060, procid_target 38
672 (Updates.exe): set thread context of 1256, procid_target 39
672 (Updates.exe): set thread context of 2668, procid_target 40
872 (Updates.exe): set thread context of 2188, procid_target 48
872 (Updates.exe): set thread context of 1332, procid_target 49
872 (Updates.exe): set thread context of 2376, procid_target 50

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (one entry each, in the order logged): schtasks.exe, Updates.exe, Updates.exe, schtasks.exe, PING.EXE, c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe, c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe, c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe, cmd.exe, chcp.com, c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe, Updates.exe, Updates.exe, Updates.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.

Runs ping.exe (1 TTPs, 1 IoCs)

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
2504 schtasks.exe
2416 schtasks.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description, pid (Process):
Token: SeDebugPrivilege, 2032 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe)
Token: SeDebugPrivilege, 2768 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe)
Token: SeDebugPrivilege, 672 (Updates.exe)
Token: SeDebugPrivilege, 3060 (Updates.exe)
Token: SeDebugPrivilege, 872 (Updates.exe)

Suspicious use of WriteProcessMemory (64 IoCs)
pid (Process): description, procid_target, number of identical entries:
2032 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): wrote to memory of 2768, procid_target 31, 9 entries
2032 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): wrote to memory of 548, procid_target 32, 9 entries
2032 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): wrote to memory of 1740, procid_target 33, 9 entries
2768 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): wrote to memory of 2416, procid_target 35, 4 entries
2768 (c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe): wrote to memory of 672, procid_target 37, 7 entries
672 (Updates.exe): wrote to memory of 3060, procid_target 38, 12 entries
672 (Updates.exe): wrote to memory of 1256, procid_target 39, 12 entries
672 (Updates.exe): wrote to memory of 2668, procid_target 40, 2 entries
Processes
(indentation shows parent/child nesting; each entry lists the executable, its PID, the command line as logged, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe (PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe (PID 2768)
    command line: C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 2416)
      command line: "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe" /rl HIGHEST /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 672)
      command line: "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 3060)
        command line: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe (PID 2504)
          command line: "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe (PID 1984)
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pdKQSk9LRdT4.bat" "
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\chcp.com (PID 1240)
            command line: chcp 65001
            - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\PING.EXE (PID 1532)
            command line: ping -n 10 localhost
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

          C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 872)
            command line: "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 2188)
              command line: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              - Executes dropped EXE

            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 1332)
              command line: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              - Executes dropped EXE

            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 2376)
              command line: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 1256)
        command line: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe (PID 2668)
        command line: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe (PID 548)
    command line: C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe (PID 1740)
    command line: C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 208B
MD5: b9658453b3869d9bd23953bfc1e5104d
SHA1: 2124c46f6d20581767288605849a59327cce3e57
SHA256: ce9b2e774a7d363edcb026f311bd490dbcc4818c5dd56d0e284299b0d720c9cf
SHA512: c4a0b9a25da5161152b84ad64db137c0d5e8b87d39fdac8b073c30845fca23b0c6f4e0fff1f39ebc6e31a361f9616453624810e59919e04e47a1bb8feae9eef7

Filesize: 1.0MB
MD5: 7ccf1fdf90d92e8a7ebca6f935207440
SHA1: 301ed5b0bd32f06a32855f659c9a44f0d1766d0a
SHA256: c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadc
SHA512: a7957cb6fb3e418f0eda322433dcc8518fde5a66a4da2fe7cf53d96f710169bf1e55ad698f1ccf0124b39c4d3107d3e52672e6eeb279c03e4d613fe0557cb5a1