Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03/11/2024, 18:10
Behavioral task
behavioral1
Sample
FpsBoosterUpdated.exe
Resource
win7-20240708-en
General
-
Target
FpsBoosterUpdated.exe
-
Size
348KB
-
MD5
290b4ade8d6facb2bddad3eb853c1bcf
-
SHA1
f86966d34bc407090f418192ebbd1bc88346b98e
-
SHA256
91d3d30addc138a7e5792098b38e0d0600e4e81044372306d857ae05002a1e48
-
SHA512
5d0ebf9b4d9fb1c88dac4be649e2e0fc88972d89fe5c090e02b0fcf736d26b57371bc6702195c37d2711c661afb685cb4bbf87d2224c2ae333051d6acfa8286b
-
SSDEEP
6144:6vUhIvTCqLALgOnvbrXXmHbYNS2QabeCc2AW9E/rpW:INTCvn3X2yS25e72m/1W
Malware Config
Extracted
quasar
1.3.0.0
Office04
127.0.0.1:4782
QSR_MUTEX_n0f6at7YDD5llBKKrq
-
encryption_key
MvuLVFJdoxRMzV0zCtOV
-
install_name
FpsBooster.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
FpsBooster
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral1/memory/2196-1-0x0000000000910000-0x000000000096E000-memory.dmp family_quasar behavioral1/files/0x00360000000160e7-5.dat family_quasar behavioral1/memory/2832-10-0x0000000000AE0000-0x0000000000B3E000-memory.dmp family_quasar -
Executes dropped EXE 1 IoCs
pid Process 2832 FpsBooster.exe -
Loads dropped DLL 1 IoCs
pid Process 2196 FpsBoosterUpdated.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ip-api.com -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\SubDir FpsBooster.exe File created C:\Program Files (x86)\SubDir\FpsBooster.exe FpsBoosterUpdated.exe File opened for modification C:\Program Files (x86)\SubDir\FpsBooster.exe FpsBoosterUpdated.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FpsBoosterUpdated.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FpsBooster.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2752 schtasks.exe 2608 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2196 FpsBoosterUpdated.exe Token: SeDebugPrivilege 2832 FpsBooster.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2752 2196 FpsBoosterUpdated.exe 31 PID 2196 wrote to memory of 2752 2196 FpsBoosterUpdated.exe 31 PID 2196 wrote to memory of 2752 2196 FpsBoosterUpdated.exe 31 PID 2196 wrote to memory of 2752 2196 FpsBoosterUpdated.exe 31 PID 2196 wrote to memory of 2832 2196 FpsBoosterUpdated.exe 33 PID 2196 wrote to memory of 2832 2196 FpsBoosterUpdated.exe 33 PID 2196 wrote to memory of 2832 2196 FpsBoosterUpdated.exe 33 PID 2196 wrote to memory of 2832 2196 FpsBoosterUpdated.exe 33 PID 2832 wrote to memory of 2608 2832 FpsBooster.exe 34 PID 2832 wrote to memory of 2608 2832 FpsBooster.exe 34 PID 2832 wrote to memory of 2608 2832 FpsBooster.exe 34 PID 2832 wrote to memory of 2608 2832 FpsBooster.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe"C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "FpsBooster" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2752
-
-
C:\Program Files (x86)\SubDir\FpsBooster.exe"C:\Program Files (x86)\SubDir\FpsBooster.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "FpsBooster" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\FpsBooster.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2608
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD5290b4ade8d6facb2bddad3eb853c1bcf
SHA1f86966d34bc407090f418192ebbd1bc88346b98e
SHA25691d3d30addc138a7e5792098b38e0d0600e4e81044372306d857ae05002a1e48
SHA5125d0ebf9b4d9fb1c88dac4be649e2e0fc88972d89fe5c090e02b0fcf736d26b57371bc6702195c37d2711c661afb685cb4bbf87d2224c2ae333051d6acfa8286b