Analysis

max time kernel: 126s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2024 02:10

Static task: static1
Behavioral task: behavioral1
Sample: a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Resource: win7-20240903-en
General

Target: a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Size: 5.8MB
MD5: 7f4092487f658020d13296690668d937
SHA1: 4c2e7041e90f7f651c3f514f092260fdf38d23e4
SHA256: a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a
SHA512: bf24517138ae37ad6dbb5aec2272b0db9a7aa9c38e8b1928a4e6223c624592bf2fff2ce27e3971329bd829667cfd5722ce1906b55ebb779b421bd8ec3aae749b
SSDEEP: 98304:VdAle+Q5MpCOKdEJFZPG+chrvWREYJSqKpwR5agwxo7CH+TY9PcFO3y9jmKn+HBT:bkgMpCOL++KYMqDbSVdRf3y9jKH+U
Malware Config

Extracted

Family: quasar
Version: 1.3.0.0
Botnet (tag): XXXNewsgroupdirect
C2 (all on 4782, the Quasar default port):
  jwy1nw4mcx2svbmvgo76.ru:4782
  o6tqyui3rxxk2sfghduiypzz7pxlym.ru:4782
  RHjqJCxmCalXXEe.ru:4782
  xMfLSMPKBWsgmUC.ru:4782
  FHXvaxLSFIDvieO.ru:4782
  QfFaRBPqOoJQqEF.ru:4782
  moNxVtjgeWpPVUz.ru:4782
  JDIsOivQCBlbzlN.ru:4782
  DGnZQjkVDhsxgVV.ru:4782
  ByZBzewBiKXuqUR.ru:4782
  ytXDZUKKgHETqys.ru:4782
  yPZmTJDDnmJhkwf.ru:4782
  QVggEpcffTSfXLG.ru:4782
  DqUTFasmBwlEIBT.ru:4782
  VYJjpyHabYhrJDd.ru:4782
  RgNSTMHSnjafPEX.ru:4782
Mutex: HoQcpHAOBoMWu5FCve

Attributes
encryption_key: VJrLu7UGImn19bb9qL6Z
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload 1 IoCs
resource | yara_rule
behavioral2/memory/4344-21-0x0000000000BB0000-0x0000000000C0E000-memory.dmp | family_quasar

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
45 | ip-api.com
30 | ip-api.com

Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3144 set thread context of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3744 set thread context of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3148 | PING.EXE
4424 | PING.EXE

Runs ping.exe 1 TTPs 2 IoCs
pid | Process
3148 | PING.EXE
4424 | PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
536 | schtasks.exe
3972 | schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4344 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
Token: SeDebugPrivilege | 444 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Suspicious use of WriteProcessMemory 46 IoCs
description | pid | Process | procid_target
PID 3144 wrote to memory of 536 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 99
PID 3144 wrote to memory of 536 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 99
PID 3144 wrote to memory of 536 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 99
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 3144 wrote to memory of 4344 | 3144 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 101
PID 4344 wrote to memory of 1528 | 4344 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 103
PID 4344 wrote to memory of 1528 | 4344 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 103
PID 4344 wrote to memory of 1528 | 4344 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 103
PID 1528 wrote to memory of 1780 | 1528 | cmd.exe | 105
PID 1528 wrote to memory of 1780 | 1528 | cmd.exe | 105
PID 1528 wrote to memory of 1780 | 1528 | cmd.exe | 105
PID 1528 wrote to memory of 3148 | 1528 | cmd.exe | 106
PID 1528 wrote to memory of 3148 | 1528 | cmd.exe | 106
PID 1528 wrote to memory of 3148 | 1528 | cmd.exe | 106
PID 1528 wrote to memory of 3744 | 1528 | cmd.exe | 110
PID 1528 wrote to memory of 3744 | 1528 | cmd.exe | 110
PID 1528 wrote to memory of 3744 | 1528 | cmd.exe | 110
PID 3744 wrote to memory of 3972 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 112
PID 3744 wrote to memory of 3972 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 112
PID 3744 wrote to memory of 3972 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 112
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 3744 wrote to memory of 444 | 3744 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 114
PID 444 wrote to memory of 1932 | 444 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 116
PID 444 wrote to memory of 1932 | 444 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 116
PID 444 wrote to memory of 1932 | 444 | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe | 116
PID 1932 wrote to memory of 3280 | 1932 | cmd.exe | 118
PID 1932 wrote to memory of 3280 | 1932 | cmd.exe | 118
PID 1932 wrote to memory of 3280 | 1932 | cmd.exe | 118
PID 1932 wrote to memory of 4424 | 1932 | cmd.exe | 119
PID 1932 wrote to memory of 4424 | 1932 | cmd.exe | 119
PID 1932 wrote to memory of 4424 | 1932 | cmd.exe | 119
PID 1932 wrote to memory of 3340 | 1932 | cmd.exe | 121
PID 1932 wrote to memory of 3340 | 1932 | cmd.exe | 121
PID 1932 wrote to memory of 3340 | 1932 | cmd.exe | 121
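The registry signatures above all reduce to a handful of path suffixes (VirtualBox Guest Additions, VMware Tools, the BIOS version strings, Services\Disk\Enum, Geo\Nation, NLS\Language). The following script, which is an added example and not the sandbox's own rule set, applies those suffixes to registry-access telemetry and separates the VM/sandbox probes from the location and language lookups that benign helpers such as chcp.com and ping.exe also make. The events are constructed from the report's IoC rows; the two-category threshold is an assumption chosen so that a single BIOS read by ordinary software does not trip the verdict.

```python
"""Classify registry accesses into the sandbox-evasion and geofencing checks
listed in the report. Added example, not the sandbox's own rule set; the
events below are constructed from the report's IoC rows."""
import re
from collections import Counter

# One pattern per signature title used in the report. Patterns anchor on the
# tail of the path so WOW6432Node / ControlSet00N prefixes do not matter.
REGISTRY_SIGNATURES = [
    ("Looks for VirtualBox Guest Additions in registry",
     re.compile(r"\\Oracle\\VirtualBox Guest Additions$", re.I)),
    ("Looks for VMWare Tools registry key",
     re.compile(r"\\VMware, Inc\.\\VMware Tools$", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("Maps connected drives based on registry",
     re.compile(r"\\Services\\Disk\\Enum(\\\d+)?$", re.I)),
    ("Checks computer location settings",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("System Language Discovery",
     re.compile(r"\\Control\\NLS\\Language$", re.I)),
]

# Signatures that point at VM/sandbox detection rather than plain discovery.
# NLS\Language and Geo\Nation are also read by benign code (chcp.com,
# ping.exe in the report) and are kept out of the verdict.
EVASION = {
    "Looks for VirtualBox Guest Additions in registry",
    "Looks for VMWare Tools registry key",
    "Checks BIOS information in registry",
    "Maps connected drives based on registry",
}


def classify(path):
    """Return the signature title matching a registry path, or None."""
    for title, rx in REGISTRY_SIGNATURES:
        if rx.search(path):
            return title
    return None


def summarize(events, min_categories=2):
    """events: iterable of (pid, operation, registry_path).

    Returns (hits, flagged). hits maps pid -> Counter of signature titles;
    flagged is the set of pids that touched at least `min_categories`
    distinct evasion checks (assumed threshold, see lead-in)."""
    hits = {}
    for pid, _operation, path in events:
        title = classify(path)
        if title is not None:
            hits.setdefault(pid, Counter())[title] += 1
    flagged = {pid for pid, c in hits.items()
               if len(set(c) & EVASION) >= min_categories}
    return hits, flagged


# Constructed from the report's IoC rows: (pid, operation, path).
SAMPLE_EVENTS = [
    ("3144", "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions"),
    ("3144", "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools"),
    ("3144", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("3144", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("3144", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    ("3144", "Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"),
    ("3144", "Key value queried", r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation"),
    ("4344", "Key value queried", r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation"),
    ("4344", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("1780", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),  # chcp.com
]

if __name__ == "__main__":
    hits, flagged = summarize(SAMPLE_EVENTS)
    for pid, counter in hits.items():
        print(pid, dict(counter))
    print("sandbox-evasion verdict:", sorted(flagged))
```

On the constructed events only the parent process 3144 is flagged: it hits four distinct evasion categories, while the injected child 4344 and chcp.com only read Geo\Nation and NLS\Language, which is exactly the split the report's signature list shows.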
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
    PID: 3144
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp656C.tmp"
      PID: 536
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  [2] C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
      PID: 4344
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XzstfXbf8V33.bat" "
        PID: 1528
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 1780
          - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 10 localhost
          PID: 3148
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

      [4] C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
          PID: 3744
          - Looks for VirtualBox Guest Additions in registry
          - Looks for VMWare Tools registry key
          - Checks BIOS information in registry
          - Checks computer location settings
          - Maps connected drives based on registry
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5049.tmp"
            PID: 3972
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [5] C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
            PID: 444
            - Checks computer location settings
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eTKYcXpmsjon.bat" "
              PID: 1932
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\chcp.com
                Command line: chcp 65001
                PID: 3280
                - System Location Discovery: System Language Discovery

            [7] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 10 localhost
                PID: 4424
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

            [7] C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
                PID: 3340
                - System Location Discovery: System Language Discovery
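The tree above repeats one pattern twice: the dropper registers a scheduled task from an XML file in %TEMP%, injects into a fresh copy of itself (SetThreadContext on 4344 and 444), and that copy runs a randomly named .bat from %TEMP% whose only job is `chcp 65001`, `ping -n 10 localhost` as a sleep, and a relaunch of the same executable. The script below, an added example rather than anything from the sandbox, reconstructs both chains from process-creation records (pid, ppid, image, command line, the fields Sysmon event 1 carries). The events are constructed from the report's tree; the root's parent pid 1000 is a placeholder, since the report does not show what launched 3144.

```python
"""Detect the schtasks-from-%TEMP% and restart-batch chains shown in the
process tree. Added example, not the sandbox's own logic; EVENTS are
constructed from the report's tree (root ppid 1000 is a placeholder)."""
import re
from collections import defaultdict

TEMP_RX = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BAT_RX = re.compile(r"\.bat\b", re.I)
# "ping -n <count> localhost" used as a sleep before relaunch.
PING_LOCAL_RX = re.compile(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)\b", re.I)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe")

# (pid, ppid, image, command line), constructed from the report's tree.
EVENTS = [
    (3144, 1000, SAMPLE, f'"{SAMPLE}"'),
    (536, 3144, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp656C.tmp"'),
    (4344, 3144, SAMPLE, f'"{SAMPLE}"'),
    (1528, 4344, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XzstfXbf8V33.bat" "'),
    (1780, 1528, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (3148, 1528, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    (3744, 1528, SAMPLE, f'"{SAMPLE}"'),
    (3972, 3744, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5049.tmp"'),
    (444, 3744, SAMPLE, f'"{SAMPLE}"'),
    (1932, 444, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eTKYcXpmsjon.bat" "'),
    (3280, 1932, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (4424, 1932, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    (3340, 1932, SAMPLE, f'"{SAMPLE}"'),
]


def _name(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return the pids of schtasks /Create calls that import an XML task
    definition from %TEMP%, and (cmd_pid, relaunched_pid) pairs for cmd.exe
    instances that run a %TEMP% .bat, ping localhost, and re-execute the
    image of their own parent process."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in events:
        children[ppid].append(pid)

    scheduled = []
    for pid, (_ppid, image, cmd) in by_pid.items():
        low = cmd.lower()
        if (_name(image) == "schtasks.exe" and "/create" in low
                and "/xml" in low and TEMP_RX.search(cmd)):
            scheduled.append(pid)

    chains = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if _name(image) != "cmd.exe":
            continue
        if not (TEMP_RX.search(cmd) and BAT_RX.search(cmd)):
            continue
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        parent_image = parent[1].lower()
        kids = children[pid]
        pinged = any(_name(by_pid[c][1]) == "ping.exe"
                     and PING_LOCAL_RX.search(by_pid[c][2]) for c in kids)
        relaunch = [c for c in kids if by_pid[c][1].lower() == parent_image]
        if pinged and relaunch:
            chains.append((pid, relaunch[0]))

    return {"scheduled_task_xml_from_temp": sorted(scheduled),
            "restart_batch_chains": sorted(chains)}


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

Matching the relaunched child against the image of the cmd.exe's parent, rather than against a fixed file name, is what makes the rule survive a renamed dropper; the schtasks check keys on `/XML` pointing into the user's Temp directory because legitimate task imports rarely come from there.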
MITRE ATT&CK Enterprise v15

Discovery
- Peripheral Device Discovery (1)
- Query Registry (5)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe.log
Filesize: 599B
MD5: 4c035bcf4ab1fbbc9de8a5ed5be5dfb8
SHA1: 180299ba8c06ed922f515b8cdb2409edd8b432d0
SHA256: 75b9a0f2298151bbbf388dd94b9f13d5c5ec174891f0c76b07b8cd8bbd1273c1
SHA512: 0166b2b1b0d79f366d3ae8b9e76b2fff9648c85b3cf883120b23355ca484337cee6e0462e7d8cd52654506ff739f195bff9e1b4d4617b882ec9943dc31abde4d

Filesize: 261B
MD5: 201881ca7efea08d53445112a68fb21c
SHA1: bf6ffc003e5c09677f04eb19cb3022c04ef281aa
SHA256: c51eb95f61f17cc46aeaad106597f10eaba5cfc1014c8469f02af2ad260d5bd9
SHA512: 9255ad146a4861a0c58c621987a587858dacea30ebaa132cff95d23a1a0808b6c4e5ffc89e7df5ddba8ba71101013a24e9b829565efb456d8789188aa01052b5

Filesize: 261B
MD5: b308428fdc1ab0ebfbba404df11a5293
SHA1: 1c69cee6f380546d970b24f7ef1cae9c20e75ba6
SHA256: bc78b8130d983d50d2c95059f02e3d752a921121c86bef15e0cbdfc403ce097e
SHA512: b31fc5e5b6d081eead73c4303b9922046d62b8fa814e1394894451e2a615cc45721ab1d8f069bbb575f1dab41f84beff1d2cf746f3a82fa98c4d54b7d26ea8a8

Filesize: 1KB
MD5: d583b7f47971b29d64cb2d49aa81a870
SHA1: baf1bc39facf68c09e53ac10033b05030880927e
SHA256: 2a98f411e2107cfc7f9ab2262699245d7b47cc8562f24f88986b71f41a27894a
SHA512: 38869f2cea5ef5f88ce4a8ef775100444982ae6a2fc387b36f373e0b8448d04ff58f4bc16bf0c4bbc983bb85783c20a16ce0b6a149e9797012d810e13da940e2