Analysis

max time kernel: 139s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 03:28

Static task: static1
Behavioral task: behavioral1
Sample: e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe
Resource: win7-20240903-en
General

Target: e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe
Size: 3.7MB
MD5: 96493f8a0252e4e492de924d83db5a8a
SHA1: 09dad264469e86a858f0183ed6e5bfe2d53781f4
SHA256: e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879
SHA512: 29d6192b4aae0af83fe15d015be5cf3e1b8832e154c6e847d71de1834c30421f435192490fc9f5b868c99e71f2bbdb92685582985ece2e7694d02799cd315b78
SSDEEP: 49152:wBeT66BYzsKDeAo4hJFXMOqlI9XGhvPEpCaZKfpObuLkEnmnK0QnFRhe5+ET8QVY:TTF7GbIlDvPEpz4ptnHhK87nhUnIJb
Malware Config

Extracted family: quasar
Version: 1.4.1
Botnet: JEKWU
C2: Zyg.ydns.eu:5829, Opy.ydns.eu:5829
Mutex: 9c58b2ba-07eb-415a-b48b-21bbb68d32285e
encryption_key: C5B555A83D127A9553D4FB1FCECB35CE8E91A447
install_name: outlooks.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Outlooks
subdirectory: WindowsUpdates
Signatures

Quasar family

Quasar payload (1 IoC)
- resource: behavioral2/memory/3144-48-0x0000000000400000-0x0000000000724000-memory.dmp, yara_rule: family_quasar

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 3716 powershell.exe
- pid 2176 powershell.exe
- pid 5020 powershell.exe
- pid 3956 powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (outlooks.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe)

Executes dropped EXE (2 IoCs)
- pid 4324 outlooks.exe
- pid 4964 outlooks.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 2256 set thread context of 3144 (pid 2256, e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 104)
- PID 4324 set thread context of 4964 (pid 4324, outlooks.exe, procid_target 117)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Opened by: schtasks.exe (4 times), powershell.exe (4 times), outlooks.exe (2 times), e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe (2 times)

Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 3652 schtasks.exe
- pid 3192 schtasks.exe
- pid 3432 schtasks.exe
- pid 4124 schtasks.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- pid 3716 powershell.exe (2 times)
- pid 2176 powershell.exe (2 times)
- pid 2256 e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe (4 times)
- pid 3956 powershell.exe (2 times)
- pid 5020 powershell.exe (2 times)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeDebugPrivilege, pid 3716 powershell.exe
- Token: SeDebugPrivilege, pid 2176 powershell.exe
- Token: SeDebugPrivilege, pid 2256 e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe
- Token: SeDebugPrivilege, pid 3144 e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe
- Token: SeDebugPrivilege, pid 5020 powershell.exe
- Token: SeDebugPrivilege, pid 3956 powershell.exe
- Token: SeDebugPrivilege, pid 4964 outlooks.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 4964 outlooks.exe

Suspicious use of WriteProcessMemory (49 IoCs; identical consecutive entries are collapsed with a count)
- PID 2256 wrote to memory of 3716 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 96), 3 times
- PID 2256 wrote to memory of 2176 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 98), 3 times
- PID 2256 wrote to memory of 3432 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 100), 3 times
- PID 2256 wrote to memory of 1584 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 102), 3 times
- PID 2256 wrote to memory of 4632 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 103), 3 times
- PID 2256 wrote to memory of 3144 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 104), 8 times
- PID 3144 wrote to memory of 4124 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 105), 3 times
- PID 3144 wrote to memory of 4324 (e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe, procid_target 107), 3 times
- PID 4324 wrote to memory of 5020 (outlooks.exe, procid_target 111), 3 times
- PID 4324 wrote to memory of 3956 (outlooks.exe, procid_target 113), 3 times
- PID 4324 wrote to memory of 3652 (outlooks.exe, procid_target 115), 3 times
- PID 4324 wrote to memory of 4964 (outlooks.exe, procid_target 117), 8 times
- PID 4964 wrote to memory of 3192 (outlooks.exe, procid_target 118), 3 times
Processes

- C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe (PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3716, child of 2256)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2176, child of 2256)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EPhabVgXw.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 3432, child of 2256)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8AD.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe (PID 1584, child of 2256)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"

  - C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe (PID 4632, child of 2256)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"

  - C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe (PID 3144, child of 2256)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe (PID 4124, child of 3144)
      Command line: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    - C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe (PID 4324, child of 3144)
      Command line: "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5020, child of 4324)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3956, child of 4324)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EPhabVgXw.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\schtasks.exe (PID 3652, child of 4324)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C2C.tmp"
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

      - C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe (PID 4964, child of 4324)
        Command line: "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\schtasks.exe (PID 3192, child of 4964)
          Command line: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe.log (Filesize: 1KB)