Analysis
  Max time kernel:   91s
  Max time network:  154s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-20241007-en
  Resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:         19-12-2024 11:34
  Static task:       static1
  Behavioral task:   behavioral1
    Sample:    2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
    Resource:  win7-20240708-en
General
  Target:  2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
  Size:    85.2MB
  MD5:     207d3610cb4305546ae3730c433cec24
  SHA1:    dbaa88cff0954154133da02cfe8945660fed53f7
  SHA256:  2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0
  SHA512:  0f803879d9feba1053b9a4306d62a9c9175cc0e96bf90dfa10cae8f909925a735e35d46d8bef44bd8a3a657dd27634d65cee3dcdc6400540d9819a09f394edf5
  SSDEEP:  393216:54TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2o:5KRVQxhu0P8Lq1LEvxOOx5Sba
Malware Config
  Extracted
    Family:  quasar
    1.4.1
    NEURO
    51.15.17.193:4782
    1f6c9ecc-c030-43a4-bbf2-21326400cbb5
    encryption_key:   97599F6E5D14A784CC4DD36B18A277119042FDA8
    install_name:     Client.exe
    log_directory:    Logs
    reconnect_delay:  3000
    startup_key:      Quasar Client Startup
    subdirectory:     SubDir
Signatures
  Quasar family

  Quasar payload (1 IoC)
    Resource:   behavioral2/memory/2120-36-0x0000021A20C30000-0x0000021A20F54000-memory.dmp
    YARA rule:  family_quasar

  System Binary Proxy Execution: Regsvcs/Regasm (1 TTP, 2 IoCs)
    Abuse Regasm to proxy execution of malicious code.
    File created:  C:\Users\Admin\AppData\Local\Temp\RegAsm.exe  (process: 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe)
    Key opened:    \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe  (process: cmd.exe)

  Drops startup file (1 IoC)
    File created:  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url  (process: 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe)

  Executes dropped EXE (1 IoC)
    PID 2120  RegAsm.exe

  PID 2276  powershell.exe

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    PID 2276  powershell.exe
    PID 2276  powershell.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege  PID 2276  powershell.exe
    Token: SeDebugPrivilege  PID 2120  RegAsm.exe

  Suspicious use of WriteProcessMemory (16 IoCs)
    (description | pid | process | procid_target)
    PID 2676 wrote to memory of 4488 | 2676 | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe | 84
    PID 2676 wrote to memory of 4488 | 2676 | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe | 84
    PID 4488 wrote to memory of 2032 | 4488 | cmd.exe | 85
    PID 4488 wrote to memory of 2032 | 4488 | cmd.exe | 85
    PID 4488 wrote to memory of 2276 | 4488 | cmd.exe | 86
    PID 4488 wrote to memory of 2276 | 4488 | cmd.exe | 86
    PID 2276 wrote to memory of 1872 | 2276 | powershell.exe | 87
    PID 2276 wrote to memory of 1872 | 2276 | powershell.exe | 87
    PID 1872 wrote to memory of 2912 | 1872 | csc.exe | 88
    PID 1872 wrote to memory of 2912 | 1872 | csc.exe | 88
    PID 2676 wrote to memory of 1140 | 2676 | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe | 89
    PID 2676 wrote to memory of 1140 | 2676 | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe | 89
    PID 1140 wrote to memory of 2120 | 1140 | cmd.exe | 90
    PID 1140 wrote to memory of 2120 | 1140 | cmd.exe | 90
    PID 2676 wrote to memory of 3480 | 2676 | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe | 104
    PID 2676 wrote to memory of 3480 | 2676 | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe | 104
Processes
  [1] PID 2676  C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe"
      Signatures: System Binary Proxy Execution: Regsvcs/Regasm; Drops startup file; Suspicious use of WriteProcessMemory

    [2] PID 4488  C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
        Signatures: Suspicious use of WriteProcessMemory

      [3] PID 2032  C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "

      [3] PID 2276  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -noprofile -
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        [4] PID 1872  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\224roxre\224roxre.cmdline"
            Signatures: Suspicious use of WriteProcessMemory

          [5] PID 2912  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC870.tmp" "c:\Users\Admin\AppData\Local\Temp\224roxre\CSC6B2D58CED1B24907A471F863E6FA48B9.TMP"

    [2] PID 1140  C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
        Signatures: System Binary Proxy Execution: Regsvcs/Regasm; Suspicious use of WriteProcessMemory

      [3] PID 2120  C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

    [2] PID 3480  C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\Neurocoin.exe"
Network
  Remote address 8.8.8.8:53
    Request:  8.8.8.8.in-addr.arpa  IN PTR
    Response: 8.8.8.8.in-addr.arpa  IN PTR  dns.google

  Remote address 8.8.8.8:53
    Request:  149.220.183.52.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  172.214.232.199.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  95.221.229.192.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  69.31.126.40.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  glonas.am  IN A
    Response: glonas.am  IN A  104.21.78.102
              glonas.am  IN A  172.67.220.55

  Remote address 8.8.8.8:53
    Request:  102.78.21.104.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  ipwho.is  IN A
    Response: ipwho.is  IN A  195.201.57.90

  Remote address 195.201.57.90:443
    Request:
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
      Host: ipwho.is
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Content-Type: application/json; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: ipwhois
      Access-Control-Allow-Headers: *
      X-Robots-Tag: noindex

  Remote address 8.8.8.8:53
    Request:  193.17.15.51.in-addr.arpa  IN PTR
    Response: 193.17.15.51.in-addr.arpa  IN PTR  51-15-17-193.rev.poneytelecom.eu

  Remote address 8.8.8.8:53
    Request:  90.57.201.195.in-addr.arpa  IN PTR
    Response: 90.57.201.195.in-addr.arpa  IN PTR  static.90.57.201.195.clients.your-server.de

  Remote address 8.8.8.8:53
    Request:  28.118.140.52.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  209.205.72.20.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  212.20.149.52.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  171.39.242.20.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  172.210.232.199.in-addr.arpa  IN PTR
    Response: (empty)

  Remote address 8.8.8.8:53
    Request:  29.243.111.52.in-addr.arpa  IN PTR
    Response: (empty)
  Traffic summary (remote address, domain, protocol, process, then byte and packet counts as reported)

  104.21.78.102:443  glonas.am  tls  2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe  1.2kB  4.5kB  13  13

  2.0kB  2.9kB  20  17

  923 B  6.3kB  10  10
    HTTP Request:   GET https://ipwho.is/
    HTTP Response:  200

  66 B  90 B  1  1
    DNS Request:  8.8.8.8.in-addr.arpa

  73 B  147 B  1  1
    DNS Request:  149.220.183.52.in-addr.arpa

  74 B  128 B  1  1
    DNS Request:  172.214.232.199.in-addr.arpa

  73 B  144 B  1  1
    DNS Request:  95.221.229.192.in-addr.arpa

  71 B  157 B  1  1
    DNS Request:  69.31.126.40.in-addr.arpa

  55 B  87 B  1  1
    DNS Request:   glonas.am
    DNS Response:  104.21.78.102, 172.67.220.55

  72 B  134 B  1  1
    DNS Request:  102.78.21.104.in-addr.arpa

  54 B  70 B  1  1
    DNS Request:   ipwho.is
    DNS Response:  195.201.57.90

  71 B  117 B  1  1
    DNS Request:  193.17.15.51.in-addr.arpa

  72 B  129 B  1  1
    DNS Request:  90.57.201.195.in-addr.arpa

  72 B  158 B  1  1
    DNS Request:  28.118.140.52.in-addr.arpa

  72 B  158 B  1  1
    DNS Request:  209.205.72.20.in-addr.arpa

  72 B  146 B  1  1
    DNS Request:  212.20.149.52.in-addr.arpa

  72 B  158 B  1  1
    DNS Request:  171.39.242.20.in-addr.arpa

  74 B  128 B  1  1
    DNS Request:  172.210.232.199.in-addr.arpa

  72 B  158 B  1  1
    DNS Request:  29.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads