Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2024 02:21
Static task: static1
Behavioral task: behavioral1
Sample: 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
Resource: win7-20240903-en
General
- Target: 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
- Size: 85.2MB
- MD5: 207d3610cb4305546ae3730c433cec24
- SHA1: dbaa88cff0954154133da02cfe8945660fed53f7
- SHA256: 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0
- SHA512: 0f803879d9feba1053b9a4306d62a9c9175cc0e96bf90dfa10cae8f909925a735e35d46d8bef44bd8a3a657dd27634d65cee3dcdc6400540d9819a09f394edf5
- SSDEEP: 393216:54TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2o:5KRVQxhu0P8Lq1LEvxOOx5Sba
Malware Config
Extracted: quasar 1.4.1 NEURO 51.15.17.193:4782 1f6c9ecc-c030-43a4-bbf2-21326400cbb5
- encryption_key: 97599F6E5D14A784CC4DD36B18A277119042FDA8
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (1 IoCs)
  resource: behavioral2/memory/2228-36-0x00000259EF5E0000-0x00000259EF904000-memory.dmp, yara_rule: family_quasar
- System Binary Proxy Execution: Regsvcs/Regasm (1 TTPs, 2 IoCs)
  Abuse Regasm to proxy execution of malicious code.
  File created: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (process: 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe)
  Key opened: \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe (process: cmd.exe)
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url (process: 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe)
- Executes dropped EXE (1 IoCs)
  PID 2228 RegAsm.exe
- Command and Scripting Interpreter: PowerShell
  PID 4936 powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4936 powershell.exe
  PID 4936 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4936 powershell.exe
  Token: SeDebugPrivilege, PID 2228 RegAsm.exe
- Suspicious use of WriteProcessMemory (16 IoCs; columns: description, pid, process, procid_target)
  PID 2112 wrote to memory of 316 (2112, 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe, 84)
  PID 2112 wrote to memory of 316 (2112, 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe, 84)
  PID 316 wrote to memory of 1764 (316, cmd.exe, 85)
  PID 316 wrote to memory of 1764 (316, cmd.exe, 85)
  PID 316 wrote to memory of 4936 (316, cmd.exe, 86)
  PID 316 wrote to memory of 4936 (316, cmd.exe, 86)
  PID 4936 wrote to memory of 4720 (4936, powershell.exe, 87)
  PID 4936 wrote to memory of 4720 (4936, powershell.exe, 87)
  PID 4720 wrote to memory of 3416 (4720, csc.exe, 88)
  PID 4720 wrote to memory of 3416 (4720, csc.exe, 88)
  PID 2112 wrote to memory of 3372 (2112, 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe, 89)
  PID 2112 wrote to memory of 3372 (2112, 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe, 89)
  PID 3372 wrote to memory of 2228 (3372, cmd.exe, 90)
  PID 3372 wrote to memory of 2228 (3372, cmd.exe, 90)
  PID 2112 wrote to memory of 4740 (2112, 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe, 105)
  PID 2112 wrote to memory of 4740 (2112, 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe, 105)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe"
  PID: 2112
  Signatures: System Binary Proxy Execution: Regsvcs/Regasm; Drops startup file; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
    PID: 316
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
      PID: 1764
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -noprofile -
      PID: 4936
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3t4m1e23\3t4m1e23.cmdline"
        PID: 4720
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9867.tmp" "c:\Users\Admin\AppData\Local\Temp\3t4m1e23\CSC3C6186B4C41450FA3D0C3A36A896F1D.TMP"
          PID: 3416
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
    PID: 3372
    Signatures: System Binary Proxy Execution: Regsvcs/Regasm; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      PID: 2228
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\Neurocoin.exe"
    PID: 4740
-
Network
- Remote address: 8.8.8.8:53 | Request: 8.8.8.8.in-addr.arpa IN PTR | Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- Remote address: 8.8.8.8:53 | Request: 97.17.167.52.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 172.210.232.199.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 73.159.190.20.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: glonas.am IN A | Response: glonas.am IN A 172.67.220.55; glonas.am IN A 104.21.78.102
- Remote address: 8.8.8.8:53 | Request: 95.221.229.192.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 55.220.67.172.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 193.17.15.51.in-addr.arpa IN PTR | Response: 193.17.15.51.in-addr.arpa IN PTR 51-15-17-193.rev.poneytelecom.eu
- Remote address: 8.8.8.8:53 | Request: ipwho.is IN A | Response: ipwho.is IN A 195.201.57.90
- Remote address: 195.201.57.90:443
  Request:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
  Response:
  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Server: ipwhois
  Access-Control-Allow-Headers: *
  X-Robots-Tag: noindex
- Remote address: 8.8.8.8:53 | Request: 90.57.201.195.in-addr.arpa IN PTR | Response: 90.57.201.195.in-addr.arpa IN PTR static.90.57.201.195.clients.your-server.de
- Remote address: 8.8.8.8:53 | Request: 196.249.167.52.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 200.163.202.172.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 198.187.3.20.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 172.214.232.199.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 21.236.111.52.in-addr.arpa IN PTR | Response: none
- Remote address: 8.8.8.8:53 | Request: 91.16.208.104.in-addr.arpa IN PTR | Response: none
- 172.67.220.55:443 | glonas.am | tls | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe | 1.2kB 4.5kB 13 13
- 2.0kB 2.8kB 19 15
- 923 B 6.3kB 10 10
  HTTP Request: GET https://ipwho.is/
  HTTP Response: 200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
55 B 87 B 1 1
DNS Request
glonas.am
DNS Response
172.67.220.55, 104.21.78.102
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
55.220.67.172.in-addr.arpa
-
71 B 117 B 1 1
DNS Request
193.17.15.51.in-addr.arpa
-
54 B 70 B 1 1
DNS Request
ipwho.is
DNS Response
195.201.57.90
-
72 B 129 B 1 1
DNS Request
90.57.201.195.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
74 B 160 B 1 1
DNS Request
200.163.202.172.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
91.16.208.104.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads