Analysis
max time kernel: 91s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2024 06:40
Static task: static1
Behavioral task: behavioral1
Sample: dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Resource: win7-20241010-en
General
Target: dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Size: 83.0MB
MD5: 4117eceb35a8705eba8b0ed2148ad7d7
SHA1: 1f0f47d0f8fc9f7d11467681473c563bf3624834
SHA256: dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949
SHA512: ad1fb197cf8fc7ebc536bd8787b655e8bd947e23ea64ad7a6da16238f5d4b4f8b3f0e30efc01ce0c0bc27f31dad1afdd97bb13aae3992a78e5214c7b761c4fe0
SSDEEP: 393216:T4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2W:TKRVQxhu0P8Lq1LEvxOOx5Sk
Malware Config
Extracted
family: quasar
version: 1.4.1
botnet: Staking
c2: 51.15.17.193:4782
mutex: ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4
encryption_key: 97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar family
Quasar payload 1 IoCs
resource: behavioral2/memory/2276-39-0x00000137E4F60000-0x00000137E5284000-memory.dmp
yara_rule: family_quasar
System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs
Abuse Regasm to proxy execution of malicious code.
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | cmd.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Executes dropped EXE 1 IoCs
pid | Process
2276 | RegAsm.exe
Command and Scripting Interpreter: PowerShell 1 IoCs
pid | Process
2552 | powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2552 | powershell.exe
2552 | powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2552 | powershell.exe
Token: SeDebugPrivilege | 2276 | RegAsm.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 2876 wrote to memory of 4756 | 2876 | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe | 84
PID 2876 wrote to memory of 4756 | 2876 | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe | 84
PID 4756 wrote to memory of 540 | 4756 | cmd.exe | 85
PID 4756 wrote to memory of 540 | 4756 | cmd.exe | 85
PID 4756 wrote to memory of 2552 | 4756 | cmd.exe | 86
PID 4756 wrote to memory of 2552 | 4756 | cmd.exe | 86
PID 2552 wrote to memory of 3928 | 2552 | powershell.exe | 87
PID 2552 wrote to memory of 3928 | 2552 | powershell.exe | 87
PID 3928 wrote to memory of 1648 | 3928 | csc.exe | 88
PID 3928 wrote to memory of 1648 | 3928 | csc.exe | 88
PID 2876 wrote to memory of 5016 | 2876 | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe | 89
PID 2876 wrote to memory of 5016 | 2876 | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe | 89
PID 5016 wrote to memory of 2276 | 5016 | cmd.exe | 90
PID 5016 wrote to memory of 2276 | 5016 | cmd.exe | 90
PID 2876 wrote to memory of 5028 | 2876 | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe | 91
PID 2876 wrote to memory of 5028 | 2876 | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe | 91
Processes
Image: C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe"
PID: 2876
- System Binary Proxy Execution: Regsvcs/Regasm
- Drops startup file
- Suspicious use of WriteProcessMemory
    Image: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
    PID: 4756
    - Suspicious use of WriteProcessMemory
        Image: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
        PID: 540
        Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -noprofile -
        PID: 2552
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
            Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkeblmsi\nkeblmsi.cmdline"
            PID: 3928
            - Suspicious use of WriteProcessMemory
                Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7B7.tmp" "c:\Users\Admin\AppData\Local\Temp\nkeblmsi\CSC846EB28DA9CE48E7A217821F679F181.TMP"
                PID: 1648
    Image: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
    PID: 5016
    - System Binary Proxy Execution: Regsvcs/Regasm
    - Suspicious use of WriteProcessMemory
        Image: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        PID: 2276
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    Image: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\BTCTools1.exe"
    PID: 5028
Network
MITRE ATT&CK Enterprise v15
Downloads