Analysis

max time kernel: 142s
max time network: 150s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250128-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 29-01-2025 14:10

Static task: static1
Behavioral task: behavioral1
Sample: random.exe
Resource: win7-20240903-en
General

Target: random.exe
Size: 2.6MB
MD5: 6416961fe33e1461e8f5c455c2cf0ec9
SHA1: 190754691dffb4d873bd32f48722d150d338f51d
SHA256: 616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1
SHA512: 8fe2fa84a62cf92d1136110e0b39bfb7f07646816ff9d9944a0d8523d26d2f2d46653ec2a9f1153fac6b3c585e0f742753959d496cab1f5a62c761dd0db1fc18
SSDEEP: 49152:Ux8Gt7KDrJd8spKaFxZWVAItl6dXg84Hk6BOUjbqmQnN/DAP8khk2d4zV:C974P57k6dQ8bIO2uN/DAP8khkj
Malware Config

Extracted
Family: quasar
Version: 1.4.1
1
87.228.57.81:4782
f832b3aa-9229-4dd0-81ec-c101146b1831

encryption_key: 19A0FAF8459F69650B5965C225752D425C429EEC
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (1 IoCs)
  resource: behavioral2/memory/2872-83-0x000000001C2D0000-0x000000001C5F4000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\International\Geo\Nation (random.tmp)

Executes dropped EXE (2 IoCs)
  pid   Process
  4224  random.tmp
  4264  random.tmp

Loads dropped DLL (8 IoCs)
  pid   Process
  4224  random.tmp
  4224  random.tmp
  4264  random.tmp
  4264  random.tmp
  4636  regsvr32.exe
  2872  regsvr32.exe
  1144  regsvr32.EXE
  4080  regsvr32.EXE

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run Powershell to execute payload.
  pid   Process
  4932  powershell.exe
  2444  powershell.exe
  3836  powershell.exe
  4512  powershell.exe
  2444  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (random.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (random.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (random.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (random.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)

Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid   Process         count
  4264  random.tmp      2
  2872  regsvr32.exe    2
  4932  powershell.exe  2
  2444  powershell.exe  2
  2872  regsvr32.exe    2
  1144  regsvr32.EXE    2
  3836  powershell.exe  2
  1144  regsvr32.EXE    2
  4080  regsvr32.EXE    2
  4512  powershell.exe  2
  4080  regsvr32.EXE    2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 4932, powershell.exe (22 entries): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2444, powershell.exe (22 entries): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2444, powershell.exe (20 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4264  random.tmp
  2872  regsvr32.exe

Suspicious use of SendNotifyMessage (1 IoCs)
  pid   Process
  2872  regsvr32.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2872  regsvr32.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description                              pid   Process       procid_target  count
  PID 2248 wrote to memory of 4224         2248  random.exe    83             3
  PID 4224 wrote to memory of 4548         4224  random.tmp    84             3
  PID 4548 wrote to memory of 4264         4548  random.exe    85             3
  PID 4264 wrote to memory of 4636         4264  random.tmp    86             3
  PID 4636 wrote to memory of 2872         4636  regsvr32.exe  87             2
  PID 2872 wrote to memory of 4932         2872  regsvr32.exe  88             2
  PID 2872 wrote to memory of 2444         2872  regsvr32.exe  91             2
  PID 1144 wrote to memory of 3836         1144  regsvr32.EXE  95             2
  PID 4080 wrote to memory of 4512         4080  regsvr32.EXE  98             2
Processes

C:\Users\Admin\AppData\Local\Temp\random.exe (PID 2248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\random.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-HLTAH.tmp\random.tmp (PID 4224)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-HLTAH.tmp\random.tmp" /SL5="$7014C,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\random.exe (PID 4548)
      Command line: "C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\is-LQ6E0.tmp\random.tmp (PID 4264)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-LQ6E0.tmp\random.tmp" /SL5="$501CA,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe (PID 4636)
          Command line: "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\regsvr32.exe (PID 2872)
            Command line: /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4932)
              Command line: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2444)
              Command line: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{ACF8C0CD-AB3A-4F59-B223-8CA4269FFE44}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\regsvr32.EXE (PID 1144)
  Command line: "C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3836)
    Command line: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\regsvr32.EXE (PID 4080)
  Command line: "C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4512)
    Command line: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads