Analysis
max time kernel: 48s
max time network: 40s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 17:34
Behavioral task: behavioral1
Sample: bound.exe
Resource: win7-20240508-en
General
Target: bound.exe
Size: 348KB
MD5: 0ae23c1f2280f21b756d59c3590f1f9e
SHA1: b2f42f4f3cc053a41c2c5a4b981e3951ece66632
SHA256: e2ccf4d25499df5ed69b0b1a8d78c159c6873a86bfe8b3e07eae41516b3d6709
SHA512: 5989bd7704a9f7cfb608d347f2c4ad262165f093078a55675418953b81a1346a80fb8c61031b8a2ed6d8548376691b1f2d8e076b0d77964d17178292d931aae2
SSDEEP: 6144:nm2NHXf500MCB/7JWQ7vVjvVDpGbMODP43YxpG+kN8/xM/y:Nd5089W8pMDPZxJ085uy
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: NEW
C2: hanezack.ddns.net:1005
Mutex: QSR_MUTEX_pnKSaWFUwQX1pUWVc9
Attributes:
  encryption_key: dFDp0i8Pk4OpqeTcstEK
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures
Quasar payload (1 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2344-1-0x0000000000B60000-0x0000000000BBE000-memory.dmp  family_quasar
Deletes itself (1 IoCs)
  pid   process
  2548  cmd.exe
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     ip-api.com
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2344  bound.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  2344  bound.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process    target process
  PID 2344 wrote to memory of 2548  2344  bound.exe  cmd.exe
  PID 2344 wrote to memory of 2548  2344  bound.exe  cmd.exe
  PID 2344 wrote to memory of 2548  2344  bound.exe  cmd.exe
  PID 2344 wrote to memory of 2548  2344  bound.exe  cmd.exe
  PID 2548 wrote to memory of 1552  2548  cmd.exe    chcp.com
  PID 2548 wrote to memory of 1552  2548  cmd.exe    chcp.com
  PID 2548 wrote to memory of 1552  2548  cmd.exe    chcp.com
  PID 2548 wrote to memory of 1552  2548  cmd.exe    chcp.com
  PID 2548 wrote to memory of 2956  2548  cmd.exe    PING.EXE
  PID 2548 wrote to memory of 2956  2548  cmd.exe    PING.EXE
  PID 2548 wrote to memory of 2956  2548  cmd.exe    PING.EXE
  PID 2548 wrote to memory of 2956  2548  cmd.exe    PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\bound.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bound.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\12a65O83u0Rb.bat" "
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\chcp.com
         Command line: chcp 65001
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping -n 10 localhost
         - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\12a65O83u0Rb.bat
  Filesize: 257B
  MD5: 8683ea09aee1d7a56a06c46e1d8144a7
  SHA1: 0912520fd9d16e6514f23920d26af071766e650e
  SHA256: cc7e1b8463385e328cb5892cf4be88873d5155eb9a25c480fa55f6b40589b73c
  SHA512: df833c7dc8076f833a5c461fce928b49193b359403eb86b6645f5ec622dd34beec4e55ef8da3a6a5cc2081793fe47e48ebe06ae7fd87fd68978a19ff6c3f05c0
C:\Users\Admin\AppData\Roaming\Logs\07-02-~1
  Filesize: 224B
  MD5: 400614406d464d9db2ac2df8c36e013a
  SHA1: 575624fb44150324e78ee114dc90d2ff47110176
  SHA256: 8abcc4293f2b33bdde6504dd1ce04345a3a08f3875f7b5ec4def2d03797fe5f2
  SHA512: eb3ec09ae61e9215a6d522e0cb3e00b33b2df255f562e29d17da0af930cf3898c920465f0dd508cfa15bf9f871e4df21607e31cbcc857309e7b436b6118cdf89
memory/2344-0-0x000000007476E000-0x000000007476F000-memory.dmp
  Filesize: 4KB
memory/2344-1-0x0000000000B60000-0x0000000000BBE000-memory.dmp
  Filesize: 376KB
memory/2344-2-0x0000000074760000-0x0000000074E4E000-memory.dmp
  Filesize: 6.9MB
memory/2344-4-0x000000007476E000-0x000000007476F000-memory.dmp
  Filesize: 4KB
memory/2344-5-0x0000000074760000-0x0000000074E4E000-memory.dmp
  Filesize: 6.9MB
memory/2344-15-0x0000000074760000-0x0000000074E4E000-memory.dmp
  Filesize: 6.9MB