quasar | b46a76c6240983b927fa789dbfd5214bb513285da9205c52539736286346ddaf

Analysis

max time kernel
95s
max time network
145s
platform
windows7_x64
resource
win7
submitted
10/07/2020, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Design Drawing.exe
Size

616KB
MD5

f5c5c0ac89d31ce5f74c54ec5788ea8e
SHA1

29c098ffdcbd86961dfdd8e733cf89ea0e8cfc03
SHA256

b46a76c6240983b927fa789dbfd5214bb513285da9205c52539736286346ddaf
SHA512

878fb77271eeddf5db88b41e9f10350d24691d71115523067ebb023b0b2ce76d57399b79378cfdee089ecd7e6fe58edc8c44f4799b8b3fb5285fc7dc201be517

Score

10^/10

evasion spyware trojan quasar

Malware Config

Signatures

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 1080	284	Design Drawing.exe	24
PID 284 wrote to memory of 1080	284	Design Drawing.exe	24
PID 284 wrote to memory of 1080	284	Design Drawing.exe	24
PID 284 wrote to memory of 1080	284	Design Drawing.exe	24
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 284 wrote to memory of 1472	284	Design Drawing.exe	26
PID 1472 wrote to memory of 1900	1472	Design Drawing.exe	28
PID 1472 wrote to memory of 1900	1472	Design Drawing.exe	28
PID 1472 wrote to memory of 1900	1472	Design Drawing.exe	28
PID 1472 wrote to memory of 1900	1472	Design Drawing.exe	28
PID 1472 wrote to memory of 1920	1472	Design Drawing.exe	30
PID 1472 wrote to memory of 1920	1472	Design Drawing.exe	30
PID 1472 wrote to memory of 1920	1472	Design Drawing.exe	30
PID 1472 wrote to memory of 1920	1472	Design Drawing.exe	30
PID 1472 wrote to memory of 1948	1472	Design Drawing.exe	31
PID 1472 wrote to memory of 1948	1472	Design Drawing.exe	31
PID 1472 wrote to memory of 1948	1472	Design Drawing.exe	31
PID 1472 wrote to memory of 1948	1472	Design Drawing.exe	31
PID 1472 wrote to memory of 1580	1472	Design Drawing.exe	33
PID 1472 wrote to memory of 1580	1472	Design Drawing.exe	33
PID 1472 wrote to memory of 1580	1472	Design Drawing.exe	33
PID 1472 wrote to memory of 1580	1472	Design Drawing.exe	33
PID 1580 wrote to memory of 1536	1580	cmd.exe	35
PID 1580 wrote to memory of 1536	1580	cmd.exe	35
PID 1580 wrote to memory of 1536	1580	cmd.exe	35
PID 1580 wrote to memory of 1536	1580	cmd.exe	35
PID 1472 wrote to memory of 1592	1472	Design Drawing.exe	36
PID 1472 wrote to memory of 1592	1472	Design Drawing.exe	36
PID 1472 wrote to memory of 1592	1472	Design Drawing.exe	36
PID 1472 wrote to memory of 1592	1472	Design Drawing.exe	36
PID 1920 wrote to memory of 1068	1920	Client.exe	40
PID 1920 wrote to memory of 1068	1920	Client.exe	40
PID 1920 wrote to memory of 1068	1920	Client.exe	40
PID 1920 wrote to memory of 1068	1920	Client.exe	40
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1920 wrote to memory of 1444	1920	Client.exe	42
PID 1444 wrote to memory of 1032	1444	Client.exe	43
PID 1444 wrote to memory of 1032	1444	Client.exe	43
PID 1444 wrote to memory of 1032	1444	Client.exe	43
PID 1444 wrote to memory of 1032	1444	Client.exe	43

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 284 set thread context of 1472	284	Design Drawing.exe	26
PID 1920 set thread context of 1444	1920	Client.exe	42

Loads dropped DLL 2 IoCs

pid	Process
1472	Design Drawing.exe
1920	Client.exe

Executes dropped EXE 2 IoCs

pid	Process
1920	Client.exe
1444	Client.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Design Drawing.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Design Drawing.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Design Drawing.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Design Drawing.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	Design Drawing.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1920	Client.exe
Token: SeDebugPrivilege	1444	Client.exe
Token: SeDebugPrivilege	1444	Client.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1948	powershell.exe
1948	powershell.exe
1472	Design Drawing.exe
1472	Design Drawing.exe
1472	Design Drawing.exe
1472	Design Drawing.exe
1472	Design Drawing.exe
1472	Design Drawing.exe
1472	Design Drawing.exe
1920	Client.exe

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1472-4-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1472-6-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1472-7-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Design Drawing.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Design Drawing.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1080	schtasks.exe
1900	schtasks.exe
1068	schtasks.exe
1032	schtasks.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Design Drawing.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Design Drawing.exe

C:\Users\Admin\AppData\Local\Temp\Design Drawing.exe
"C:\Users\Admin\AppData\Local\Temp\Design Drawing.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:284
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vfzyVUJGZmoC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8861.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\Design Drawing.exe
  "C:\Users\Admin\AppData\Local\Temp\Design Drawing.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Modifies system certificate store
  - Windows security modification
  PID:1472
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Design Drawing.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1900
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Loads dropped DLL
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:1920
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vfzyVUJGZmoC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF259.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1068
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1444
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwTLRWnQ2LSD.bat" "
    3⤵
    PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1472-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1472-4-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download