quasar | cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb

Analysis

max time kernel
7s
max time network
63s
platform
windows10_x64
resource
win10
submitted
17-07-2020 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Timsistem_Product_Specifications - 2020.07.17.exe
Size

759KB
MD5

6998368a7e9f5e063f5b5a0090112545
SHA1

c7659c9e1b683d7044267b6960a30ca6473ca945
SHA256

cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
SHA512

d5044c8d53cfa2483b9f923fd2eca3f9c50ff97712ac36a2d33792ef7fc5ee9cbf504128d9a280130668cadb49b132f6de278fdbbc58b18ee07b5ee0e3bc210e

Score

10^/10

quasar spyware trojan upx

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Executes dropped EXE 10 IoCs

pid	Process
3236	taskmgr.exe
3488	taskmgr.exe
3812	taskmgr.exe
3008	svchost.exe
2668	taskmgr.exe
3692	taskmgr.exe
664	taskmgr.exe
2116	taskmgr.exe
3808	taskmgr.exe
996	taskmgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3488-4-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/3488-8-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/3488-9-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA	taskmgr.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	taskmgr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3236 set thread context of 3488	3236	taskmgr.exe	69
PID 2668 set thread context of 3692	2668	taskmgr.exe	77
PID 2116 set thread context of 3808	2116	taskmgr.exe	80

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3280	schtasks.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe:ZoneIdentifier	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3748	Timsistem_Product_Specifications - 2020.07.17.exe
3748	Timsistem_Product_Specifications - 2020.07.17.exe
3236	taskmgr.exe
3236	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3236	taskmgr.exe
2668	taskmgr.exe
2116	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	taskmgr.exe
Token: SeDebugPrivilege	3692	taskmgr.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 3956	3748	Timsistem_Product_Specifications - 2020.07.17.exe	67
PID 3748 wrote to memory of 3956	3748	Timsistem_Product_Specifications - 2020.07.17.exe	67
PID 3748 wrote to memory of 3956	3748	Timsistem_Product_Specifications - 2020.07.17.exe	67
PID 3748 wrote to memory of 3956	3748	Timsistem_Product_Specifications - 2020.07.17.exe	67
PID 3748 wrote to memory of 3956	3748	Timsistem_Product_Specifications - 2020.07.17.exe	67
PID 3956 wrote to memory of 3236	3956	notepad.exe	68
PID 3956 wrote to memory of 3236	3956	notepad.exe	68
PID 3956 wrote to memory of 3236	3956	notepad.exe	68
PID 3236 wrote to memory of 3488	3236	taskmgr.exe	69
PID 3236 wrote to memory of 3488	3236	taskmgr.exe	69
PID 3236 wrote to memory of 3488	3236	taskmgr.exe	69
PID 3236 wrote to memory of 3812	3236	taskmgr.exe	70
PID 3236 wrote to memory of 3812	3236	taskmgr.exe	70
PID 3236 wrote to memory of 3812	3236	taskmgr.exe	70
PID 3488 wrote to memory of 3280	3488	taskmgr.exe	72
PID 3488 wrote to memory of 3280	3488	taskmgr.exe	72
PID 3488 wrote to memory of 3280	3488	taskmgr.exe	72
PID 3488 wrote to memory of 3008	3488	taskmgr.exe	74
PID 3488 wrote to memory of 3008	3488	taskmgr.exe	74
PID 3488 wrote to memory of 3008	3488	taskmgr.exe	74
PID 3008 wrote to memory of 496	3008	svchost.exe	75
PID 3008 wrote to memory of 496	3008	svchost.exe	75
PID 3008 wrote to memory of 496	3008	svchost.exe	75
PID 3008 wrote to memory of 496	3008	svchost.exe	75
PID 3008 wrote to memory of 496	3008	svchost.exe	75
PID 3812 wrote to memory of 2668	3812	taskmgr.exe	76
PID 3812 wrote to memory of 2668	3812	taskmgr.exe	76
PID 3812 wrote to memory of 2668	3812	taskmgr.exe	76
PID 2668 wrote to memory of 3692	2668	taskmgr.exe	77
PID 2668 wrote to memory of 3692	2668	taskmgr.exe	77
PID 2668 wrote to memory of 3692	2668	taskmgr.exe	77
PID 2668 wrote to memory of 664	2668	taskmgr.exe	78
PID 2668 wrote to memory of 664	2668	taskmgr.exe	78
PID 2668 wrote to memory of 664	2668	taskmgr.exe	78
PID 496 wrote to memory of 2116	496	notepad.exe	79
PID 496 wrote to memory of 2116	496	notepad.exe	79
PID 496 wrote to memory of 2116	496	notepad.exe	79
PID 2116 wrote to memory of 3808	2116	taskmgr.exe	80
PID 2116 wrote to memory of 3808	2116	taskmgr.exe	80
PID 2116 wrote to memory of 3808	2116	taskmgr.exe	80
PID 2116 wrote to memory of 996	2116	taskmgr.exe	81
PID 2116 wrote to memory of 996	2116	taskmgr.exe	81
PID 2116 wrote to memory of 996	2116	taskmgr.exe	81

C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.17.exe
"C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.17.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Drops startup file
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3280
    - - C:\Windows\SysWOW64\SubDir\svchost.exe
        
        "C:\Windows\SysWOW64\SubDir\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        6⤵
        Drops startup file
        NTFS ADS
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        8⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 3808 68046
        8⤵
        Executes dropped EXE
        
        PID:996
  - - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 3488 63671
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3812
    - - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
      - C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 3692 67515
        6⤵
        Executes dropped EXE
        
        PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3488-4-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3488-8-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3488-12-0x00000000022E2000-0x00000000022E3000-memory.dmp

Filesize
4KB

Download
memory/3488-11-0x00000000021D0000-0x0000000002232000-memory.dmp

Filesize
392KB

Download
memory/3488-9-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3692-30-0x0000000000B12000-0x0000000000B13000-memory.dmp

Filesize
4KB

Download
memory/3692-28-0x0000000002220000-0x0000000002282000-memory.dmp

Filesize
392KB

Download
memory/3808-40-0x00000000021E0000-0x0000000002242000-memory.dmp

Filesize
392KB

Download
memory/3808-42-0x0000000002272000-0x0000000002273000-memory.dmp

Filesize
4KB

Download