quasar | 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

Analysis

max time kernel
98s
max time network
196s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
Size

348KB
MD5

be1958cb2bbcde1fa0ebbdc73a579fff
SHA1

d91235298ccc73a1712407db6ff7b83225e66c82
SHA256

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
SHA512

e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Score

10^/10

quasar infected persistence spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

INFECTED

mpapwpodllalw:4787

Mutex

QSR_MUTEX_ZHiYRTyEwnDVythpPG

Attributes

encryption_key
JJ24c9vhc2iN2AuqTdrZ
install_name
lclsrv.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Microsoft SMB Filter 2.0
subdirectory
Windows

Signatures

Quasar Payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/964-54-0x0000000000D20000-0x0000000000D7E000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
behavioral1/memory/1164-61-0x0000000000260000-0x00000000002BE000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

1704 schtasks.exe
2 ip-api.com
6 api.ipify.org
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata
Executes dropped EXE 2 IoCs

Processes:

lclsrv.exelclsrv.exe

pid process

1164 lclsrv.exe
436 lclsrv.exe

pid	process
1704	schtasks.exe
2	ip-api.com
6	api.ipify.org

pid	process
1164	lclsrv.exe
436	lclsrv.exe

Loads dropped DLL 6 IoCs

Processes:

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exeWerFault.exe

pid	process
964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
1380	WerFault.exe
1380	WerFault.exe
1380	WerFault.exe
1380	WerFault.exe
1380	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft SMB Filter 2.0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe\""	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
6 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1380 1164 WerFault.exe lclsrv.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1704 schtasks.exe
584 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1264 PING.EXE

flow	ioc
2	ip-api.com
6	api.ipify.org

pid	pid_target	process	target process
1380	1164	WerFault.exe	lclsrv.exe

pid	process
1704	schtasks.exe
584	schtasks.exe

pid	process
1264	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exelclsrv.exe

description	pid	process
Token: SeDebugPrivilege	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
Token: SeDebugPrivilege	1164	lclsrv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lclsrv.exe

pid process

1164 lclsrv.exe

pid	process
1164	lclsrv.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exelclsrv.execmd.exe

description	pid	process	target process
PID 964 wrote to memory of 1704	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	schtasks.exe
PID 964 wrote to memory of 1704	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	schtasks.exe
PID 964 wrote to memory of 1704	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	schtasks.exe
PID 964 wrote to memory of 1704	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	schtasks.exe
PID 964 wrote to memory of 1164	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	lclsrv.exe
PID 964 wrote to memory of 1164	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	lclsrv.exe
PID 964 wrote to memory of 1164	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	lclsrv.exe
PID 964 wrote to memory of 1164	964	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	lclsrv.exe
PID 1164 wrote to memory of 584	1164	lclsrv.exe	schtasks.exe
PID 1164 wrote to memory of 584	1164	lclsrv.exe	schtasks.exe
PID 1164 wrote to memory of 584	1164	lclsrv.exe	schtasks.exe
PID 1164 wrote to memory of 584	1164	lclsrv.exe	schtasks.exe
PID 1164 wrote to memory of 1280	1164	lclsrv.exe	cmd.exe
PID 1164 wrote to memory of 1280	1164	lclsrv.exe	cmd.exe
PID 1164 wrote to memory of 1280	1164	lclsrv.exe	cmd.exe
PID 1164 wrote to memory of 1280	1164	lclsrv.exe	cmd.exe
PID 1280 wrote to memory of 1112	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1112	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1112	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1112	1280	cmd.exe	chcp.com
PID 1164 wrote to memory of 1380	1164	lclsrv.exe	WerFault.exe
PID 1164 wrote to memory of 1380	1164	lclsrv.exe	WerFault.exe
PID 1164 wrote to memory of 1380	1164	lclsrv.exe	WerFault.exe
PID 1164 wrote to memory of 1380	1164	lclsrv.exe	WerFault.exe
PID 1280 wrote to memory of 1264	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 1264	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 1264	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 1264	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 436	1280	cmd.exe	lclsrv.exe
PID 1280 wrote to memory of 436	1280	cmd.exe	lclsrv.exe
PID 1280 wrote to memory of 436	1280	cmd.exe	lclsrv.exe
PID 1280 wrote to memory of 436	1280	cmd.exe	lclsrv.exe

C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
"C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:1704

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oG177jQhFjkx.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1264

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
4⤵
- Executes dropped EXE
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1488
3⤵
- Loads dropped DLL
- Program crash
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oG177jQhFjkx.bat
Filesize
208B

MD5
2795bdd1f8721a1e403c935297702bbd

SHA1
df8a2a8cac4246b963605ab69b4e30aedbd22149

SHA256
4c699dc2033d735895852eaf1538fa5adb9e4ba39bfe322bef1593296b1a565f

SHA512
49e765b215061c412d796496e9d39a08722eea2e96188ad10c7b828ca0f9438cb529879cfdee58a3ec0065d591178d70cfc21cd4c5c525e6c55f6564751ce38c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
memory/436-74-0x0000000000000000-mapping.dmp

Download
memory/584-63-0x0000000000000000-mapping.dmp

Download
memory/964-54-0x0000000000D20000-0x0000000000D7E000-memory.dmp

Filesize
376KB

Download
memory/964-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1112-66-0x0000000000000000-mapping.dmp

Download
memory/1164-61-0x0000000000260000-0x00000000002BE000-memory.dmp

Filesize
376KB

Download
memory/1164-58-0x0000000000000000-mapping.dmp

Download
memory/1264-72-0x0000000000000000-mapping.dmp

Download
memory/1280-64-0x0000000000000000-mapping.dmp

Download
memory/1380-67-0x0000000000000000-mapping.dmp

Download
memory/1704-56-0x0000000000000000-mapping.dmp

Download