Overview

overview

10

Static

static

d9f5f1872c...6c.exe

windows7_x64

10

d9f5f1872c...6c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 00:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9f5f1872cebecbcaa556c1d5371961731a7614fd141ba5040091a6e37b9346c.exe

  • Size

    1.5MB

  • MD5

    f822f2ba51ac484e1e32cabfcf78e240

  • SHA1

    5388a244ef7be66d3fc8e58e54c9f44dfc2e6396

  • SHA256

    d9f5f1872cebecbcaa556c1d5371961731a7614fd141ba5040091a6e37b9346c

  • SHA512

    671108fcb2b89bc06430df1cdd2ffc95ab9340bd01d394ba1c026b84689e54dadf1ac659852270a14a49d6a22fa6ac8f3192264f51c1c5dd36bc7df9375ee87c

Score
10/10
quasaroffice01spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office01

C2

174.139.46.13:4782

Mutex

QSR_MUTEX_mK2M7xovgh7rCUSa7M

Attributes
  • encryption_key

    0icGYPYyleDgljf1p7Zu

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Store

  • subdirectory

    Windows

Signatures

  • Quasar Payload 5 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9f5f1872cebecbcaa556c1d5371961731a7614fd141ba5040091a6e37b9346c.exe
    "C:\Users\Admin\AppData\Local\Temp\d9f5f1872cebecbcaa556c1d5371961731a7614fd141ba5040091a6e37b9346c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\AppData\Local\Temp\dll.exe
      "C:\Users\Admin\AppData\Local\Temp\dll.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Microsoft Store" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dll.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2876
      • C:\Users\Admin\AppData\Roaming\Windows\Client.exe
        "C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Microsoft Store" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dll.exe
    Filesize

    548KB

    MD5

    55a9c9861d5058eeffa6a7e8f80da7f4

    SHA1

    c18171180b61081a6087bf544c5150a26894896c

    SHA256

    7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

    SHA512

    e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\dll.exe
    Filesize

    548KB

    MD5

    55a9c9861d5058eeffa6a7e8f80da7f4

    SHA1

    c18171180b61081a6087bf544c5150a26894896c

    SHA256

    7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

    SHA512

    e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Windows\Client.exe
    Filesize

    548KB

    MD5

    55a9c9861d5058eeffa6a7e8f80da7f4

    SHA1

    c18171180b61081a6087bf544c5150a26894896c

    SHA256

    7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

    SHA512

    e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Windows\Client.exe
    Filesize

    548KB

    MD5

    55a9c9861d5058eeffa6a7e8f80da7f4

    SHA1

    c18171180b61081a6087bf544c5150a26894896c

    SHA256

    7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

    SHA512

    e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

    Download Submit
  • memory/952-145-0x0000000006330000-0x000000000636C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/952-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1584-140-0x00000000062B0000-0x00000000062C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1584-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1584-138-0x0000000000B90000-0x0000000000C20000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1584-139-0x0000000005660000-0x00000000056C6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2308-133-0x00000000051D0000-0x00000000051DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2308-130-0x0000000000600000-0x0000000000790000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2308-131-0x00000000057B0000-0x0000000005D54000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2308-132-0x0000000005120000-0x00000000051B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2308-134-0x00000000075F0000-0x000000000768C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2876-141-0x0000000000000000-mapping.dmp
    Download
  • memory/3944-146-0x0000000000000000-mapping.dmp
    Download