Analysis

  • max time kernel
    141s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2023, 15:38

General

  • Target

    b5b0a0a082b9f9ed7e1216805dce73dc.exe

  • Size

    502KB

  • MD5

    b5b0a0a082b9f9ed7e1216805dce73dc

  • SHA1

    ebc4c036a30a003a399c6c1a6fd96fbd60cbbf35

  • SHA256

    486a7709a844ef4a1770299b51b3bdd519c8881ea3190705ab7890780998e84a

  • SHA512

    4c025030525fcbb0de7b7890ccf8c9b9c9e09bb25e1adbdc9f8e5e49097531c7bf4ebde85ec36409e743c3b079133d9527aae70c6bb5dc733aa2a671889b4158

  • SSDEEP

    6144:ITEgdc0YYXAGbgiIN2RSBMUZz6wudTEDQK6DkQfocEgOb8F9vWlM3lBi0U3vLcTQ:ITEgdfYqbgjqDkwp9WCY0UfLcdm

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

xsaz3412.duckdns.org:4782

Mutex

339a0ca9-655c-474f-ae0b-8b93c0a5acb0

Attributes
  • encryption_key

    5BA53C22C08AF30F643D1CE3AEA974DFD7C76979

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source .NET remote access tool. The values under Malware Config are the client's build settings: the C2 host and port it connects to, the mutex it holds to stay single-instance, the install name and subdirectory of the installed copy, and the startup key used as the name of its Run-key autostart entry.

  • Quasar payload 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic wording is "likely ransomware behaviour", but for a Quasar client drive enumeration belongs to its file-manager feature; this signature on its own is not evidence of ransomware.

  • Runs ping.exe 1 TTPs 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
    "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkyHZXGv6TsR.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1904
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:472
        • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
          "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1112
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\7VbLAAQpN2rk.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:1856
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:1020
              • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1608
                • C:\Windows\system32\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0LY2d5Tiaab7.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1224
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:1376
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • Runs ping.exe
                      PID:2008
                    • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                      "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                      7⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1308
                      • C:\Windows\system32\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGOdG5JQRtBM.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:960
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:1560
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • Runs ping.exe
                            PID:1752
                          • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                            "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                            9⤵
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1668
                            • C:\Windows\system32\cmd.exe
                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jfp5A4Gc3Wpd.bat" "
                              10⤵
                              • Suspicious use of WriteProcessMemory
                              PID:760
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                11⤵
                                  PID:1716
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  11⤵
                                  • Runs ping.exe
                                  PID:1616
                                • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                  "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                  11⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:316
                                  • C:\Windows\system32\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\L8lAiZ6HXr4I.bat" "
                                    12⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:916
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      13⤵
                                        PID:616
                                      • C:\Windows\system32\PING.EXE
                                        ping -n 10 localhost
                                        13⤵
                                        • Runs ping.exe
                                        PID:1780
                                      • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                        "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                        13⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:360
                                        • C:\Windows\system32\cmd.exe
                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\0d0OrJimuLju.bat" "
                                          14⤵
                                            PID:1608
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              15⤵
                                                PID:852
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                15⤵
                                                • Runs ping.exe
                                                PID:1788
                                              • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                15⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1192
                                                • C:\Windows\system32\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\f23xtBzx7SBw.bat" "
                                                  16⤵
                                                    PID:1764
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 65001
                                                      17⤵
                                                        PID:1688
                                                      • C:\Windows\system32\PING.EXE
                                                        ping -n 10 localhost
                                                        17⤵
                                                        • Runs ping.exe
                                                        PID:528
                                                      • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                        17⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:960
                                                        • C:\Windows\system32\cmd.exe
                                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\DU2rtXozgH2L.bat" "
                                                          18⤵
                                                            PID:1160
                                                            • C:\Windows\system32\chcp.com
                                                              chcp 65001
                                                              19⤵
                                                                PID:1716
                                                              • C:\Windows\system32\PING.EXE
                                                                ping -n 10 localhost
                                                                19⤵
                                                                • Runs ping.exe
                                                                PID:1352
                                                              • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                                19⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1712
                                                                • C:\Windows\system32\cmd.exe
                                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QzoNwL5GGTkQ.bat" "
                                                                  20⤵
                                                                    PID:1032
                                                                    • C:\Windows\system32\chcp.com
                                                                      chcp 65001
                                                                      21⤵
                                                                        PID:1760
                                                                      • C:\Windows\system32\PING.EXE
                                                                        ping -n 10 localhost
                                                                        21⤵
                                                                        • Runs ping.exe
                                                                        PID:1924
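The tree above repeats one pattern ten times: the client launches cmd.exe on a random-named .bat in %TEMP%, the batch runs chcp 65001 and ping -n 10 localhost (a sleep of roughly nine seconds that generates no network traffic), then relaunches the same executable. This is consistent with the batch file the Quasar client writes to restart itself. The detection below is an added example, not code from the sandbox report or from the Quasar project; it assumes process-creation telemetry already normalised to dicts with pid, ppid, image and cmdline (the fields Sysmon Event ID 1 or EDR equivalents carry), and the sample events are constructed from the first two iterations of the tree plus a benign batch for contrast.

```python
"""Flag the cmd.exe -> chcp 65001 + ping -n N localhost -> relaunch chain.

Added example, not part of the sandbox report or of the Quasar code base.
Event format (pid/ppid/image/cmdline dicts) is an assumption standing in for
Sysmon Event ID 1 or EDR process-creation telemetry. Real telemetry should key
on a process GUID rather than PID: the report itself shows PIDs 1608 and 960
being reused within the run.
"""
import re
from collections import defaultdict

# A .bat dropped under a user profile (Temp/AppData), as in the report.
BAT_UNDER_USERS = re.compile(r'([A-Za-z]:\\Users\\[^"]+?\.bat)', re.IGNORECASE)
# "ping -n N localhost" is the batch's sleep: about N-1 seconds, no traffic.
PING_SLEEP = re.compile(
    r'\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.IGNORECASE)
CHCP_UTF8 = re.compile(r'\bchcp(?:\.com)?\s+65001\b', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_restart_batches(events):
    """One finding per cmd.exe that ran a user-profile .bat whose children are
    chcp 65001, a localhost ping sleep and a relaunch of the image that spawned
    cmd.exe. All three traits are required, so a plain maintenance batch that
    merely pings does not match."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for cmd in events:
        if _basename(cmd["image"]) != "cmd.exe":
            continue
        bat = BAT_UNDER_USERS.search(cmd["cmdline"])
        parent = by_pid.get(cmd["ppid"])
        if not bat or parent is None:
            continue
        kids = children[cmd["pid"]]
        has_chcp = any(CHCP_UTF8.search(k["cmdline"]) for k in kids)
        sleep = None
        for k in kids:
            m = PING_SLEEP.search(k["cmdline"])
            if m:
                sleep = int(m.group(1))
        relaunch = next(
            (k for k in kids if k["image"].lower() == parent["image"].lower()), None)
        if has_chcp and sleep is not None and relaunch is not None:
            findings.append({
                "cmd_pid": cmd["pid"],
                "parent_pid": parent["pid"],
                "relaunch_pid": relaunch["pid"],
                "image": parent["image"],
                "batch": bat.group(1),
                "sleep_seconds": max(sleep - 1, 0),
            })
    return findings


def longest_restart_chain(findings):
    """Count consecutive restarts: the relaunched process of one finding is the
    parent of the next. The tree in the report links ten of them."""
    by_parent = {f["parent_pid"]: f for f in findings}
    relaunched = {f["relaunch_pid"] for f in findings}
    best = 0
    for head in findings:
        if head["parent_pid"] in relaunched:
            continue  # not the start of a chain
        length, cur = 0, head
        while cur is not None:
            length += 1
            cur = by_parent.get(cur["relaunch_pid"])
        best = max(best, length)
    return best


# Constructed sample: first two iterations of the tree above (same PIDs and
# paths) plus a benign batch under %TEMP% that pings a host but nothing else.
RAT = r"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
SYS = r"C:\Windows\system32"
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1704, "ppid": 1000, "image": RAT, "cmdline": f'"{RAT}"'},
    {"pid": 856, "ppid": 1704, "image": f"{SYS}\\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkyHZXGv6TsR.bat" "'},
    {"pid": 1904, "ppid": 856, "image": f"{SYS}\\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 472, "ppid": 856, "image": f"{SYS}\\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 1112, "ppid": 856, "image": RAT, "cmdline": f'"{RAT}"'},
    {"pid": 1364, "ppid": 1112, "image": f"{SYS}\\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7VbLAAQpN2rk.bat" "'},
    {"pid": 1856, "ppid": 1364, "image": f"{SYS}\\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 1020, "ppid": 1364, "image": f"{SYS}\\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 1608, "ppid": 1364, "image": RAT, "cmdline": f'"{RAT}"'},
    {"pid": 2000, "ppid": 1000, "image": f"{SYS}\\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\cleanup.bat"'},
    {"pid": 2001, "ppid": 2000, "image": f"{SYS}\\PING.EXE", "cmdline": "ping -n 4 10.0.0.1"},
]

if __name__ == "__main__":
    hits = find_restart_batches(SAMPLE_EVENTS)
    for h in hits:
        print(f"restart via {h['batch']} (cmd {h['cmd_pid']}, ~{h['sleep_seconds']}s) -> pid {h['relaunch_pid']}")
    print("chain length:", longest_restart_chain(hits))
```

The finding carries the .bat path so the file can be pulled for the hashes listed under Downloads before the batch deletes itself; the chain length separates a one-off restart from the looping behaviour seen here.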

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0LY2d5Tiaab7.bat
    Filesize 229B
    MD5 380812886c3ab0761efeda0128ffb7e2
    SHA1 fb289352c8aafaadd7911a906db0c47cec1a064b
    SHA256 1f627971a27d8865483cbf2e76e70b6bf8b50416d2f84473ffa8dae35c4a36a2
    SHA512 c0fbce0ca1cd28a8b2f16c7116eb0a9a4ba4b521ede17bda51828bfab75cd2c7d6158aee3fe0714d17965c5b1ff1bace0ed83ed18876d4ff8772c4297d5353c4

  • C:\Users\Admin\AppData\Local\Temp\0d0OrJimuLju.bat
    Filesize 229B
    MD5 fc16046049e28a70616b7250c950e721
    SHA1 d9bdebe1a209067205d1899fd9e47f7e8927c437
    SHA256 639433c6119f8031e796654be8ec32eb1308bf437e7f5a96b677159e355d6dfc
    SHA512 56aca8ed785f08b4aef31cc11d20da1e9bec6a7b712aa380d5cb5048745e3b265a22f4dd01c3e6f997fa7b40edb3d496721b90f0bd7391d461df326bc6f87aa4

  • C:\Users\Admin\AppData\Local\Temp\7VbLAAQpN2rk.bat
    Filesize 229B
    MD5 2cf6a76968c464a93424251299050c27
    SHA1 e8edc3c89689aa68368e19a2f781dbb5dc00789c
    SHA256 e54457cfabdc37b18a596cf6bd0a07a574b4ce8e5f152a2e00b6391e4a3b5b5d
    SHA512 bdd173a5ac84f1ef4791a259241dc5854b765c7c342e812b01146074d6e8f7670d9ebf64095e9098d38e7edee39417fe90a936d3a2a6d1e0853a5844763df55f

  • C:\Users\Admin\AppData\Local\Temp\DU2rtXozgH2L.bat
    Filesize 229B
    MD5 0061bef0579ad82c9464479b770e36ca
    SHA1 ff186a9595b1f3c819d0ae21905d8f9f43ad6f11
    SHA256 049868ebc586754a35d767cb9fc167a09ca2b39ef39cd26a527b99dfe0e5720a
    SHA512 02033856441d0289d2da90fa8bd501968a0af29ce8eb2f73fdd253a322380d2ab8e8b407f167ab3c58ff64bff9a60f07b5612ba6364b7cc221022dfc87a984f5

  • C:\Users\Admin\AppData\Local\Temp\Jfp5A4Gc3Wpd.bat
    Filesize 229B
    MD5 b786555f80f1fc43d5ea9a1077cb3ccc
    SHA1 49e2a771099adea53ea571845b71a46ce95d32d3
    SHA256 b5b7a8dfd063fea057e89004ed708dbeaea6d32a75a04b400cf2358416633e47
    SHA512 92c06123f42a3b21cb44e0cbab5adf597b426fb93b22468f3471c5c76fec543285384c4dba387dac4bd720a7658b3cf3667aa4f57d8effb3ef45c5191cdb144a

  • C:\Users\Admin\AppData\Local\Temp\L8lAiZ6HXr4I.bat
    Filesize 229B
    MD5 1e7f748b6bd6ab549c9290a0a100face
    SHA1 1b53ead68e7ad676ae2284d7b76295da4d35913c
    SHA256 31c1fca669515d77804e1394096ee4133eb1673a62ab3d95090d22ba5a9cb613
    SHA512 b48a046c6dd08e9dd8435704ae407827ad7bd314af00dd2b1f2dbc9ef59237b429276af6951a42607998794b74e6583ade6f80fd44c3af812cc7d9b06557bb9d

  • C:\Users\Admin\AppData\Local\Temp\QzoNwL5GGTkQ.bat
    Filesize 229B
    MD5 c1cd380e43107175b23b5a73396244ff
    SHA1 b8778e75f1f5eb329428fde45f3c240f81c3d537
    SHA256 efa152c728ab1237d6e911c5fdd767ddf9bad20fc7c1f8ce70e82d11bf8a702f
    SHA512 5cb15de29f1f65d83bb09788663acd466eb238374ac0c308bd72d1bf2398b7545e84718c0df7c046b7257d1ee0a50b84c41ce100da2be1e19e94dc0853715c27

  • C:\Users\Admin\AppData\Local\Temp\YkyHZXGv6TsR.bat
    Filesize 229B
    MD5 5fa41d94434097a4877ced62f1560b7b
    SHA1 859cd2d711cf7f5051d44862cc49b5a6c6f274b9
    SHA256 6bd6afb90db6c381aaf7511f1af41a1b139172eb74eea2ed2123f49684df4487
    SHA512 6381bdadea3573cfa8065ee3c87d5246440a72a3f0869144e8942db9e3f5870a162ac3b32e52381869433765c74a87861f456bc2d8fbc56c83282314638a98aa

  • C:\Users\Admin\AppData\Local\Temp\f23xtBzx7SBw.bat
    Filesize 229B
    MD5 1edf9995ac0f9162d2395b39e1501983
    SHA1 b43f18c3781cb2237f4d2f1913968c6645136015
    SHA256 3e6d0d6d16b8fe15bfe5caa978dcf25d4f8b7e6fc96db11d601cce0f28a5b588
    SHA512 eb87f94bbaadbf93dd5a24095ca2aff284952fc9dda5b82f5143f73fb84ffaf1e632d065498965aa7297be0dc8b25e5c7f1790b7906f8c5beb3cb014b5d82f07

  • C:\Users\Admin\AppData\Local\Temp\xGOdG5JQRtBM.bat
    Filesize 229B
    MD5 cd55f74a62d556a87a61d5aebad8a1c1
    SHA1 296451e9a9ab89477bae557fd1888678dc270acf
    SHA256 aac4b080555a69fb77a1842459fe153f8a5ca583e5be1cce63afc93d288b4ba1
    SHA512 eaca5921be3222ea529a246a82e7afafa054b78c603bbae01a571fc29fb4a9c344ff902fc8c2be1383cf010d1684f8e0205d7c34425210e78e5ef96012a638b1

  • memory/960-108-0x0000000000200000-0x0000000000284000-memory.dmp
    Filesize 528KB

  • memory/1112-61-0x0000000000FD0000-0x0000000001054000-memory.dmp
    Filesize 528KB

  • memory/1308-74-0x00000000002D0000-0x0000000000354000-memory.dmp
    Filesize 528KB

  • memory/1668-82-0x00000000012A0000-0x0000000001324000-memory.dmp
    Filesize 528KB

  • memory/1704-54-0x0000000000B10000-0x0000000000B94000-memory.dmp
    Filesize 528KB

  • memory/1704-55-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
    Filesize 8KB

  • memory/1712-116-0x0000000001270000-0x00000000012F4000-memory.dmp
    Filesize 528KB