Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    17/01/2023, 17:09

General

  • Target

    svchost.exe

  • Size

    348KB

  • MD5

    99a2e914bbf4c8410c8c57bf24901919

  • SHA1

    8af5cc6ebba0bd365fa8accd92610c71380d93f7

  • SHA256

    1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616

  • SHA512

    f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc

  • SSDEEP

    6144:+uwb/c2L0tR/i/3d96vxbh+fy3+ExETXWg3WKwt4d:hH2L+ive3r+0EqgmK24d

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

188.119.45.143:9896

microsoftstolewindows.duckdns.org:9896

192.168.1.52:9896

Mutex

QSR_MUTEX_cXyKUgoh2Hpnny6zAV

Attributes
  • encryption_key

    GTemocnTKzZZHIqpqBGg

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:584
    • C:\Windows\SysWOW64\SubDir\svchost.exe
      "C:\Windows\SysWOW64\SubDir\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\svchost.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\SubDir\svchost.exe

    Filesize

    348KB

    MD5

    99a2e914bbf4c8410c8c57bf24901919

    SHA1

    8af5cc6ebba0bd365fa8accd92610c71380d93f7

    SHA256

    1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616

    SHA512

    f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc

  • C:\Windows\SysWOW64\SubDir\svchost.exe

    Filesize

    348KB

    MD5

    99a2e914bbf4c8410c8c57bf24901919

    SHA1

    8af5cc6ebba0bd365fa8accd92610c71380d93f7

    SHA256

    1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616

    SHA512

    f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc

  • \Windows\SysWOW64\SubDir\svchost.exe

    Filesize

    348KB

    MD5

    99a2e914bbf4c8410c8c57bf24901919

    SHA1

    8af5cc6ebba0bd365fa8accd92610c71380d93f7

    SHA256

    1fc3469378a92b852065e463b99e5b0cab8d8ba9d2fde12c05baa1454673b616

    SHA512

    f3b667faecf82c2b0528be0febcb9d2c21f54725fc2b9be03616c8398d849664571f04dda5364af6dc63d3351f51f5906f9f31fcec8e4b99ea18189d55d824cc

  • memory/540-61-0x00000000012A0000-0x00000000012FE000-memory.dmp

    Filesize

    376KB

  • memory/1264-54-0x0000000000CF0000-0x0000000000D4E000-memory.dmp

    Filesize

    376KB

  • memory/1264-55-0x0000000075A31000-0x0000000075A33000-memory.dmp

    Filesize

    8KB