Overview

overview

10

Static

static

f6f83ba3f1...0f.exe

windows7-x64

10

f6f83ba3f1...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 04:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6f83ba3f1e87503941e50b3e50d390f.exe

  • Size

    17KB

  • MD5

    f6f83ba3f1e87503941e50b3e50d390f

  • SHA1

    6983d00bc9cda93f0da126504d99a851ffef6cea

  • SHA256

    3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8

  • SHA512

    d9afb2024c16229d1245d1c8faf1a5fb7b1c2a4c2e379078e0c70493c8dedc7fb76be3233c4e9757168382b27b8ae4f17726209af893297fe67838472443e3d4

  • SSDEEP

    384:O0CqWx4t+dWNzuY7/aAygucwhb6v/uFi:O0CL4sBTguJmei

Score
10/10
quasaroffice04persistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

51.89.157.248:4782

Mutex

MvfU8Y7jQptTEqcSWG

Attributes
  • encryption_key

    gfcyUhYEMEq5BWNn8aVX

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6f83ba3f1e87503941e50b3e50d390f.exe
    "C:\Users\Admin\AppData\Local\Temp\f6f83ba3f1e87503941e50b3e50d390f.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    a57a8a4b059139a91487d5abfc50afa1

    SHA1

    efda38603c53adf419f09faca0e975bd97f044a4

    SHA256

    21f356bc513114b6c139ea7872ad3b2e37e6a36804bc3cbe6b8f1b79251a406d

    SHA512

    4ec0d7bc736b282216ea2f88b22485365016511280d9abff4bb5ba2dcfb9842349bbd197e42984d203eabf57896fd544b68f722d39c595890f75a7e4266eabbd

    Download Submit
  • memory/1064-158-0x0000000006010000-0x000000000601A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1064-156-0x0000000005CA0000-0x0000000005CDC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1064-155-0x0000000005860000-0x0000000005872000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1064-149-0x0000000004930000-0x00000000049C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1064-148-0x0000000004E30000-0x00000000053D4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1064-146-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1064-145-0x0000000000000000-mapping.dmp
    Download
  • memory/2640-142-0x0000000000000000-mapping.dmp
    Download
  • memory/2852-153-0x0000000006C40000-0x0000000006C5E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2852-154-0x0000000007A40000-0x0000000007A4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2852-161-0x0000000007BE0000-0x0000000007BE8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2852-160-0x0000000007C00000-0x0000000007C1A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2852-159-0x0000000006570000-0x000000000657E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2852-143-0x0000000000000000-mapping.dmp
    Download
  • memory/2852-157-0x0000000007C80000-0x0000000007D16000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2852-151-0x0000000006C70000-0x0000000006CA2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2852-152-0x0000000071060000-0x00000000710AC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4652-133-0x0000000005D50000-0x0000000005D72000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4652-132-0x0000000000590000-0x000000000059A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5040-138-0x0000000005E10000-0x0000000005E76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5040-135-0x0000000002B10000-0x0000000002B46000-memory.dmp
    Filesize

    216KB

    Download
  • memory/5040-134-0x0000000000000000-mapping.dmp
    Download
  • memory/5040-136-0x00000000055D0000-0x0000000005BF8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/5040-137-0x0000000005C70000-0x0000000005CD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5040-139-0x0000000006440000-0x000000000645E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/5040-140-0x0000000007C90000-0x000000000830A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/5040-141-0x0000000006940000-0x000000000695A000-memory.dmp
    Filesize

    104KB

    Download