Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://anonfiles.co...

windows10-1703-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    222s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-02-2023 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://anonfiles.com/zaQ7z0W0y8/Titanic_Executor_zip

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

carolina-electro.at.ply.gg:23401:23401

Mutex

OkYd8B8aPhYGPmBnJV

Attributes
  • encryption_key

    ifxqeoBwByp64Ea77ScW

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windowsprogramm

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 8 IoCs
  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/zaQ7z0W0y8/Titanic_Executor_zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3808
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2412
    • C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe"
      1⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe" /rl HIGHEST /f
        2⤵
        • Creates scheduled task(s)
        PID:4836
      • C:\Windows\SysWOW64\SubDir\Client.exe
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4176
    • C:\Users\Admin\Downloads\Titanic Executor\Titanic Executor\Titanic.exe
      "C:\Users\Admin\Downloads\Titanic Executor\Titanic Executor\Titanic.exe"
      1⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Titanic Executor\Titanic Executor\Titanic.exe" /rl HIGHEST /f
        2⤵
        • Creates scheduled task(s)
        PID:4484
      • C:\Windows\SysWOW64\SubDir\Client.exe
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:1792

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
      Filesize

      717B

      MD5

      ec8ff3b1ded0246437b1472c69dd1811

      SHA1

      d813e874c2524e3a7da6c466c67854ad16800326

      SHA256

      e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

      SHA512

      e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      aee722fcdc90fcfba473126bf8bed12b

      SHA1

      df62a695b671a248b19f76cd6d420d1bcee9c27d

      SHA256

      e759250bcfe36a1a745bc1cc241dea84b6c791141e93b322bd5027d62d3a4807

      SHA512

      e51c09b66f06f247289841147cc6ebf2b70308cfac2c500915ed2b4775813e48422e60779e50351ac668bab548afaccb822a1486ae8242bc37697f16f3a994cf

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83C70E8C88F4EDFCC5A1D8BB501E4F5F
      Filesize

      503B

      MD5

      25d33dae751cbd07365603e16286611f

      SHA1

      ad58f8b465b89966be060cd2a8535f5ce0489900

      SHA256

      93a323259ec08332b80ea989e17eba54d9c5c38e854e2818a1bf465a456cff08

      SHA512

      4e6b2e08d0ff35b313d56cb823b883a64df757592fdfe36a11ddf6c457fa36e81a32e5ba437e600275edf5a5d95acc6e16cf7849a86a3ddfe93b16ba500750cd

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
      Filesize

      192B

      MD5

      0d07cd17f037901194d56ab168245056

      SHA1

      ef5554c262c8a2d1bdf7dd908a89b8daae4a3bf7

      SHA256

      c8aa0362c19c64c7c312da308f8c93bbac7e5075b0382894802a5a771ef83f4c

      SHA512

      3940d9c35bc6938fe01dcbe1246902a1c558e9442e8454e1ce6b39136d884213f4f69257453f0f1211e08f92a1373960063099c27164602128995a2128feef53

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      5d4c0ecd101eaac0db438a5aaabe657c

      SHA1

      4b439061269d1ef6f4bb8f422008463d033b36fd

      SHA256

      25041e8a1279a465f3a6d68c24e10abbcd786754c3cc7326b6e7338c65ebf6a7

      SHA512

      49502d31310d24ff096e5a35a7852829b9c6224f15f58921762dacf69494d144d14e78fc9511ff49b4cea91b1c9068522c0e98d2ee3a578fa59d45aac6336db8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83C70E8C88F4EDFCC5A1D8BB501E4F5F
      Filesize

      548B

      MD5

      f92237e4ffbd70a15578cf70744214d8

      SHA1

      7102599b0f225c3a4103793e5da908a9dcd6414c

      SHA256

      04965c14c63bee0917991f7bd826ec7ebb1484d10ad592185b9e5cba42d46b92

      SHA512

      32a37226483a5433dff1572babf7b7921d333ed963e720fff2cb8a0815e6e781191dcfc7c76638006b30bae7c04ae06e55fdb2e872d4b936f0ab0685bb2584b3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
      Filesize

      1KB

      MD5

      2084114b78ccf73ee8078ef5bf4b7d74

      SHA1

      eded76fd1d86bbe9d65af3b4cc96e7132f2263f2

      SHA256

      30be0a591fba0f80b7721a762bac72bacf0be5621013f3042f4df91218973353

      SHA512

      257bf8db85935743ee6dcee5fb596d67d613da2b32167f505217aa82eddabf2a45430e5f36739780cef5481d21f8e74736f6cae542b913b9849b2151d2d81f7d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Titanic.exe.log
      Filesize

      1KB

      MD5

      2084114b78ccf73ee8078ef5bf4b7d74

      SHA1

      eded76fd1d86bbe9d65af3b4cc96e7132f2263f2

      SHA256

      30be0a591fba0f80b7721a762bac72bacf0be5621013f3042f4df91218973353

      SHA512

      257bf8db85935743ee6dcee5fb596d67d613da2b32167f505217aa82eddabf2a45430e5f36739780cef5481d21f8e74736f6cae542b913b9849b2151d2d81f7d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DRT5BYOV.cookie
      Filesize

      615B

      MD5

      a1e266d8cc1b9da1071524502f3f21ea

      SHA1

      9aa7be3300f49903cda8ae5a2a58a402054acf43

      SHA256

      600b71aeffa7d31e7e9ec10ebb21e80975c23c6e91a53124d99f7391bdb3666a

      SHA512

      1837be13f4a65df04fe835fca59c227c5bc71a4bed0b0799699028fbf028c9f3f2aa142e2f9a04e4b53b8de5bc45c1ccc5abbbb4a0afc201ba1bf79eaee26508

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YEQ7XTTE.cookie
      Filesize

      179B

      MD5

      48f7533ebae91f1dff4731330aa784dc

      SHA1

      0cdddb314cc30cbe15b6517cb0e24e2be6bbd156

      SHA256

      d1c2cbe1d826e24ab9c60f17d06f0821f8a6b2324f49bc7b0e7e88554076c6e5

      SHA512

      f6119af8c87d16d11ae5d13ef3de2c521bc5cf89fa03f043efff03c96fc189e406f5dfdf84c9c86219feda30fe0fc80185f9abdfed84e52863fcaeb1183f3741

      Download Submit
    • C:\Users\Admin\Downloads\Titanic Executor.zip.0lm00y9.partial
      Filesize

      1.4MB

      MD5

      6d14da8713af771ddbf18cf2fb6bdbcf

      SHA1

      77c5c34a792365fe4750d5eb88a95921a1cfbc2e

      SHA256

      4e3858077015ee9f76644a201950ec32a8cbeca990249ecbf9557c07f3755054

      SHA512

      cbfaad81dc70d79bd93563c23d0413a59fff92c927fdd90980a456479caefae17fb7eab838965937de705e3c9c5a364a3f306524ab73aed72e6a7abbc98e51ce

      Download Submit
    • C:\Windows\SysWOW64\SubDir\Client.exe
      Filesize

      144KB

      MD5

      15a30a813f678a8ab9aca4be692f4c65

      SHA1

      765b2c3ee5767deb5391eb279638d4fdc9be2f84

      SHA256

      6e53086e992ec6cc22daa224c5b6919e8a990f5ab4d73cd66db1454c395fd7b7

      SHA512

      d1af6f894ef06625cc86998f5e302eda5c9968d90c33ba9c5f5f4c739fda49fb13e7045ff8b19b5e7347b208689c8a4f7b2dfef8379ef9394fea8876ce853e93

      Download Submit
    • C:\Windows\SysWOW64\SubDir\Client.exe
      Filesize

      144KB

      MD5

      15a30a813f678a8ab9aca4be692f4c65

      SHA1

      765b2c3ee5767deb5391eb279638d4fdc9be2f84

      SHA256

      6e53086e992ec6cc22daa224c5b6919e8a990f5ab4d73cd66db1454c395fd7b7

      SHA512

      d1af6f894ef06625cc86998f5e302eda5c9968d90c33ba9c5f5f4c739fda49fb13e7045ff8b19b5e7347b208689c8a4f7b2dfef8379ef9394fea8876ce853e93

      Download Submit
    • C:\Windows\SysWOW64\SubDir\Client.exe
      Filesize

      144KB

      MD5

      15a30a813f678a8ab9aca4be692f4c65

      SHA1

      765b2c3ee5767deb5391eb279638d4fdc9be2f84

      SHA256

      6e53086e992ec6cc22daa224c5b6919e8a990f5ab4d73cd66db1454c395fd7b7

      SHA512

      d1af6f894ef06625cc86998f5e302eda5c9968d90c33ba9c5f5f4c739fda49fb13e7045ff8b19b5e7347b208689c8a4f7b2dfef8379ef9394fea8876ce853e93

      Download Submit
    • C:\Windows\SysWOW64\SubDir\Client.exe
      Filesize

      144KB

      MD5

      15a30a813f678a8ab9aca4be692f4c65

      SHA1

      765b2c3ee5767deb5391eb279638d4fdc9be2f84

      SHA256

      6e53086e992ec6cc22daa224c5b6919e8a990f5ab4d73cd66db1454c395fd7b7

      SHA512

      d1af6f894ef06625cc86998f5e302eda5c9968d90c33ba9c5f5f4c739fda49fb13e7045ff8b19b5e7347b208689c8a4f7b2dfef8379ef9394fea8876ce853e93

      Download Submit
    • memory/1340-123-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1340-125-0x0000000000FF0000-0x000000000102E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1340-124-0x0000000000F90000-0x0000000000FA2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1340-122-0x00000000006D0000-0x00000000006D8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1792-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3136-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4176-130-0x0000000000000000-mapping.dmp
      Download
    • memory/4484-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4836-126-0x0000000000000000-mapping.dmp
      Download
    • memory/5004-127-0x0000000000000000-mapping.dmp
      Download