Analysis Overview
SHA256
9d3b91e313cc1183cbc94c36a1aa0b50e5a2e2178293240e935d5626c4994db2
Threat Level: Known bad
The file myproject.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-16 06:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-16 06:00
Reported
2023-08-16 06:03
Platform
win7-20230712-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Roaming\\winrar.exe" | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2472 set thread context of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\myproject.exe
"C:\Users\Admin\AppData\Local\Temp\myproject.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
| US | 5.249.163.32:4782 | | tcp |
Files
memory/2472-54-0x0000000000C50000-0x0000000000E3E000-memory.dmp
memory/2472-53-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2472-55-0x0000000004D70000-0x0000000004DB0000-memory.dmp
memory/2472-56-0x0000000005160000-0x000000000533A000-memory.dmp
memory/2472-58-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-57-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-60-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-62-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-64-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-66-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-68-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-70-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-72-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-74-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-76-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-78-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-80-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-82-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-84-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-86-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-88-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-90-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-92-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-94-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-96-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-98-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-100-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-102-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-106-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-104-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-108-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-110-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-112-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-114-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-116-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-118-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-120-0x0000000005160000-0x0000000005334000-memory.dmp
memory/2472-162-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2472-390-0x0000000004D70000-0x0000000004DB0000-memory.dmp
memory/2472-1135-0x0000000000430000-0x0000000000431000-memory.dmp
memory/2472-1136-0x0000000005730000-0x0000000005884000-memory.dmp
memory/2472-1137-0x00000000009D0000-0x0000000000A1C000-memory.dmp
memory/2472-1146-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/748-1150-0x0000000074570000-0x0000000074C5E000-memory.dmp
memory/748-1151-0x0000000000400000-0x0000000000724000-memory.dmp
memory/748-1152-0x0000000004BE0000-0x0000000004C20000-memory.dmp
memory/748-1153-0x0000000074570000-0x0000000074C5E000-memory.dmp
memory/748-1154-0x0000000004BE0000-0x0000000004C20000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-16 06:00
Reported
2023-08-16 06:03
Platform
win10v2004-20230703-en
Max time kernel
123s
Max time network
131s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Roaming\\winrar.exe" | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3080 set thread context of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\myproject.exe
"C:\Users\Admin\AppData\Local\Temp\myproject.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 5.249.163.32:4782 | | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| CA | 108.181.98.179:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 32.163.249.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.98.181.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
memory/3080-134-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/3080-135-0x0000000000F50000-0x000000000113E000-memory.dmp
memory/3080-136-0x0000000006150000-0x00000000066F4000-memory.dmp
memory/3080-137-0x0000000005BA0000-0x0000000005C32000-memory.dmp
memory/3080-138-0x0000000005B60000-0x0000000005B70000-memory.dmp
memory/3080-139-0x0000000005B20000-0x0000000005B2A000-memory.dmp
memory/3080-141-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-140-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-143-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-145-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-147-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-149-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-151-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-153-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-155-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-157-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-159-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-161-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-163-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-165-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-167-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-169-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-171-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-173-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-175-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-177-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-179-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-181-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-183-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-185-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-187-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-189-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-191-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-193-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-195-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-197-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-199-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-201-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-203-0x0000000007190000-0x0000000007364000-memory.dmp
memory/3080-722-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/3080-800-0x0000000005B60000-0x0000000005B70000-memory.dmp
memory/3080-1218-0x0000000005F40000-0x0000000005F41000-memory.dmp
memory/1208-1223-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/1208-1222-0x0000000000400000-0x0000000000724000-memory.dmp
memory/3080-1224-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/1208-1225-0x0000000004FF0000-0x0000000005000000-memory.dmp
memory/1208-1226-0x00000000069D0000-0x0000000006FE8000-memory.dmp
memory/1208-1227-0x0000000006560000-0x00000000065B0000-memory.dmp
memory/1208-1228-0x00000000067C0000-0x0000000006872000-memory.dmp
memory/1208-1231-0x0000000007790000-0x00000000077A2000-memory.dmp
memory/1208-1232-0x00000000077F0000-0x000000000782C000-memory.dmp
memory/1208-1233-0x00000000078A0000-0x0000000007906000-memory.dmp
memory/1208-1234-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/1208-1235-0x0000000004FF0000-0x0000000005000000-memory.dmp