Analysis Overview
SHA256
81ecb3b3f6307ab77fa8242cf6942cea00d2bd435a78e12e18a517cbad0311c6
Threat Level: Known bad
The file ayoubpayload.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
StormKitty payload
AsyncRat
Quasar payload
StormKitty
Async RAT payload
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Looks up geolocation information via web service
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-23 17:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-23 17:45
Reported
2023-08-23 17:47
Platform
win7-20230712-en
Max time kernel
106s
Max time network
94s
Command Line
Signatures
AsyncRat
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\CASHELP = "C:\\Users\\Admin\\AppData\\Roaming\\CASHELP.exe" | C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winhelp = "C:\\Users\\Admin\\AppData\\Roaming\\Winhelp.exe" | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1752 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1640 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe
"C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell set-mppreference -exclusionpath C:\
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
"C:\Users\Admin\AppData\Local\Temp\Quasare.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell set-mppreference -exclusionpath C:\
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
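The process list above contains the three behaviours worth a host-side detection rule: a Windows Defender exclusion for the whole C: drive pushed through PowerShell (`set-mppreference -exclusionpath C:\`), `netsh wlan` enumeration of saved profiles and nearby BSSIDs, and the signed .NET utilities MSBuild.exe and RegAsm.exe started with no arguments by unsigned parents in %TEMP%, which together with the SetThreadContext and WriteProcessMemory signatures is the process-hollowing pattern. The Python below is an added example and not part of the sandbox report: it runs four hunting rules over constructed process-creation and registry events that mirror this run (the parent/child links are assumed, since the report lists processes flat) plus two benign controls that must not fire. The ATT&CK ids are the editor's own Enterprise v15 mappings.

```python
"""Hunting rules for the process tree and Run-key writes seen in this report.

Added example, not part of the sandbox report: the Event records below are
constructed to mirror the behavioral1 run (parent/child links assumed) plus
two benign controls.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" or "registry"
    image: str         # full path of the acting process
    parent: str = ""   # parent image (process events)
    cmdline: str = ""  # command line (process events)
    key: str = ""      # registry value path (registry events)
    data: str = ""     # data written (registry events)


USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# signed .NET utilities that AsyncRAT/Quasar/StormKitty builds commonly hollow
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
# everything after the (optionally quoted) executable path of a command line
ARGS = re.compile(r'^\s*"?[^"]*?\.exe"?\s*(.*)$', re.IGNORECASE | re.DOTALL)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Return the argument string of a Windows command line ('' if none)."""
    m = ARGS.match(cmdline)
    return (m.group(1) if m else cmdline).strip()


def hunt(events):
    """Return (ATT&CK id, title, evidence) for every event that matches a rule."""
    findings = []
    for e in events:
        if e.kind == "process":
            name, cl = basename(e.image), e.cmdline.lower()
            if name == "powershell.exe" and "set-mppreference" in cl and "exclusionpath" in cl:
                findings.append(("T1562.001", "Defender exclusion added via Set-MpPreference", e.cmdline))
            if name == "netsh.exe" and "wlan" in cl and ("show profile" in cl or "show networks" in cl):
                findings.append(("T1016.002", "Wi-Fi profile/network discovery via netsh", e.cmdline))
            if name in DOTNET_HOSTS and USER_WRITABLE.search(e.parent) and not arguments(e.cmdline):
                findings.append(("T1055.012", "argument-less .NET host spawned from a user-writable path (hollowing candidate)",
                                 f"{e.parent} -> {e.image}"))
        elif e.kind == "registry" and RUN_KEY.search(e.key) and USER_WRITABLE.search(e.data):
            findings.append(("T1547.001", "Run key pointing into a user-writable directory", f"{e.key} = {e.data}"))
    return findings


# --- constructed sample telemetry (paths and command lines taken from the report) ---
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SYS = r"C:\Windows\SysWOW64"
SID = r"\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000"
EXCL = "powershell set-mppreference -exclusionpath C:\\"  # whole drive excluded from Defender

SAMPLE_EVENTS = [
    Event("process", SYS + r"\cmd.exe", TEMP + r"\ayoubpayload.exe", f'"C:\\Windows\\System32\\cmd.exe" /c {EXCL}'),
    Event("process", SYS + r"\WindowsPowerShell\v1.0\powershell.exe", SYS + r"\cmd.exe", EXCL),
    Event("process", NET + r"\MSBuild.exe", TEMP + r"\ayoubpayload.exe", NET + r"\MSBuild.exe"),
    Event("process", SYS + r"\cmd.exe", NET + r"\MSBuild.exe",  # parent assumed
          '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    Event("process", SYS + r"\netsh.exe", SYS + r"\cmd.exe", "netsh wlan show profile"),
    Event("process", SYS + r"\netsh.exe", SYS + r"\cmd.exe", "netsh wlan show networks mode=bssid"),
    Event("process", NET + r"\RegAsm.exe", TEMP + r"\Quasare.exe", NET + r"\RegAsm.exe"),
    Event("registry", TEMP + r"\ayoubpayload.exe", key=SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\CASHELP",
          data=r"C:\Users\Admin\AppData\Roaming\CASHELP.exe"),
    Event("registry", TEMP + r"\Quasare.exe", key=SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Winhelp",
          data=r"C:\Users\Admin\AppData\Roaming\Winhelp.exe"),
    # benign controls: a build started by Visual Studio, and a Run value under Program Files
    Event("process", NET + r"\MSBuild.exe", r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
          NET + r"\MSBuild.exe app.csproj /t:Build"),
    Event("registry", r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
          key=SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          data=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for technique, title, evidence in hunt(SAMPLE_EVENTS):
        print(f"{technique:10} {title}\n           {evidence}")
```

On a host where this sample ran, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows whether the `C:\` exclusion took effect and `Remove-MpPreference -ExclusionPath 'C:\'` reverts it; the `CASHELP` and `Winhelp` values under the user's Run key are the persistence to remove, and the hollowed MSBuild.exe/RegAsm.exe instances are the ones to dump before killing, since the RAT code lives only in their memory.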
Network
| Country | Destination | Domain | Proto |
| US | 95.214.24.37:80 | 95.214.24.37 | tcp |
| US | 95.214.24.37:80 | 95.214.24.37 | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.68:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 185.238.3.205:6669 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
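Read together, the Network rows separate into four kinds of traffic: DNS to the sandbox resolver, public-IP lookups (icanhazip.com, ip-api.com) that the "Looks up external IP address" signature fires on, api.telegram.org as the exfiltration channel, and bare-IP connections (95.214.24.37:80, 185.238.3.205:6669) with no name behind them. The loopback connections to 127.0.0.1 on 6606, 7707 and 8808 match AsyncRAT's default listener ports and would never show up in egress logs. The Python below is an added example, not part of the sandbox report: it parses the behavioral1 table as printed (tolerating the rows whose Domain cell is missing), buckets each destination and produces a watchlist. The service lists and category names are the editor's own; treating api.mylnikov.org as the consumer of the `netsh wlan show networks mode=bssid` output is an inference, not something the report states.

```python
"""Triage of the Network table above: bucket every destination and list the
ones worth an alert.  Added example, not part of the sandbox report.
SAMPLE_TABLE is this report's behavioral1 table with repeated connections
collapsed; the service lists and category names are the editor's own."""
import re
from collections import defaultdict

IP_LOOKUP = {"icanhazip.com", "ip-api.com"}   # "what is my public IP" services
GEO_LOOKUP = {"api.mylnikov.org"}              # Wi-Fi BSSID geolocation API (assumed consumer of the netsh output)
EXFIL_API = {"api.telegram.org"}               # bot API used as an exfiltration channel
CERT_INFRA = {"apps.identrust.com"}            # CA traffic from the OS certificate stack, not attacker-owned
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}    # AsyncRAT's stock listener ports

ROW = re.compile(r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|(?P<rest>.*)$")


def parse_rows(table_text):
    """Parse '| Country | Destination | Domain | Proto |' rows. Tolerates rows
    whose Domain cell is missing (proto slides left) and treats N/A as empty."""
    rows = []
    for line in table_text.splitlines():
        m = ROW.match(line)
        if not m or m.group("country") == "Country":
            continue
        cells = [c.strip() for c in m.group("rest").strip().strip("|").split("|")]
        if cells[0] in ("tcp", "udp"):
            domain, proto = "", cells[0]
        else:
            domain, proto = cells[0], (cells[1] if len(cells) > 1 else "")
        host, _, port = m.group("dest").rpartition(":")
        rows.append({"country": m.group("country"), "host": host, "port": int(port),
                     "domain": "" if domain == "N/A" else domain, "proto": proto})
    return rows


def classify(row):
    """Category of one non-DNS connection."""
    d = row["domain"].lower()
    if row["host"].startswith("127."):
        return "loopback-asyncrat-default-port" if row["port"] in ASYNCRAT_DEFAULT_PORTS else "loopback"
    if d in IP_LOOKUP:
        return "external-ip-lookup"
    if d in GEO_LOOKUP:
        return "geolocation-lookup"
    if d in EXFIL_API:
        return "telegram-api-exfil"
    if d in CERT_INFRA:
        return "certificate-infrastructure"
    return "direct-ip-candidate-c2"   # bare IP, or a name this list does not know


def triage(table_text):
    """{category: sorted 'host:port' list, or sorted queried names for DNS rows}."""
    groups = defaultdict(set)
    for row in parse_rows(table_text):
        if row["port"] == 53:
            groups["dns-query"].add(row["domain"])   # record the question, not the resolver
        else:
            groups[classify(row)].add(f"{row['host']}:{row['port']}")
    return {k: sorted(v) for k, v in groups.items()}


def alert_list(table_text):
    """Everything except loopback, resolver and CA traffic, ready for a watchlist."""
    wanted = {"external-ip-lookup", "geolocation-lookup", "telegram-api-exfil", "direct-ip-candidate-c2"}
    groups = triage(table_text)
    return sorted(dest for cat in wanted for dest in groups.get(cat, []))


SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 95.214.24.37:80 | 95.214.24.37 | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.68:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 185.238.3.205:6669 | tcp | |
| N/A | 127.0.0.1:8808 | tcp |
"""

if __name__ == "__main__":
    for category, dests in sorted(triage(SAMPLE_TABLE).items()):
        print(f"{category:32} {', '.join(dests)}")
```

The two bare-IP destinations are the entries to pivot on first; the public-IP and geolocation services are shared infrastructure that many benign programs also query, so they belong on a watchlist rather than a block list, and the Telegram API is only distinguishable from legitimate use by the process that opened the connection, which is why the process-level rules matter more than the network ones for this family.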
Files
memory/1752-1-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1752-0-0x00000000010B0000-0x00000000012E6000-memory.dmp
memory/1752-2-0x0000000004FC0000-0x0000000005000000-memory.dmp
memory/1752-3-0x0000000004FC0000-0x0000000005000000-memory.dmp
memory/1752-4-0x00000000060E0000-0x00000000061A8000-memory.dmp
memory/1752-5-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-6-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-8-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-10-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-12-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-14-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-16-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-18-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-20-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-22-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-24-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-26-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-28-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-30-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-32-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-34-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-36-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-38-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-40-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-42-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-44-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-46-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-48-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-50-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-52-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-54-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-56-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-58-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-60-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-62-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-64-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-66-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-68-0x00000000060E0000-0x00000000061A1000-memory.dmp
memory/1752-582-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1752-683-0x0000000004FC0000-0x0000000005000000-memory.dmp
memory/1752-1083-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/1752-1084-0x0000000000DC0000-0x0000000000E02000-memory.dmp
memory/1752-1085-0x0000000004F60000-0x0000000004FAC000-memory.dmp
memory/1752-1088-0x0000000004FC0000-0x0000000005000000-memory.dmp
memory/2300-1089-0x000000006F910000-0x000000006FEBB000-memory.dmp
memory/2300-1090-0x000000006F910000-0x000000006FEBB000-memory.dmp
memory/2300-1091-0x00000000023B0000-0x00000000023F0000-memory.dmp
memory/2300-1092-0x00000000023B0000-0x00000000023F0000-memory.dmp
memory/2300-1093-0x000000006F910000-0x000000006FEBB000-memory.dmp
\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
| SHA512 | 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a |
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
| SHA512 | 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a |
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
| SHA512 | 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a |
memory/1640-1102-0x0000000001070000-0x0000000001078000-memory.dmp
memory/1640-1103-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1640-1104-0x0000000000420000-0x0000000000460000-memory.dmp
memory/1360-1117-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1752-1119-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1360-1118-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1360-1120-0x0000000004C80000-0x0000000004CC0000-memory.dmp
memory/1640-1121-0x0000000005DF0000-0x0000000005EC0000-memory.dmp
memory/1640-1601-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1640-1812-0x0000000000420000-0x0000000000460000-memory.dmp
memory/1360-2021-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1360-2160-0x0000000004C80000-0x0000000004CC0000-memory.dmp
memory/1640-2202-0x0000000000420000-0x0000000000460000-memory.dmp
memory/1640-2203-0x0000000000460000-0x0000000000461000-memory.dmp
memory/1640-2204-0x0000000004D90000-0x0000000004DDC000-memory.dmp
C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 525553eb79a476a58db2d3cf3a84ce81 |
| SHA1 | d60a58ea1932e78eb9ba5ecbe8d727b435d1647a |
| SHA256 | 48ef5d57b94ef4ce03413c79bd26d741d95489dc957beed47e94e58851a2c2be |
| SHA512 | 862f2afdd35963ef72d83a92ecc8cfc9121bccd577623e3aae277614c86b71bbffbef0cb31eeccce1e22c07322aebb5ad6acc25a6f4e716fa1aa1a7ac8efbfe7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AH658KE0DOLDASBY20WJ.temp
| MD5 | 580b94a8814e938466e46bb627ae4083 |
| SHA1 | 11974e447c5b08d7138586e0dc230d5a4f588514 |
| SHA256 | b562ffc0ab1c4b93bdea9c2a15f0f53cf44ef134414d5b713f73a449d2f80d32 |
| SHA512 | 0b56fda423a7eabaa72ad5a47513f0823809843719c634719b90c24ecf93f66acfd6986e19e39e4dfce0ea5ec211511218d60e70a08c609fd3b143bc366f4c96 |
memory/2684-2254-0x000000006F630000-0x000000006FBDB000-memory.dmp
memory/2684-2255-0x00000000027D0000-0x0000000002810000-memory.dmp
memory/2684-2259-0x000000006F630000-0x000000006FBDB000-memory.dmp
memory/2684-2260-0x00000000027D0000-0x0000000002810000-memory.dmp
memory/2684-2273-0x000000006F630000-0x000000006FBDB000-memory.dmp
memory/1360-2285-0x0000000004C80000-0x0000000004CC0000-memory.dmp
memory/1640-2289-0x0000000000420000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8658.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
memory/1360-2308-0x0000000004C80000-0x0000000004CC0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | e56ec378251cd65923ad88c1e14d0b6e |
| SHA1 | 7f5d986e0a34dd81487f6439fb0446ffa52a712e |
| SHA256 | 32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0 |
| SHA512 | 2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa |
C:\Users\Admin\AppData\Local\Temp\Tar892D.tmp
| MD5 | 19399ab248018076e27957e772bcfbab |
| SHA1 | faef897e02d9501146beb49f75da1caf12967b88 |
| SHA256 | 326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9 |
| SHA512 | 6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ea4e428b575f139fe292cd43aafa774 |
| SHA1 | be0fe849f086e026f9d504671b4a1d1899d0b37e |
| SHA256 | 8b7dfae23bcd58bb811b0c8bc435318776d7c794962482f59e7028ecee49f569 |
| SHA512 | 021f81b11e0fcd9a1e9cd71ad86cc4e449b9b10af46503edb38eaab0dd55e77cec6cbc0b96756f7c1f75d527018e2801c9aef608f53a30d2ecb28ccf394061d8 |
C:\Users\Admin\AppData\Local\2403cbf8839cadce596bc81c9d82c2b0\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Roaming\Winhelp.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
| SHA512 | 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a |
memory/1640-2375-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/2484-2377-0x0000000000400000-0x000000000044E000-memory.dmp
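Grouping the Files entries by hash shows two things the flat list hides: the Run-key target C:\Users\Admin\AppData\Roaming\Winhelp.exe is byte-identical to the dropped Quasare.exe (same MD5/SHA1/SHA256), and msgid.dat is a one-byte file containing the character 0, since its SHA-256 is the digest of the single byte "0". The Python below is an added example and not part of the sandbox report: it parses an excerpt of the behavioral1 Files section as printed above (SHA512 rows omitted for brevity), groups paths by SHA-256, and recovers tiny constant files by hashing a few candidate contents; the known_constant helper and its candidate list are the editor's own.

```python
"""Group this report's dropped files by content hash and identify tiny
constant files.  Added example, not part of the sandbox report: SAMPLE_FILES
is an excerpt of the behavioral1 Files section above (SHA512 rows omitted);
known_constant() is the editor's own helper."""
import hashlib
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")


def parse_files(section):
    """{path: {algo: hexdigest}} from path lines each followed by hash rows;
    memory/... dump lines carry no hashes and are skipped."""
    files, current = {}, None
    for line in section.splitlines():
        line = line.strip()
        m = HASH_ROW.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
        elif line and not line.startswith("|") and not line.startswith("memory/"):
            current = line
            files.setdefault(current, {})
    return files


def by_sha256(files):
    """{sha256: [paths]} so that copies of one binary under other names stand out."""
    groups = defaultdict(list)
    for path, digests in files.items():
        if "SHA256" in digests:
            groups[digests["SHA256"]].append(path)
    return dict(groups)


def shared(groups):
    """Only the hashes that appear under more than one path."""
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def known_constant(sha256, candidates=(b"", b"0", b"1")):
    """Recover the content of a tiny constant file by hashing a few candidates."""
    for content in candidates:
        if hashlib.sha256(content).hexdigest() == sha256:
            return content
    return None


SAMPLE_FILES = r"""
\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
memory/1640-2375-0x0000000074C20000-0x000000007530E000-memory.dmp
C:\Users\Admin\AppData\Local\2403cbf8839cadce596bc81c9d82c2b0\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
C:\Users\Admin\AppData\Roaming\Winhelp.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Browsers\Firefox\Bookmarks.txt
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
"""

if __name__ == "__main__":
    files = parse_files(SAMPLE_FILES)
    for digest, paths in shared(by_sha256(files)).items():
        print(digest, "->", paths)
    for path, digests in files.items():
        content = known_constant(digests.get("SHA256", ""))
        if content is not None:
            print(path, "contains", content)
```

The practical consequence is that one SHA-256 (7074b254...) covers both the dropper's payload and the persisted copy, so a single hash block rule catches the Run-key target as well; the same grouping applied to the behavioral2 section shows the identical msgid.dat digest under a different random directory name, which marks the directory name, not the file content, as the per-host variable.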
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-23 17:45
Reported
2023-08-23 17:47
Platform
win10v2004-20230703-en
Max time kernel
97s
Max time network
97s
Command Line
Signatures
AsyncRat
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CASHELP = "C:\\Users\\Admin\\AppData\\Roaming\\CASHELP.exe" | C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winhelp = "C:\\Users\\Admin\\AppData\\Roaming\\Winhelp.exe" | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4692 set thread context of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1300 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quasare.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe
"C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell set-mppreference -exclusionpath C:\
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
"C:\Users\Admin\AppData\Local\Temp\Quasare.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell set-mppreference -exclusionpath C:\
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.252.72.23.in-addr.arpa | udp |
| US | 95.214.24.37:80 | 95.214.24.37 | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.24.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 95.214.24.37:80 | 95.214.24.37 | tcp |
| US | 8.8.8.8:53 | 121.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 185.238.3.205:6669 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.3.238.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
Files
memory/4692-0-0x0000000000710000-0x0000000000946000-memory.dmp
memory/4692-1-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/4692-2-0x0000000005820000-0x0000000005DC4000-memory.dmp
memory/4692-3-0x0000000005310000-0x00000000053A2000-memory.dmp
memory/4692-4-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/4692-5-0x00000000053B0000-0x00000000053BA000-memory.dmp
memory/4692-6-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-7-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-9-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-11-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-13-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-15-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-17-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-19-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-21-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-23-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-25-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-27-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-29-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-31-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-33-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-35-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-37-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-39-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-41-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-43-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-45-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-47-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-49-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-51-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-53-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-55-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-57-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-59-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-61-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-63-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-65-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-67-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-69-0x0000000008ED0000-0x0000000008F91000-memory.dmp
memory/4692-1082-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/4692-1084-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/4692-1085-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/4692-1083-0x00000000073B0000-0x00000000073B1000-memory.dmp
memory/4692-1086-0x00000000091B0000-0x0000000009216000-memory.dmp
memory/776-1087-0x0000000002740000-0x0000000002776000-memory.dmp
memory/776-1088-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/776-1089-0x0000000002840000-0x0000000002850000-memory.dmp
memory/776-1090-0x00000000051E0000-0x0000000005808000-memory.dmp
memory/776-1091-0x0000000005910000-0x0000000005932000-memory.dmp
memory/776-1097-0x00000000059B0000-0x0000000005A16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y525mf0g.v2b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/776-1102-0x0000000006090000-0x00000000060AE000-memory.dmp
memory/776-1103-0x0000000002840000-0x0000000002850000-memory.dmp
memory/776-1104-0x000000007F9A0000-0x000000007F9B0000-memory.dmp
memory/776-1105-0x0000000006640000-0x0000000006672000-memory.dmp
memory/776-1106-0x000000006F440000-0x000000006F48C000-memory.dmp
memory/776-1116-0x0000000006620000-0x000000000663E000-memory.dmp
memory/776-1117-0x00000000079E0000-0x000000000805A000-memory.dmp
memory/776-1118-0x0000000007390000-0x00000000073AA000-memory.dmp
memory/776-1119-0x0000000007400000-0x000000000740A000-memory.dmp
memory/4692-1120-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/776-1121-0x0000000007610000-0x00000000076A6000-memory.dmp
memory/776-1122-0x00000000075C0000-0x00000000075CE000-memory.dmp
memory/776-1123-0x00000000076D0000-0x00000000076EA000-memory.dmp
memory/776-1124-0x00000000076B0000-0x00000000076B8000-memory.dmp
memory/776-1127-0x0000000074930000-0x00000000750E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
| SHA512 | 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a |
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
| SHA512 | 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a |
C:\Users\Admin\AppData\Local\Temp\Quasare.exe
| MD5 | 0ff35d7798741aea293c375c71843c37 |
| SHA1 | 798dd1f2b843978274596e64d572df3897c94749 |
| SHA256 | 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36 |
| SHA512 | 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a |
memory/4064-1141-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1300-1143-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/1300-1144-0x00000000003B0000-0x00000000003B8000-memory.dmp
memory/4064-1145-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/4064-1146-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/4692-1147-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/1300-1592-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/4064-1667-0x0000000074930000-0x00000000750E0000-memory.dmp
C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/4064-1965-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/1300-2136-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1300-2316-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1300-2314-0x0000000005DF0000-0x0000000005DF1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/1500-2333-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/1500-2334-0x0000000005110000-0x0000000005120000-memory.dmp
memory/1500-2336-0x0000000005110000-0x0000000005120000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5b506af502cc4ed2a97e3de413bd364b |
| SHA1 | 4f594c858fd821d875e4b26bcb6f827e720fa9b9 |
| SHA256 | 8fe0859c10bf7ef449f57a93f8431bf233450e08ff44f01c407c52f9a7acff2b |
| SHA512 | 35495d95bd92fb51601c641e631b30b1e4771852bfd45c55836724d14ba1e0f0cef3cb69ede073712a679bacb45b66d496d4abdef21d14e9862be58d42f7ee9f |
memory/1500-2355-0x0000000005110000-0x0000000005120000-memory.dmp
memory/1500-2359-0x000000007F4D0000-0x000000007F4E0000-memory.dmp
memory/1500-2360-0x000000006F410000-0x000000006F45C000-memory.dmp
memory/1500-2382-0x0000000074930000-0x00000000750E0000-memory.dmp
C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\System\Process.txt
| MD5 | c9c1e706a0068ceb98df750c066be210 |
| SHA1 | 93f462e5c7b34b909c39e4c70409da309b7fe5a6 |
| SHA256 | 870690a18b43c5c6002efa2973e56bad99a4aa342e88aaf3df14c0e707875043 |
| SHA512 | 6b1fcf981e37c23301c75e3f21ab165ca9babf44fd4bfe23fb9100b5563c72cefa6ff03cb4894d0352581c253c9adfaa58bc97a868f58ade7515d55f6721f19a |
memory/4064-2404-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/1300-2403-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/4064-2408-0x00000000067E0000-0x00000000067EA000-memory.dmp
C:\Users\Admin\AppData\Local\4e1bfbbe75e0995c0042f5060ad2363f\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4064-2414-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/4064-2415-0x0000000005E30000-0x0000000005E42000-memory.dmp
memory/1300-2443-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/4088-2445-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/4088-2444-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4088-2446-0x0000000005210000-0x0000000005220000-memory.dmp
memory/4088-2447-0x0000000006210000-0x0000000006222000-memory.dmp
memory/4088-2448-0x0000000006650000-0x000000000668C000-memory.dmp
memory/4088-2450-0x0000000074930000-0x00000000750E0000-memory.dmp