Overview

overview

10

Static

static

10

ShellExper...st.exe

windows7-x64

10

ShellExper...st.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-08-2023 23:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ShellExperienceHost.exe

  • Size

    3.1MB

  • MD5

    66f2cd749924ebcd3cd4e8e6882b50de

  • SHA1

    9a188abd5c98c3fec2da7b9dd5fed1927a191164

  • SHA256

    017154018a7290c534578cdbb64110339cff0d69f1e40f89db8176681b47981d

  • SHA512

    7deb88001b59a7364099d014fa655d8dc23ef28c6b8d5cf3a111506dee08945e52f2e432e2583751484e87310a83b10aa08c7c3a8c5ab3f4080f149abfee0962

  • SSDEEP

    49152:Hv3hBYjCO4Dt2d5aKCuVPzlEmVQL0wvwka3mhEmzfSoGdOTHHB72eh2NT:Hvnt2d5aKCuVPzlEmVQ0wvwf3mhs

Score
10/10
quasarmy vmspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

My VM

C2

myownvm.anondns.net:13832

37.120.141.165:13832
Mutex

071e2576-e94a-492e-8303-baae1cb4641c

Attributes
  • encryption_key

    402F6F1B2F63357285F585A5880FBC2C0F468F55

  • install_name

    ShellExperienceHost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Shell Experience Host

  • subdirectory

    drivers

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
    "C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Shell Experience Host" /sc ONLOGON /tr "C:\Windows\system32\drivers\ShellExperienceHost.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4252
    • C:\Windows\system32\drivers\ShellExperienceHost.exe
      "C:\Windows\system32\drivers\ShellExperienceHost.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Shell Experience Host" /sc ONLOGON /tr "C:\Windows\system32\drivers\ShellExperienceHost.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log
    Filesize

    1KB

    MD5

    baf55b95da4a601229647f25dad12878

    SHA1

    abc16954ebfd213733c4493fc1910164d825cac8

    SHA256

    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

    SHA512

    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

    Download Submit

  • C:\Windows\System32\drivers\ShellExperienceHost.exe
    Filesize

    3.1MB

    MD5

    66f2cd749924ebcd3cd4e8e6882b50de

    SHA1

    9a188abd5c98c3fec2da7b9dd5fed1927a191164

    SHA256

    017154018a7290c534578cdbb64110339cff0d69f1e40f89db8176681b47981d

    SHA512

    7deb88001b59a7364099d014fa655d8dc23ef28c6b8d5cf3a111506dee08945e52f2e432e2583751484e87310a83b10aa08c7c3a8c5ab3f4080f149abfee0962

    Download Submit

  • C:\Windows\system32\drivers\ShellExperienceHost.exe
    Filesize

    3.1MB

    MD5

    66f2cd749924ebcd3cd4e8e6882b50de

    SHA1

    9a188abd5c98c3fec2da7b9dd5fed1927a191164

    SHA256

    017154018a7290c534578cdbb64110339cff0d69f1e40f89db8176681b47981d

    SHA512

    7deb88001b59a7364099d014fa655d8dc23ef28c6b8d5cf3a111506dee08945e52f2e432e2583751484e87310a83b10aa08c7c3a8c5ab3f4080f149abfee0962

    Download Submit

  • memory/3120-10-0x00007FFA9E050000-0x00007FFA9EB11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3120-2-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3120-1-0x00007FFA9E050000-0x00007FFA9EB11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3120-0-0x00000000000A0000-0x00000000003C4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3972-11-0x00007FFA9E050000-0x00007FFA9EB11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3972-12-0x00000000015C0000-0x00000000015D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3972-13-0x00000000030F0000-0x0000000003140000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3972-14-0x000000001C6E0000-0x000000001C792000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3972-15-0x00007FFA9E050000-0x00007FFA9EB11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3972-16-0x00000000015C0000-0x00000000015D0000-memory.dmp

    Filesize

    64KB

    Download