quasar | e4b0092942132b80858e5364222a3da3303456764192aeb3717311b54610b7fd

Analysis

max time kernel
151s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 05:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vcac.exe
Size

24.2MB
MD5

60db2af267aaa16ab82007ce5dc80685
SHA1

2c9ea81aac005653e0f49deaf7635d69300ef644
SHA256

e4b0092942132b80858e5364222a3da3303456764192aeb3717311b54610b7fd
SHA512

3b127f1f0cc3381a61344cc319e2d99af1a906717c485972df881096a36b7c567c26d71b65424d34e4ca84624ee8924de6bf376edb47c819cadf2d6b93a9d101
SSDEEP

98304:qKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:P4xRBjgB7j4U6gl

Score

10^/10

quasar bootkit discovery exploit persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2580-1-0x0000000000EC0000-0x00000000026FC000-memory.dmp	family_quasar

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2676	takeown.exe
2896	icacls.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe

Executes dropped EXE 3 IoCs

pid	Process
2640	lm.exe
2784	mbr.exe
2804	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2788	cmd.exe
2640	lm.exe
2640	lm.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2676	takeown.exe
2896	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\mbr.exe"	mbr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lm.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogonUI.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe
2580	vcac.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	vcac.exe
Token: SeTakeOwnershipPrivilege	2676	takeown.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2636	2580	vcac.exe	28
PID 2580 wrote to memory of 2636	2580	vcac.exe	28
PID 2580 wrote to memory of 2636	2580	vcac.exe	28
PID 2580 wrote to memory of 2636	2580	vcac.exe	28
PID 2580 wrote to memory of 2788	2580	vcac.exe	31
PID 2580 wrote to memory of 2788	2580	vcac.exe	31
PID 2580 wrote to memory of 2788	2580	vcac.exe	31
PID 2580 wrote to memory of 2788	2580	vcac.exe	31
PID 2788 wrote to memory of 2640	2788	cmd.exe	32
PID 2788 wrote to memory of 2640	2788	cmd.exe	32
PID 2788 wrote to memory of 2640	2788	cmd.exe	32
PID 2788 wrote to memory of 2640	2788	cmd.exe	32
PID 2580 wrote to memory of 2784	2580	vcac.exe	36
PID 2580 wrote to memory of 2784	2580	vcac.exe	36
PID 2580 wrote to memory of 2784	2580	vcac.exe	36
PID 2580 wrote to memory of 2784	2580	vcac.exe	36
PID 2580 wrote to memory of 2804	2580	vcac.exe	33
PID 2580 wrote to memory of 2804	2580	vcac.exe	33
PID 2580 wrote to memory of 2804	2580	vcac.exe	33
PID 2580 wrote to memory of 2804	2580	vcac.exe	33
PID 2784 wrote to memory of 2204	2784	mbr.exe	35
PID 2784 wrote to memory of 2204	2784	mbr.exe	35
PID 2784 wrote to memory of 2204	2784	mbr.exe	35
PID 2784 wrote to memory of 2204	2784	mbr.exe	35
PID 2804 wrote to memory of 2708	2804	svchost.exe	37
PID 2804 wrote to memory of 2708	2804	svchost.exe	37
PID 2804 wrote to memory of 2708	2804	svchost.exe	37
PID 2708 wrote to memory of 2676	2708	cmd.exe	39
PID 2708 wrote to memory of 2676	2708	cmd.exe	39
PID 2708 wrote to memory of 2676	2708	cmd.exe	39
PID 2708 wrote to memory of 2896	2708	cmd.exe	40
PID 2708 wrote to memory of 2896	2708	cmd.exe	40
PID 2708 wrote to memory of 2896	2708	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\vcac.exe
"C:\Users\Admin\AppData\Local\Temp\vcac.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\lm.exe
    lm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:2640
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2676
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant "Admin:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2896
- C:\Users\Admin\AppData\Roaming\mbr.exe
  "C:\Users\Admin\AppData\Roaming\mbr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2784

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
1⤵
- Creates scheduled task(s)
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\AppData\Roaming\boot.bin

Filesize
512B

MD5
0d2bce4d7f3785154b3e812d8d0b851e

SHA1
abc4463e007f8973f80099e08458bd22702c8ca6

SHA256
76bc6fab3dc4304e4c70adbad5eaf04a021aa50c4b9b5938ec705774e56060d5

SHA512
817cf4bad32b61c1beef98aad49c31feb796cfc7c9f7173ebf6f674408b8575be6e421fdf147293c487640d3992a67215d4dc871509065ac89735149d648e524

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\settings.bat

Filesize
67B

MD5
a204d9e5059a5449af7af765d371d6ea

SHA1
cfc6f78545bdc6a1c82491500f1bacfb38bef28c

SHA256
d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

SHA512
d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
\Users\Admin\AppData\Roaming\vcruntime140d.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
memory/2580-3-0x0000000005C10000-0x0000000005C50000-memory.dmp

Filesize
256KB

Download
memory/2580-48-0x0000000005C10000-0x0000000005C50000-memory.dmp

Filesize
256KB

Download
memory/2580-2-0x0000000005C10000-0x0000000005C50000-memory.dmp

Filesize
256KB

Download
memory/2580-0-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-47-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-1-0x0000000000EC0000-0x00000000026FC000-memory.dmp

Filesize
24.2MB

Download
memory/2640-21-0x0000000000DF0000-0x0000000000E10000-memory.dmp

Filesize
128KB

Download
memory/2640-15-0x0000000000DF0000-0x0000000000E10000-memory.dmp

Filesize
128KB

Download
memory/2784-38-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-14-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2804-39-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/2804-40-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-41-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2804-43-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2804-49-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-50-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2804-51-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download