Overview

overview

10

Static

static

10

vcac.exe

windows7-x64

10

vcac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 05:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vcac.exe

  • Size

    24.2MB

  • MD5

    60db2af267aaa16ab82007ce5dc80685

  • SHA1

    2c9ea81aac005653e0f49deaf7635d69300ef644

  • SHA256

    e4b0092942132b80858e5364222a3da3303456764192aeb3717311b54610b7fd

  • SHA512

    3b127f1f0cc3381a61344cc319e2d99af1a906717c485972df881096a36b7c567c26d71b65424d34e4ca84624ee8924de6bf376edb47c819cadf2d6b93a9d101

  • SSDEEP

    98304:qKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:P4xRBjgB7j4U6gl

Score
10/10
quasarbootkitdiscoveryexploitpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    1

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vcac.exe
    "C:\Users\Admin\AppData\Local\Temp\vcac.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Users\Admin\AppData\Roaming\lm.exe
        lm.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        PID:3968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
      2⤵
        PID:2224
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System32
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2176
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\System32 /grant "Admin:F"
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1652
      • C:\Users\Admin\AppData\Roaming\mbr.exe
        "C:\Users\Admin\AppData\Roaming\mbr.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of WriteProcessMemory
        PID:3180
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
      1⤵
      • Creates scheduled task(s)
      PID:4192

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll
      Filesize

      111KB

      MD5

      b59b0f6193bcc7e78a3b2fc730196be3

      SHA1

      045469fec2df2a9c75b550984a0ed32db2e9f846

      SHA256

      003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

      SHA512

      73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

      Download Submit

    • C:\Users\Admin\AppData\Roaming\boot.bin
      Filesize

      512B

      MD5

      cc2f3c59dad81bed8413fac671ee0223

      SHA1

      f3f4408db7a6e4c57666c226c401210dc330d4b0

      SHA256

      ee1b2f8b8cd346061ce487a8a684029d362437743782c29e1d157e0cf9920a0b

      SHA512

      b5ef9332d01cfccdda745b5cd391d3be74247cae1eb1d047de4de70f80ec399b250b3729cb480679ffb4255e32543330f59a96b3dee2c16b42274251a425bfdf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\lm.exe
      Filesize

      39KB

      MD5

      86e3192ad129a388e4f0ac864e84df78

      SHA1

      70a2b1422b583c2d768a6f816905bc85687ced52

      SHA256

      4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

      SHA512

      f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\lm.exe
      Filesize

      39KB

      MD5

      86e3192ad129a388e4f0ac864e84df78

      SHA1

      70a2b1422b583c2d768a6f816905bc85687ced52

      SHA256

      4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

      SHA512

      f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\mbr.exe
      Filesize

      101KB

      MD5

      00e306f18b8cc56f347f34a7ebaf7f9f

      SHA1

      2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

      SHA256

      ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

      SHA512

      2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\mbr.exe
      Filesize

      101KB

      MD5

      00e306f18b8cc56f347f34a7ebaf7f9f

      SHA1

      2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

      SHA256

      ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

      SHA512

      2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\mbr.exe
      Filesize

      101KB

      MD5

      00e306f18b8cc56f347f34a7ebaf7f9f

      SHA1

      2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

      SHA256

      ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

      SHA512

      2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\settings.bat
      Filesize

      67B

      MD5

      a204d9e5059a5449af7af765d371d6ea

      SHA1

      cfc6f78545bdc6a1c82491500f1bacfb38bef28c

      SHA256

      d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

      SHA512

      d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      41KB

      MD5

      84177654d8bbd32fe8132265e7a598ec

      SHA1

      73bbb239d1449b3af2d7f53614ba456c1add4c9a

      SHA256

      af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

      SHA512

      6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      41KB

      MD5

      84177654d8bbd32fe8132265e7a598ec

      SHA1

      73bbb239d1449b3af2d7f53614ba456c1add4c9a

      SHA256

      af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

      SHA512

      6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      41KB

      MD5

      84177654d8bbd32fe8132265e7a598ec

      SHA1

      73bbb239d1449b3af2d7f53614ba456c1add4c9a

      SHA256

      af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

      SHA512

      6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ucrtbased.dll
      Filesize

      1.4MB

      MD5

      ceeda0b23cdf173bf54f7841c8828b43

      SHA1

      1742f10b0c1d1281e5dec67a9f6659c8816738ad

      SHA256

      c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

      SHA512

      f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ucrtbased.dll
      Filesize

      1.4MB

      MD5

      ceeda0b23cdf173bf54f7841c8828b43

      SHA1

      1742f10b0c1d1281e5dec67a9f6659c8816738ad

      SHA256

      c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

      SHA512

      f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ucrtbased.dll
      Filesize

      1.4MB

      MD5

      ceeda0b23cdf173bf54f7841c8828b43

      SHA1

      1742f10b0c1d1281e5dec67a9f6659c8816738ad

      SHA256

      c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

      SHA512

      f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

      Download Submit

    • C:\Users\Admin\AppData\Roaming\vcruntime140d.dll
      Filesize

      111KB

      MD5

      b59b0f6193bcc7e78a3b2fc730196be3

      SHA1

      045469fec2df2a9c75b550984a0ed32db2e9f846

      SHA256

      003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

      SHA512

      73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

      Download Submit

    • memory/3180-44-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

      Download

    • memory/3968-15-0x0000000000920000-0x0000000000940000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3968-25-0x0000000000920000-0x0000000000940000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4976-45-0x0000027C679D0000-0x0000027C679E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4976-46-0x00007FF8BE570000-0x00007FF8BF031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4976-55-0x00007FF8BE570000-0x00007FF8BF031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4996-4-0x0000000006940000-0x0000000006950000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-2-0x0000000006D20000-0x00000000072C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4996-3-0x0000000006770000-0x0000000006802000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4996-1-0x0000000000450000-0x0000000001C8C000-memory.dmp

      Filesize

      24.2MB

      Download

    • memory/4996-5-0x0000000006670000-0x000000000667A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4996-52-0x0000000074780000-0x0000000074F30000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4996-53-0x0000000006940000-0x0000000006950000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-54-0x0000000006940000-0x0000000006950000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-0-0x0000000074780000-0x0000000074F30000-memory.dmp

      Filesize

      7.7MB

      Download