Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
-
submitted
07/11/2023, 13:10
General
-
Target
surrogate.exe
-
Size
3.1MB
-
MD5
9fa12d20004165ea56457120cc040515
-
SHA1
231e35f6914f2acb10d3fb587214bc0c7e4b2cd4
-
SHA256
8bc7b03305871f613e3e6435ad6ef4d284350e44f77ee67104bb1d0193557497
-
SHA512
d51db655e00ffcc318e18f61f398206582830836c4a140e19de27b53c3004bcd0fc6a705d5a46dca232af9328de90135040a91253dd550f73311683aaffdf5d2
-
SSDEEP
49152:3vAz92YpaQI6oPZlhP3ReybewoQmxNESE0k/iVLoGdQTTHHB72eh2NT:3va92YpaQI6oPZlhP3YybewoRxrtg
Malware Config
Extracted
quasar
1.4.1
newborn
cock.holyshithowmanydomainandproxycanigettorunmyserver.info:4782
88.209.197.253:4782
5680e0b1-d1d4-41d1-ab33-74f7f95f53fd
-
encryption_key
CEAEA9FD2F3E18352164BB4D9A6F56EFF5E2D896
-
install_name
COM Surrogate.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update
-
subdirectory
System32
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\surrogate.exe"C:\Users\Admin\AppData\Local\Temp\surrogate.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\System32\COM Surrogate.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\System32\COM Surrogate.exe"C:\Windows\system32\System32\COM Surrogate.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\System32\COM Surrogate.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD59fa12d20004165ea56457120cc040515
SHA1231e35f6914f2acb10d3fb587214bc0c7e4b2cd4
SHA2568bc7b03305871f613e3e6435ad6ef4d284350e44f77ee67104bb1d0193557497
SHA512d51db655e00ffcc318e18f61f398206582830836c4a140e19de27b53c3004bcd0fc6a705d5a46dca232af9328de90135040a91253dd550f73311683aaffdf5d2
-
Filesize
3.1MB
MD59fa12d20004165ea56457120cc040515
SHA1231e35f6914f2acb10d3fb587214bc0c7e4b2cd4
SHA2568bc7b03305871f613e3e6435ad6ef4d284350e44f77ee67104bb1d0193557497
SHA512d51db655e00ffcc318e18f61f398206582830836c4a140e19de27b53c3004bcd0fc6a705d5a46dca232af9328de90135040a91253dd550f73311683aaffdf5d2
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
512KB
-
Filesize
9.9MB