Analysis
-
max time kernel
157s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
17/11/2023, 01:38
General
-
Target
NEAS.665e38a9c0c37947cfe9d92290da2380.exe
-
Size
344KB
-
MD5
665e38a9c0c37947cfe9d92290da2380
-
SHA1
98088121719427b7e911c899f639ae007e624368
-
SHA256
dd338ea97fec386923cdfecf3ff4aecac8ac51e494ba8c7e208a1ba51f8f0242
-
SHA512
8e476e58f15f53807f7223b8d418177f3c4a6449713dadf9c20ed779c22f5d27ec47263dae698be3a2cfeb65c9db49d120d38301d47c2715ba9a440bb709190d
-
SSDEEP
6144:fDezYKB9auYv4+B475uBvn1M41NaIFJBdRGLYW3/8ruxIQuGgs8s6Bqyq0Au7pXg:fSzvQv4+BNv1MEaIFJ1WYQ/VIQv8ASlw
Malware Config
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.665e38a9c0c37947cfe9d92290da2380.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.665e38a9c0c37947cfe9d92290da2380.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows.Troubleshooter" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\NEAS.665e38a9c0c37947cfe9d92290da2380.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\SubDir\Client.exe"C:\Windows\SysWOW64\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows.Troubleshooter" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /sc MINUTE /MO 13⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\SubDir\Client.exeC:\Windows\SysWOW64\SubDir\Client.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SubDir\Client.exeC:\Windows\SysWOW64\SubDir\Client.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52362dcc9d262d0969898b143fb7fc91a
SHA12240860a675c86425f5702b501eac121bfb744eb
SHA2564f7cff601d97caf1e0040bc2d63ccadd27294b2e551ff4167e0b080c69a915b0
SHA51259cb7e53dc9cc02f25216cc87115403ed67fb5d24947ef2e803cd54e9f118d5d65a71817b05642c238ca48eb7bfd228d008d92e42023f2c15755c64c88f5b0d6
-
Filesize
344KB
MD5665e38a9c0c37947cfe9d92290da2380
SHA198088121719427b7e911c899f639ae007e624368
SHA256dd338ea97fec386923cdfecf3ff4aecac8ac51e494ba8c7e208a1ba51f8f0242
SHA5128e476e58f15f53807f7223b8d418177f3c4a6449713dadf9c20ed779c22f5d27ec47263dae698be3a2cfeb65c9db49d120d38301d47c2715ba9a440bb709190d
-
Filesize
344KB
MD5665e38a9c0c37947cfe9d92290da2380
SHA198088121719427b7e911c899f639ae007e624368
SHA256dd338ea97fec386923cdfecf3ff4aecac8ac51e494ba8c7e208a1ba51f8f0242
SHA5128e476e58f15f53807f7223b8d418177f3c4a6449713dadf9c20ed779c22f5d27ec47263dae698be3a2cfeb65c9db49d120d38301d47c2715ba9a440bb709190d
-
Filesize
344KB
MD5665e38a9c0c37947cfe9d92290da2380
SHA198088121719427b7e911c899f639ae007e624368
SHA256dd338ea97fec386923cdfecf3ff4aecac8ac51e494ba8c7e208a1ba51f8f0242
SHA5128e476e58f15f53807f7223b8d418177f3c4a6449713dadf9c20ed779c22f5d27ec47263dae698be3a2cfeb65c9db49d120d38301d47c2715ba9a440bb709190d
-
Filesize
344KB
MD5665e38a9c0c37947cfe9d92290da2380
SHA198088121719427b7e911c899f639ae007e624368
SHA256dd338ea97fec386923cdfecf3ff4aecac8ac51e494ba8c7e208a1ba51f8f0242
SHA5128e476e58f15f53807f7223b8d418177f3c4a6449713dadf9c20ed779c22f5d27ec47263dae698be3a2cfeb65c9db49d120d38301d47c2715ba9a440bb709190d
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
240KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
632KB