Overview

overview

10

Static

static

10

intelservice.exe

windows7-x64

10

intelservice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1566s
  • max time network
    1780s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2023, 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    intelservice.exe

  • Size

    348KB

  • MD5

    2f890b7ca2e7b4b24bb534c28e54d7cf

  • SHA1

    e8d9f966c18f10f1eff01478d41dabacd0300da5

  • SHA256

    92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

  • SHA512

    666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841

  • SSDEEP

    6144:60qQ4i1FFiEKDvLJavf52ibVcbVKglEb0ouAYyj9jZV293DIa:rpliTVOf56WBYylc3DIa

Score
10/10
quasarhackeespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

hackee

C2

20.205.140.63:1024

Mutex

QSR_MUTEX_5Tlo4RbwyDWBOOlMEb

Attributes
  • encryption_key

    zFGtr8G9lnuwN5OHbzbL

  • install_name

    intelservice.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Intel CPU Service

  • subdirectory

    intelcpu

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\intelservice.exe
    "C:\Users\Admin\AppData\Local\Temp\intelservice.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Intel CPU Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\intelservice.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2316
    • C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe
      "C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Intel CPU Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe
    Filesize

    348KB

    MD5

    2f890b7ca2e7b4b24bb534c28e54d7cf

    SHA1

    e8d9f966c18f10f1eff01478d41dabacd0300da5

    SHA256

    92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

    SHA512

    666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841

    Download Submit

  • C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe
    Filesize

    348KB

    MD5

    2f890b7ca2e7b4b24bb534c28e54d7cf

    SHA1

    e8d9f966c18f10f1eff01478d41dabacd0300da5

    SHA256

    92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

    SHA512

    666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841

    Download Submit

  • \Users\Admin\AppData\Roaming\intelcpu\intelservice.exe
    Filesize

    348KB

    MD5

    2f890b7ca2e7b4b24bb534c28e54d7cf

    SHA1

    e8d9f966c18f10f1eff01478d41dabacd0300da5

    SHA256

    92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

    SHA512

    666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841

    Download Submit

  • memory/1384-0-0x0000000001270000-0x00000000012CE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1384-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1384-2-0x0000000000600000-0x0000000000640000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1384-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2728-11-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2728-10-0x0000000000F20000-0x0000000000F7E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2728-12-0x0000000004970000-0x00000000049B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-15-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2728-16-0x0000000004970000-0x00000000049B0000-memory.dmp

    Filesize

    256KB

    Download