Analysis

  • max time kernel
    57s
  • max time network
    54s
  • platform
    windows10-1703_x64
  • resource
    win10-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win10-20231129-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02-12-2023 18:10

General

  • Target

    Electron.exe

  • Size

    3.2MB

  • MD5

    5dd7500f21add8f9bc322529a35cb55f

  • SHA1

    b12eec8fdf6224f65e27fb9d9b06dc4375e1b37b

  • SHA256

    48d2d3e579bbcddda54aa5bd48197b179ca7b75018d05ce12ff3cf9e7b78e40e

  • SHA512

    dfbbb5b026e46dd5569814f6e8558678808bf9d4d7c8d4949f8943bb7eb92ecea8f2abfc0f9f2becdd0d2f04b61000262f20e2af87a11e3fc8d4931879633e3b

  • SSDEEP

    98304:/veL26AaNeWgPhlmVqkQ7XSKB3OzLRCL:3e4SlPgL

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

limehag920-33288.portmap.host:33288

Mutex

9818b060-d6e3-4e48-b21e-c9ef7bc65511

Attributes
  • encryption_key

    E97F64327412A3864CF0B0BE4A85415B949C39AD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Electron.exe
    "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ibwSTP4WYaLg.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4164
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3744
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:5032
        • C:\Users\Admin\AppData\Local\Temp\Electron.exe
          "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6U0YYLN4nnIN.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3136
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              5⤵
              • Runs ping.exe
              PID:3980
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:4596
              • C:\Users\Admin\AppData\Local\Temp\Electron.exe
                "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4660
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jl6l5CSnegqR.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2368
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:880
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • Runs ping.exe
                      PID:1156

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Electron.exe.log

    Filesize

    2KB

    MD5

    1dcda70572487b230bb9e47148a0946d

    SHA1

    06f9b414b54eb9a816d9b37a2b54c82a94197a05

    SHA256

    9e6e954e3f620c078e96da9f741090719a3b6b282704a1e54942b683223de4ed

    SHA512

    7de9c424f82129e049ca6830c6ae1f23489738d487999e773f1593494f1caddc9dd9c77f85c3a01e05ee37653de3ab17da8c3fdf75adc0c0c2fb38a938246179

  • C:\Users\Admin\AppData\Local\Temp\6U0YYLN4nnIN.bat

    Filesize

    205B

    MD5

    95e9bbc0b27dba76e402d0a2a154c9c0

    SHA1

    0ff0ab71e1d8127ed783375132fdd99f123a0219

    SHA256

    89a8dded3f920654ba78d80f1027fe685d3f7305192f486287952413c6602012

    SHA512

    e880fbd82033c1516028b17370094ba3a545d70ab03e00b78307d35623e9e65fc9d61483738be39cea8c08f54501d72c1f37468ea46acd32c60dd23271b24fb3

  • C:\Users\Admin\AppData\Local\Temp\ibwSTP4WYaLg.bat

    Filesize

    205B

    MD5

    9e6ef90e3dbace5bdc11be4d4085662f

    SHA1

    f68cb4e3afa64f353f9517297009efcdc96a7355

    SHA256

    75df2c23291ed6f3aed9aed6bc18b02a466465d4fda8f6973b7591fb1dac3136

    SHA512

    fa2fa0dff8707107fcae584ce52f71ec21e47d143ea4c516a451a4efa7c79d9573390bbb6d0ae7e79e3978f7f4ddd4deae826722dbb3f10a773390f3cbf8b40e

  • C:\Users\Admin\AppData\Local\Temp\jl6l5CSnegqR.bat

    Filesize

    205B

    MD5

    68fa1fd4d5152108ab7b3700a3db0606

    SHA1

    7da764c3e81d963da50e0b8ebfa0152d879b1e36

    SHA256

    2a76f1b13bfdd7be065ab72c506710c258457d1cb8892a2a6225e60eb1cf833d

    SHA512

    c29b160e3b9ee21cafcb9e3d86cd1d5b7f21cec61ad54c65627551be8d7113ededd69480cd48ec17c60e1276454b8ea247ca79cab007bed405c1d030c0063177

  • memory/4660-24-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4660-19-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4660-20-0x000000001BCC0000-0x000000001BCD0000-memory.dmp

    Filesize

    64KB

  • memory/4724-4-0x000000001C4F0000-0x000000001C5A2000-memory.dmp

    Filesize

    712KB

  • memory/4724-10-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4724-0-0x0000000000E30000-0x0000000001164000-memory.dmp

    Filesize

    3.2MB

  • memory/4724-3-0x000000001C3E0000-0x000000001C430000-memory.dmp

    Filesize

    320KB

  • memory/4724-2-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

    Filesize

    64KB

  • memory/4724-1-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp

    Filesize

    9.9MB

  • memory/5084-12-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp

    Filesize

    9.9MB

  • memory/5084-13-0x000000001BE40000-0x000000001BE50000-memory.dmp

    Filesize

    64KB

  • memory/5084-17-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp

    Filesize

    9.9MB