Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231201-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2023 02:15

General

  • Target

    aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe

  • Size

    155.0MB

  • MD5

    64282b6b4d579449c2ad7799f06f86b6

  • SHA1

    2b468af1d1a656d666d8137cb1ca42476d975643

  • SHA256

    aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c

  • SHA512

    1474b425d80eae5507d76235ff08dde303d1d4ef8287ef408621530fe9ae7983a5face388968b078671b6db0bc85053e80a600eeaafddd67b7b980ded9579977

  • SSDEEP

    1572864:gFysNpDQKKr7VskunAMTp9d6vN2EzzyPsYpeU9EK:g4snQ/rxsnnAw6vUEzlYB

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    Office04
  • C2
    192.168.10.145:4782
  • Mutex
    4f9fc524-eb7d-412c-82e9-60d973f2e68b
  • Attributes
    • encryption_key
      25C16D5BA2F06B33ED6B1D041FCCCC89A74FFA91
    • install_name
      System32.exe
    • log_directory
      Logs
    • reconnect_delay
      3000
    • startup_key
      Quasar Client Startup
    • subdirectory
      SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe
    "C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe
      "C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\system32\SubDir\System32.exe
        "C:\Windows\system32\SubDir\System32.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3976
    • C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\D3DCompiler_47_cor3.dll

    Filesize

    4.7MB

    MD5

    2191e768cc2e19009dad20dc999135a3

    SHA1

    f49a46ba0e954e657aaed1c9019a53d194272b6a

    SHA256

    7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    SHA512

    5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

  • C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\PresentationNative_cor3.dll

    Filesize

    1.2MB

    MD5

    c7bcc68b81e965fe74ef58d503c58deb

    SHA1

    99990f204f7318eeb8de6f9664ebcd0d42ea81b7

    SHA256

    06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e

    SHA512

    cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

  • C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\wpfgfx_cor3.dll

    Filesize

    1.9MB

    MD5

    1b01746fe61beb761a643050823190b0

    SHA1

    927b12e4a733bcc51545c6a005838a24b8dc4dda

    SHA256

    f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8

    SHA512

    83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

  • C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

    Filesize

    152.1MB

    MD5

    6196a6ac54713dc0d11c7ebab96bc6d0

    SHA1

    594c07c73f5844f74dc80b79f9d29ae0c9591f3f

    SHA256

    74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175

    SHA512

    613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

  • C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • C:\Windows\System32\SubDir\System32.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • C:\Windows\system32\SubDir\System32.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • memory/1996-92-0x0000029F6EEB0000-0x0000029F6EEC8000-memory.dmp

    Filesize

    96KB

  • memory/1996-74-0x0000029F4CEE0000-0x0000029F4CEE5000-memory.dmp

    Filesize

    20KB

  • memory/1996-222-0x00007FF7F96C0000-0x00007FF7F9FED000-memory.dmp

    Filesize

    9.2MB

  • memory/1996-113-0x0000029F737E0000-0x0000029F73FFC000-memory.dmp

    Filesize

    8.1MB

  • memory/1996-110-0x0000029F6EF70000-0x0000029F6EF9A000-memory.dmp

    Filesize

    168KB

  • memory/1996-104-0x0000029F6EE60000-0x0000029F6EE68000-memory.dmp

    Filesize

    32KB

  • memory/1996-107-0x0000029F6F410000-0x0000029F6F457000-memory.dmp

    Filesize

    284KB

  • memory/1996-89-0x0000029F6EFA0000-0x0000029F6EFE0000-memory.dmp

    Filesize

    256KB

  • memory/1996-101-0x0000029F6F510000-0x0000029F6F604000-memory.dmp

    Filesize

    976KB

  • memory/1996-46-0x0000000180000000-0x0000000180A25000-memory.dmp

    Filesize

    10.1MB

  • memory/1996-50-0x00007FF7F96C0000-0x00007FF7F9FED000-memory.dmp

    Filesize

    9.2MB

  • memory/1996-49-0x0000029F6FDD0000-0x0000029F70D58000-memory.dmp

    Filesize

    15.5MB

  • memory/1996-53-0x0000029F6F080000-0x0000029F6F2A8000-memory.dmp

    Filesize

    2.2MB

  • memory/1996-56-0x0000029F6F2B0000-0x0000029F6F40E000-memory.dmp

    Filesize

    1.4MB

  • memory/1996-59-0x0000029F4E7D0000-0x0000029F4E814000-memory.dmp

    Filesize

    272KB

  • memory/1996-62-0x0000029F4E820000-0x0000029F4E85E000-memory.dmp

    Filesize

    248KB

  • memory/1996-65-0x0000029F70D60000-0x0000029F715A2000-memory.dmp

    Filesize

    8.3MB

  • memory/1996-68-0x0000029F6EED0000-0x0000029F6EF4F000-memory.dmp

    Filesize

    508KB

  • memory/1996-71-0x0000029F4CED0000-0x0000029F4CEDD000-memory.dmp

    Filesize

    52KB

  • memory/1996-95-0x0000029F6EF50000-0x0000029F6EF62000-memory.dmp

    Filesize

    72KB

  • memory/1996-83-0x0000029F6EE70000-0x0000029F6EE89000-memory.dmp

    Filesize

    100KB

  • memory/1996-80-0x0000029F4CEF0000-0x0000029F4CEF7000-memory.dmp

    Filesize

    28KB

  • memory/1996-86-0x0000029F6EE90000-0x0000029F6EEA6000-memory.dmp

    Filesize

    88KB

  • memory/1996-77-0x0000029F4E860000-0x0000029F4E873000-memory.dmp

    Filesize

    76KB

  • memory/3976-23-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

    Filesize

    10.8MB

  • memory/3976-25-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

    Filesize

    64KB

  • memory/3976-221-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

    Filesize

    64KB

  • memory/3976-220-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

    Filesize

    10.8MB

  • memory/3976-26-0x000000001BCE0000-0x000000001BD30000-memory.dmp

    Filesize

    320KB

  • memory/3976-27-0x000000001BDF0000-0x000000001BEA2000-memory.dmp

    Filesize

    712KB

  • memory/4640-2-0x000000001FE80000-0x000000001FE90000-memory.dmp

    Filesize

    64KB

  • memory/4640-1-0x0000000000070000-0x000000000407C000-memory.dmp

    Filesize

    64.0MB

  • memory/4640-45-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

    Filesize

    10.8MB

  • memory/4640-0-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

    Filesize

    10.8MB

  • memory/5112-16-0x000000001B8F0000-0x000000001B900000-memory.dmp

    Filesize

    64KB

  • memory/5112-14-0x0000000000810000-0x0000000000B34000-memory.dmp

    Filesize

    3.1MB

  • memory/5112-24-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

    Filesize

    10.8MB

  • memory/5112-15-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

    Filesize

    10.8MB