Analysis

  • max time kernel
    113s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231201-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2023 10:19

General

  • Target

    94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

  • Size

    829KB

  • MD5

    2abed91ee9611fdd5cd6118f465e18e9

  • SHA1

    0fe598bbc219da65715fe26a4722a427c63ac5b7

  • SHA256

    94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1

  • SHA512

    f1ef8e168c19e1840aef0a2db653cd12c3955dbe7fc389fc0ba307b05638d0340704a724c7154920351462ea7b61e71ab24f8b20450696605d275ebbd8a81e0f

  • SSDEEP

    12288:XueH5qgRSJZl5v7ehH0Xg3hLZ4miAJMY72RUC9lXudcXuXhUguwL0t8WIp7VMyam:FqgRml5j0UXgxl4mZDkUCDgEvm

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

labtek.duckdns.org:4782

Mutex

QSR_MUTEX_Pc805LzmblzcJtBoEi

Attributes
  • encryption_key

    9WuVWCumPUdQwI1jN0XT

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir
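
What the extracted configuration above gives a defender, turned into concrete indicators. This is an added example, not code from the sandbox or from the Quasar project: CONFIG repeats the report's values; parse_c2, is_quasar_mutex, c2_is_valid and derive_iocs are this example's own names; the mutex regex encodes the Quasar builder's default mutex shape (the fixed prefix plus 18 random alphanumerics, which this sample's mutex has); the install path and Run value assume a user-level install under %APPDATA% of the sandbox user, which the config does not state (the keylogger log the report recovered under AppData\Roaming\Logs is consistent with it); and DYNDNS_SUFFIXES is a short illustrative list, not an authoritative one.

```python
"""Derive host and network IOCs from the Quasar config extracted above.

Added example, not part of the sandbox report or of Quasar itself.
"""
import re

CONFIG = {  # values copied from the report's "Malware Config" section
    "version": "1.3.0.0",
    "c2": "labtek.duckdns.org:4782",
    "mutex": "QSR_MUTEX_Pc805LzmblzcJtBoEi",
    "encryption_key": "9WuVWCumPUdQwI1jN0XT",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "log_directory": "Logs",
    "startup_key": "Quasar Client Startup",
    "reconnect_delay": 3000,  # milliseconds
}

# Builder default: fixed prefix plus 18 random alphanumerics. An operator can
# type any mutex string into the builder, so a miss is inconclusive.
MUTEX_RE = re.compile(r"^QSR_MUTEX_[A-Za-z0-9]{18}$")
# Assumption: a short illustrative list of dynamic-DNS suffixes.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")
RUN_KEYS = [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]


def parse_c2(c2):
    """'host:port' -> (host, port). Rejects junk so that a bad extraction is
    never silently turned into a block rule."""
    host, _, port = c2.rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"malformed C2 {c2!r}")
    return host.lower(), int(port)


def c2_is_valid(c2):
    try:
        parse_c2(c2)
        return True
    except ValueError:
        return False


def is_quasar_mutex(name):
    return bool(MUTEX_RE.match(name))


def derive_iocs(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Assumes a user-level install: %APPDATA%\<subdirectory>\<install_name>.
    appdata defaults to the sandbox user's profile seen in the report."""
    host, port = parse_c2(cfg["c2"])
    install_path = "\\".join([appdata, cfg["subdirectory"], cfg["install_name"]])
    return {
        "c2_host": host,
        "c2_port": port,
        "dynamic_dns": host.endswith(DYNDNS_SUFFIXES),
        "mutex": cfg["mutex"],
        "mutex_is_builder_shape": is_quasar_mutex(cfg["mutex"]),
        "install_path": install_path,
        # Quasar registers its Run value under the startup_key name (HKCU when
        # unelevated, HKLM when elevated); match on the path inside the data.
        "run_value": {"name": cfg["startup_key"], "path": install_path,
                      "keys": RUN_KEYS},
        # The date-named keylogger log lives here (see Downloads below).
        "log_directory": appdata + "\\" + cfg["log_directory"],
        "reconnect_delay_s": cfg["reconnect_delay"] / 1000,
    }


if __name__ == "__main__":
    for k, v in derive_iocs(CONFIG).items():
        print(f"{k}: {v}")
```

labtek.duckdns.org is a dynamic-DNS name the operator can repoint at will, so block and hunt on the hostname rather than on whatever it resolved to during this run; 4782 is Quasar's default listening port, and the 3000 ms reconnect delay means a blocked client will retry every few seconds, which is itself a usable network signal.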

Signatures

  • Quasar RAT

    Quasar is an open-source .NET remote access tool (RAT); this sample carries the version 1.3.0.0 client configuration extracted above.

  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Reads the country code from the registry's geographic-location setting (HKCU\Control Panel\International\Geo), the usual way a sample decides whether to run or exit based on the victim's region (geofencing).

  • Looks up external IP address via web service 2 IoCs

    Queries a legitimate public IP-lookup web service to learn the infected host's external address, which the client reports to the operator along with its other host details.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
    "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
      "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:5100
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • Runs ping.exe
          PID:4808
        • C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
          "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
            "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3192
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZExp6vhs0Mq4.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1028
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                7⤵
                • Runs ping.exe
                PID:3492
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                PID:1404
              • C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
                "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
                7⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3684
                • C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
                  "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4828
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 2216
                    9⤵
                    • Program crash
                    PID:4928
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hou6aILpYJCV.bat" "
                    9⤵
                    PID:4292
                    • C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe
                      "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
                      10⤵
                      PID:3640
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1704
              6⤵
              • Program crash
              PID:3328
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 2212
        3⤵
        • Program crash
        PID:2032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2176 -ip 2176
    1⤵
    PID:3544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3192 -ip 3192
    1⤵
    PID:4104
  • C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    1⤵
    • Runs ping.exe
    PID:2380
  • C:\Windows\SysWOW64\chcp.com
    chcp 65001
    1⤵
    PID:2372
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4828 -ip 4828
    1⤵
    PID:3896

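Two patterns in the tree above are worth detecting as patterns rather than as isolated API flags. The same binary appears as parent and child three times (2792 → 2176, 5064 → 3192, 3684 → 4828), each time with the parent flagged for SetThreadContext and WriteProcessMemory; together with the 376KB region at 0x400000 dumped from PID 2176 (listed under Downloads) this is the shape of process hollowing, with the unpacked Quasar client running in the child. Each child then runs cmd.exe /c on a 261-byte .bat in Temp whose children are chcp 65001, ping -n 10 localhost (a ten-second sleep) and a fresh copy of the binary: a batch-based delay-and-relaunch. The code below is an added example, not part of the sandbox report or its export format: EVENTS is constructed by hand from the tree (pid, parent pid, image, command line, and the signature names shown on that node that the checks use), and ev, bat_cmd, find_hollowing and find_restart_chains are this example's own names.

```python
"""Behavioural checks over the process tree above.

Added example, not part of the sandbox report. EVENTS is built by hand from
the tree; the field names and detection functions are this example's own.
"""
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"
CHCP = r"C:\Windows\SysWOW64\chcp.com"
WER = r"C:\Windows\SysWOW64\WerFault.exe"


def ev(pid, ppid, image, cmdline, *flags):
    return {"pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "flags": set(flags)}


def bat_cmd(name):
    # Exact quoting the tree shows: cmd.exe /c ""<path>.bat" "
    return 'C:\\Windows\\system32\\cmd.exe /c ""' + TMP + "\\" + name + '" "'


EVENTS = [  # constructed from the report's process tree
    ev(2792, 0, SAMPLE, f'"{SAMPLE}"', "SetThreadContext", "WriteProcessMemory"),
    ev(2176, 2792, SAMPLE, f'"{SAMPLE}"', "SetWindowsHookEx", "WriteProcessMemory"),
    ev(3220, 2176, CMD, bat_cmd("5xo8NZstSVh8.bat"), "WriteProcessMemory"),
    ev(5100, 3220, CHCP, "chcp 65001"),
    ev(4808, 3220, PING, "ping -n 10 localhost"),
    ev(5064, 3220, SAMPLE, f'"{SAMPLE}"', "SetThreadContext", "WriteProcessMemory"),
    ev(3192, 5064, SAMPLE, f'"{SAMPLE}"', "SetWindowsHookEx", "WriteProcessMemory"),
    ev(1028, 3192, CMD, bat_cmd("ZExp6vhs0Mq4.bat"), "WriteProcessMemory"),
    ev(3492, 1028, PING, "ping -n 10 localhost"),
    ev(1404, 1028, CHCP, "chcp 65001"),
    ev(3684, 1028, SAMPLE, f'"{SAMPLE}"', "SetThreadContext", "WriteProcessMemory"),
    ev(4828, 3684, SAMPLE, f'"{SAMPLE}"', "AdjustPrivilegeToken"),
    ev(4928, 4828, WER, WER + " -u -p 4828 -s 2216"),
    ev(4292, 4828, CMD, bat_cmd("hou6aILpYJCV.bat")),
    ev(3640, 4292, SAMPLE, f'"{SAMPLE}"'),
]

HOLLOW_FLAGS = {"SetThreadContext", "WriteProcessMemory"}
BAT_RE = re.compile(r'cmd\.exe\s+/c\s+"*([^"]+\.bat)', re.I)
PING_RE = re.compile(r"\bping\s+-n\s+\d+\s+localhost\b", re.I)


def find_hollowing(events):
    """A process launches a second copy of its own image and is seen using
    SetThreadContext plus WriteProcessMemory: the shape of process hollowing
    (RunPE). Returns (parent pid, child pid) pairs."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if (parent and parent["image"].lower() == child["image"].lower()
                and HOLLOW_FLAGS <= parent["flags"]):
            hits.append((parent["pid"], child["pid"]))
    return hits


def find_restart_chains(events):
    """cmd.exe /c <Temp>\*.bat whose children include a relaunch of the
    grandparent's image. The ping sleep and chcp 65001 are recorded as
    supporting evidence rather than required, so a partial chain (the third
    one in the tree) is still reported."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    chains = []
    for e in events:
        m = BAT_RE.search(e["cmdline"])
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        origin = by_pid.get(e["ppid"])
        kids = children[e["pid"]]
        relaunch = [k["pid"] for k in kids
                    if origin and k["image"].lower() == origin["image"].lower()]
        if not relaunch:
            continue
        chains.append({
            "bat": m.group(1),
            "cmd_pid": e["pid"],
            "relaunch_pid": relaunch[0],
            "ping_delay": any(PING_RE.search(k["cmdline"]) for k in kids),
            "chcp": any(k["cmdline"].lower().startswith("chcp") for k in kids),
        })
    return chains


if __name__ == "__main__":
    for parent, child in find_hollowing(EVENTS):
        print(f"hollowing: {parent} -> {child}")
    for ch in find_restart_chains(EVENTS):
        print(f"restart via {ch['bat']}: cmd {ch['cmd_pid']} relaunched "
              f"pid {ch['relaunch_pid']} (ping delay={ch['ping_delay']})")
```

The chain is the thing to alert on, not its pieces: ping -n N localhost as a sleep and chcp 65001 both appear in plenty of benign scripts, while a Temp .bat that relaunches its own grandparent after a delay rarely does. In this run the relaunched copies crash (the WerFault children under 2176, 3192 and 4828) and the chain simply runs again.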
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe.log
    Filesize: 1KB
    MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
    SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
    SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
    SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

  • C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat
    Filesize: 261B
    MD5: b77848cd2f970e4be87f0a7a24a015d9
    SHA1: 1332d30ab73c8f551f85719602b76194189c49ee
    SHA256: 9adc2117f8ffc971fa44af9ca123c343c1406a41ebcd293ed6ef658d01f81a3a
    SHA512: 20a2b2302d1a9f4a14778e725fba60e88a8c71d33d2d3bef35c00a8746167440b2399cc6ad274b1978d63652c4f410f98ca125ebac5f9a42afed4bda31056aa3

  • C:\Users\Admin\AppData\Local\Temp\ZExp6vhs0Mq4.bat
    Filesize: 261B
    MD5: 758b08a5f9dacf0c173a9b5f4cdc5175
    SHA1: 99bf49f38773215ca2819a60441b14784ef8ed7e
    SHA256: d280e2142ecfa497be8e18dc76d05bae8bf0cfbf8cade7e4d141a948a0410839
    SHA512: 29a05ec3b00bbd07fc32a97bec1d44d25d3f4f9adbd8140169a8baafb99c92329dd88bcd24aa09968d8ea0d6475c2ae4950b05748e2c4d21ca962b124762316f

  • C:\Users\Admin\AppData\Local\Temp\hou6aILpYJCV.bat
    Filesize: 261B
    MD5: 753d86d9020ac6e2742e7bcb0f113bea
    SHA1: 62dadbcce565c262ab19fded1c2dc414b3559fef
    SHA256: c245ff277e382ffebd48f67e0c39e1d773afe89c7945fed07b563d35059b21f7
    SHA512: 37ab612560a0bff6582c2199b1b9263825948cea3c721856cde3b81f60b7b68ec483cf82d315b8b290e68754940094e33e41848f51c6adb8b468a23f08d35ea3

  • C:\Users\Admin\AppData\Roaming\Logs\12-06-2023
    Filesize: 224B
    MD5: 7cf9fd0bb2712da5374c6377c2ae000e
    SHA1: dc606622b48cf227f48f1269e8a1f1eeeb39b831
    SHA256: 69ba63dcc7ea6f6f859a4d86e433b583916c5b356d71cc84d36c86fd30e3c1d3
    SHA512: bf7f29f94d51d24ab3d3f1cf6bc31619676b6bc06cd84d502547f01a9d455c937a31d18314bfeed9215bc82da630790374375c62dc264ef41f08923ce091e119

  • memory/2176-12-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
  • memory/2176-23-0x0000000074570000-0x0000000074D20000-memory.dmp (Filesize: 7.7MB)
  • memory/2176-17-0x00000000057A0000-0x00000000057B2000-memory.dmp (Filesize: 72KB)
  • memory/2176-16-0x0000000005120000-0x0000000005186000-memory.dmp (Filesize: 408KB)
  • memory/2176-14-0x0000000074570000-0x0000000074D20000-memory.dmp (Filesize: 7.7MB)
  • memory/2792-7-0x0000000005C90000-0x0000000005C98000-memory.dmp (Filesize: 32KB)
  • memory/2792-11-0x0000000074570000-0x0000000074D20000-memory.dmp (Filesize: 7.7MB)
  • memory/2792-15-0x0000000074570000-0x0000000074D20000-memory.dmp (Filesize: 7.7MB)
  • memory/2792-10-0x0000000009990000-0x0000000009A2C000-memory.dmp (Filesize: 624KB)
  • memory/2792-9-0x00000000073A0000-0x0000000007438000-memory.dmp (Filesize: 608KB)
  • memory/2792-8-0x0000000005CA0000-0x0000000005CAA000-memory.dmp (Filesize: 40KB)
  • memory/2792-1-0x0000000074570000-0x0000000074D20000-memory.dmp (Filesize: 7.7MB)
  • memory/2792-6-0x0000000005C40000-0x0000000005C5A000-memory.dmp (Filesize: 104KB)
  • memory/2792-5-0x0000000005AA0000-0x0000000005AAA000-memory.dmp (Filesize: 40KB)
  • memory/2792-2-0x00000000060C0000-0x0000000006664000-memory.dmp (Filesize: 5.6MB)
  • memory/2792-0-0x0000000000FE0000-0x00000000010B6000-memory.dmp (Filesize: 856KB)
  • memory/2792-4-0x0000000005CD0000-0x0000000005CE0000-memory.dmp (Filesize: 64KB)
  • memory/2792-3-0x0000000005B10000-0x0000000005BA2000-memory.dmp (Filesize: 584KB)
  • memory/3192-31-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/3192-32-0x0000000005380000-0x0000000005390000-memory.dmp (Filesize: 64KB)
  • memory/3192-39-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/3640-55-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/3640-56-0x0000000005040000-0x0000000005050000-memory.dmp (Filesize: 64KB)
  • memory/3684-40-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/3684-41-0x00000000054A0000-0x00000000054B0000-memory.dmp (Filesize: 64KB)
  • memory/3684-42-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/3684-43-0x00000000054A0000-0x00000000054B0000-memory.dmp (Filesize: 64KB)
  • memory/3684-46-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/4828-45-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/4828-47-0x00000000055C0000-0x00000000055D0000-memory.dmp (Filesize: 64KB)
  • memory/4828-54-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/5064-30-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/5064-28-0x0000000005730000-0x0000000005740000-memory.dmp (Filesize: 64KB)
  • memory/5064-27-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)
  • memory/5064-26-0x0000000005730000-0x0000000005740000-memory.dmp (Filesize: 64KB)
  • memory/5064-25-0x0000000074610000-0x0000000074DC0000-memory.dmp (Filesize: 7.7MB)