Analysis Overview
SHA256
d2835aa9243d529d8d44846d383f97f1bb7b976bc4c378d29d2387d1ba6c1d09
Threat Level: Known bad
The file Syences.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-14 08:15
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-14 08:15
Reported
2023-12-14 08:18
Platform
win7-20231130-en
Max time kernel
147s
Max time network
122s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Syences.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2836 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Syences.exe | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe |
| PID 2836 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Syences.exe | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe |
| PID 2836 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Syences.exe | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Syences.exe
"C:\Users\Admin\AppData\Local\Temp\Syences.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"
Network
All 33 TCP connections in this run go to 127.0.0.1:4782 (4782 is Quasar's default port). No external C2 address was contacted during detonation, so this network log alone yields no server indicator.
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
Files
memory/2836-0-0x0000000000080000-0x00000000003A6000-memory.dmp
memory/2836-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
memory/2836-2-0x000000001B2B0000-0x000000001B330000-memory.dmp
memory/2164-7-0x00000000013C0000-0x00000000016E6000-memory.dmp
memory/2164-8-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
| MD5 | 1f67224f6ee752d3c444263351ca600c |
| SHA1 | 32938293d6ef272fe4cbb0f605020bd3caf24929 |
| SHA256 | 0ef1f9014c07fc422e7d9d767bd3fc012e138e2429ee63c752d838407fcba66d |
| SHA512 | 51ff4c3cf0cc149b1a8ddb6460828119972c7437de7aa142e1f02f64265609629e76732e1254f61bbda392f30d0659ee9bf58273680297e6fd18e602ba660e26 |
C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
| MD5 | 494b53b10bb481411a100d25903b13d0 |
| SHA1 | e6275e6476f69dfd041130a2c3d233f9a8272813 |
| SHA256 | bc13fef4c2983cb34cfe6d4aa7b479661bdcb9ee0d9634eeb2a7831dbd5e4f36 |
| SHA512 | e3244b86e62814a29a8bec2d4b21714c24a3df3312df8cc44b49e27d35edf9b7ac9a645fd3eaef564f0e62717170ff5c8d4e6b32d8b79d3b809f92b45e5f0f2d |
memory/2164-9-0x000000001B160000-0x000000001B1E0000-memory.dmp
memory/2836-10-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
memory/2164-11-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
memory/2164-12-0x000000001B160000-0x000000001B1E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-14 08:15
Reported
2023-12-14 08:18
Platform
win10v2004-20231130-en
Max time kernel
147s
Max time network
146s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Syences.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2804 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\Syences.exe | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe |
| PID 2804 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\Syences.exe | C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Syences.exe
"C:\Users\Admin\AppData\Local\Temp\Syences.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"
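Both behavioral runs show the same chain: Syences.exe in the user's Temp directory drops Synecs.exe under AppData\Roaming\SubDir and starts it, both processes enable SeDebugPrivilege, the parent writes into the child's memory (2836 into 2164 on Win7, 2804 into 2300 on Win10), the child installs a Windows hook, and TCP connections go to 127.0.0.1:4782. The Python below is an added example, not code from this report or from Quasar: it correlates sandbox-style events into that chain so the individual "Suspicious use of ..." signatures become one finding. The event schema and the event list are constructed to mirror the report's Signatures tables; attributing the 4782 connections to the dropped copy is an assumption, since the report's Network table does not name the connecting process.

```python
"""Correlate sandbox-style process events into the loader -> dropped-client
chain this report shows.  Added example, not code from the sandbox report or
from Quasar; the event schema below is a hypothetical one modelled on the
report's Signatures tables."""

QUASAR_DEFAULT_PORT = 4782  # port Quasar's client builder pre-fills

# Constructed events reproducing the behavioral1 run (PIDs 2836 -> 2164).
# behavioral2 shows the same chain with PIDs 2804 -> 2300.
EVENTS = [
    {"kind": "process_start", "pid": 2836, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Syences.exe"},
    {"kind": "file_create", "pid": 2836,
     "path": r"C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"},
    {"kind": "process_start", "pid": 2164, "ppid": 2836,
     "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe"},
    {"kind": "adjust_privilege", "pid": 2836, "privilege": "SeDebugPrivilege"},
    {"kind": "adjust_privilege", "pid": 2164, "privilege": "SeDebugPrivilege"},
    {"kind": "write_process_memory", "pid": 2836, "target_pid": 2164},
    {"kind": "write_process_memory", "pid": 2836, "target_pid": 2164},
    {"kind": "set_windows_hook", "pid": 2164},
    # The report's Network table does not name the connecting process;
    # attributing the 4782 connections to the dropped copy is an assumption.
    {"kind": "connect", "pid": 2164, "dst": "127.0.0.1:4782", "proto": "tcp"},
]


def in_user_writable_dir(image):
    """True for images under the per-user Temp or Roaming profile directories."""
    p = image.lower()
    return "\\appdata\\local\\temp\\" in p or "\\appdata\\roaming\\" in p


def build_processes(events):
    """Index process_start events by pid and attach each pid's later behaviour."""
    procs = {e["pid"]: {"image": e["image"], "ppid": e["ppid"], "priv": set(),
                        "wpm_targets": set(), "hooks": 0, "connects": []}
             for e in events if e["kind"] == "process_start"}
    for e in events:
        p = procs.get(e["pid"])
        if p is None:
            continue
        if e["kind"] == "adjust_privilege":
            p["priv"].add(e["privilege"])
        elif e["kind"] == "write_process_memory":
            p["wpm_targets"].add(e["target_pid"])
        elif e["kind"] == "set_windows_hook":
            p["hooks"] += 1
        elif e["kind"] == "connect":
            host, port = e["dst"].rsplit(":", 1)
            p["connects"].append((host, int(port)))
    return procs


def find_dropper_chains(events):
    """Return [(parent_pid, child_pid, reasons)] for every process that runs a
    file its parent dropped and that its parent also wrote memory into."""
    procs = build_processes(events)
    dropped = {e["path"].lower() for e in events if e["kind"] == "file_create"}
    chains = []
    for cpid, child in procs.items():
        parent = procs.get(child["ppid"])
        if parent is None or child["image"].lower() not in dropped:
            continue
        if cpid not in parent["wpm_targets"]:
            continue  # the injection step is required for a hit
        reasons = ["executes_dropped_exe", "parent_wrote_child_memory"]
        if in_user_writable_dir(parent["image"]):
            reasons.append("parent_runs_from_user_profile")
        if in_user_writable_dir(child["image"]):
            reasons.append("dropped_under_appdata")
        if "SeDebugPrivilege" in parent["priv"] and "SeDebugPrivilege" in child["priv"]:
            reasons.append("sedebug_in_both")
        if child["hooks"]:
            reasons.append("child_sets_windows_hook")
        if any(port == QUASAR_DEFAULT_PORT for _, port in child["connects"]):
            reasons.append("quasar_default_port_4782")
        if child["connects"] and all(h == "127.0.0.1" for h, _ in child["connects"]):
            reasons.append("loopback_only_no_external_c2")
        chains.append((child["ppid"], cpid, reasons))
    return chains


if __name__ == "__main__":
    for ppid, cpid, reasons in find_dropper_chains(EVENTS):
        print(f"{ppid} -> {cpid}: " + ", ".join(reasons))
```

The parent-writes-into-child requirement is what separates this from an ordinary installer that drops and runs a second binary; dropping the requirement would make every self-extracting setup a hit. Feeding the same function the behavioral2 PIDs (2804, 2300) produces the same reason list.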
Network
The 8.8.8.8 PTR lookups and the tse1.mm.bing.net connections are consistent with Windows 10 background traffic on the sandbox host; the connections attributable to the sample again go only to 127.0.0.1:4782 (27 TCP attempts), so no external C2 address was observed in this run either.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | | tcp |
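The Network tables of both runs are the raw export of the sandbox's connection log: loopback rows carry the protocol in the Domain column and, in the Win10 run, reverse-DNS lookups and bing.net connections are interleaved with the sample's own 127.0.0.1:4782 attempts. As an added example that is not part of this report, the Python below parses that table format as exported (tolerating the shifted rows and the missing trailing pipe), groups destinations, and separates loopback traffic on Quasar's default port from what is assumed to be sandbox background traffic. The sample rows are a constructed subset copied from the two tables; the background-domain suffix list is a heuristic, and treating every loopback row as the sample's own traffic is an assumption.

```python
"""Triage the pipe-delimited Network tables of this report.  Added example,
not part of the sandbox report; the background-traffic rules are heuristics
and the row subset below is constructed from rows in both runs."""
from collections import Counter

QUASAR_DEFAULT_PORT = 4782  # port Quasar's client builder pre-fills
PROTOS = {"tcp", "udp"}
# Domain suffixes assumed to be OS/sandbox background rather than sample traffic.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.net")

# Constructed subset copied from the behavioral1/behavioral2 tables, kept in
# the report's own (partly misaligned) layout: loopback rows have the proto in
# the Domain column and the last row lacks its trailing pipe.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | tcp |
"""


def parse_table(text):
    """Parse rows into dicts, repairing rows whose proto sits in the Domain column."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]  # drop the empty cell of a shifted row
        if len(cells) < 2 or cells[0] == "Country":
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c.lower() not in PROTOS), "")
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """'sample' for the detonated binary's own traffic, 'background' for
    assumed sandbox/OS noise, 'unknown' for anything else (candidate C2)."""
    if row["host"] == "127.0.0.1":
        return "sample"  # assumption: loopback rows here are the sample's own
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "unknown"


def summarize(rows):
    """Count (host, port, proto) per class and flag Quasar-default-port traffic."""
    counts = {"sample": Counter(), "background": Counter(), "unknown": Counter()}
    for r in rows:
        counts[classify(r)][(r["host"], r["port"], r["proto"])] += 1
    flags = [f"{n}x {proto} {host}:{port} (Quasar default port)"
             for (host, port, proto), n in counts["sample"].items()
             if port == QUASAR_DEFAULT_PORT]
    return counts, flags


if __name__ == "__main__":
    counts, flags = summarize(parse_table(SAMPLE_TABLE))
    for cls, ctr in counts.items():
        for (host, port, proto), n in sorted(ctr.items()):
            print(f"{cls:10} {n:3}x {proto} {host}:{port}")
    for f in flags:
        print("FLAG:", f)
```

Anything that lands in the `unknown` bucket is what a practitioner would pivot on as a candidate C2 address; for this sample that bucket is empty in both runs, which is the point the raw tables obscure under 60 rows of loopback and reverse-DNS noise.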
Files
memory/2804-0-0x0000000000530000-0x0000000000856000-memory.dmp
memory/2804-2-0x000000001B310000-0x000000001B320000-memory.dmp
memory/2804-1-0x00007FFE7E760000-0x00007FFE7F221000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
| MD5 | 523ebf55bb54cad7f0c3b4eacfcd8b22 |
| SHA1 | 73ea23668211e458f724aebc555ec239e8a79d94 |
| SHA256 | c7a497234ef3234ff24926a4a5100a6bf4ecc535d07929c797f3f00a3283c73c |
| SHA512 | 109c3d758f9e8cef2599b8e4b6a8bc6f0574dcda4e8a204364effe85d381a2eae4626e00296ea7946395d3f0ad07b57b7bf8dbd032a0779d5a3bd6911e533636 |
C:\Users\Admin\AppData\Roaming\SubDir\Synecs.exe
| MD5 | f6e7f94b768e105a8f9ad2360b51b658 |
| SHA1 | a0e121e1747a8623010ca53ee5cc5fb31f61420c |
| SHA256 | 46f40e435e6c00c0b355a8fdc711a20cbb8998c48221a038fe818745246c1e8a |
| SHA512 | c23656a9e954800a1fa0629e13ea6b62d4336cc17d5754b0401344a24eb6f105b745ded3fa65a9f7c6ca144cc43c807a59bd2a1c052adeecae811a1003932e4d |
memory/2300-8-0x00007FFE7E760000-0x00007FFE7F221000-memory.dmp
memory/2300-9-0x00000000019C0000-0x00000000019D0000-memory.dmp
memory/2804-10-0x00007FFE7E760000-0x00007FFE7F221000-memory.dmp
memory/2300-11-0x000000001BBC0000-0x000000001BC10000-memory.dmp
memory/2300-12-0x000000001C2E0000-0x000000001C392000-memory.dmp
memory/2300-13-0x00007FFE7E760000-0x00007FFE7F221000-memory.dmp
memory/2300-14-0x00000000019C0000-0x00000000019D0000-memory.dmp