Analysis

  • max time kernel
    25s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 23:59

General

  • Target

    07d0c0de71b135af74f710585f13aa33.exe

  • Size

    659KB

  • MD5

    07d0c0de71b135af74f710585f13aa33

  • SHA1

    33c94cc78d9c48c04bda301c6d24069ddab11c63

  • SHA256

    d977d80c3735df4761faf5e37f8f4874b36d2c1d6aaa731f4e37b36c813e5754

  • SHA512

    326fc2a1a015c9d45cb271d86d3d6e738c33f93ad38aa462aad9ea8d7de8a0a052fb53327fd8dd73013b51d079f1c9248930e07cdfb01b80eb3595372a6419b5

  • SSDEEP

    12288:0hIG3Kl8pyP6f+SJ41gVbOmV8NXelO7eA82U:qX3M36XJ4+0wtH2U

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04w

C2

societyf500.ddns.net:5490

Mutex

f4264bdc-b486-4a30-a042-2bcfb907b3c7

Attributes
  • encryption_key

    0204DFA093E27B72F1617CCEA6076BCCE5D0A482

  • install_name

    dwmq.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    dwmq

  • subdirectory

    explorer

Signatures

  • Detect ZGRat V1 (34 IoCs)
  • Quasar RAT

    Quasar is an open-source Remote Access Tool.

  • Quasar payload (1 IoC)
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe
    "C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    PID:4976
    • C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe
      C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe
      2⤵
        PID:432
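A matcher for the indicators this report exposes, added here as an example and not Triage's own code. It takes the C2 host and port, mutex, startup key, install name and subdirectory from the Malware Config, plus the behaviour visible in the process tree (PID 4976 starting a second copy of its own image as PID 432), and runs them over constructed Sysmon-style event dicts. The Run-key hive, the AppData install directory for dwmq.exe and the DNS/connect events are assumptions: the report gives only the value name, the file name and the subdirectory, and shows no network capture.

```python
"""Match this report's Quasar indicators against host telemetry.

Added example, not Triage's code.  EVENTS below are constructed,
Sysmon-style records; the Run-key hive and the install path of dwmq.exe
are assumptions, since the report only names the value ("dwmq"), the
file ("dwmq.exe") and the subdirectory ("explorer")."""
import re

# Indicators copied from the report's Malware Config section.
CONFIG = {
    "c2_host": "societyf500.ddns.net",
    "c2_port": 5490,
    "mutex": "f4264bdc-b486-4a30-a042-2bcfb907b3c7",
    "startup_key": "dwmq",
    "install_name": "dwmq.exe",
    "subdirectory": "explorer",
}

# Matches a value directly under ...\CurrentVersion\Run (not RunOnce) in any hive.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE
)


def check_event(ev: dict, cfg: dict = CONFIG) -> list:
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    kind = ev["kind"]
    if kind == "process_create":
        # Report: PID 4976 launches a second copy of its own image (PID 432).
        if ev["image"].lower() == ev["parent_image"].lower():
            hits.append("self_spawn")
        install_tail = ("\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]).lower()
        if ev["image"].lower().endswith(install_tail):
            hits.append("install_path")
    elif kind == "registry_set":
        m = RUN_KEY_RE.search(ev["target"])
        if m:
            if m.group("name").lower() == cfg["startup_key"].lower():
                hits.append("run_key_name")
            if cfg["install_name"].lower() in ev.get("data", "").lower():
                hits.append("run_key_data")
    elif kind == "dns_query":
        if ev["query"].rstrip(".").lower() == cfg["c2_host"]:
            hits.append("c2_dns")
    elif kind == "network_connect":
        if ev.get("dest_host", "").lower() == cfg["c2_host"] and ev["dest_port"] == cfg["c2_port"]:
            hits.append("c2_connect")
    elif kind == "mutex_create":
        # Sysmon does not log mutexes; this comes from sandbox or EDR telemetry.
        if ev["name"].lower() == cfg["mutex"].lower():
            hits.append("mutex")
    return hits


def scan(events) -> list:
    """(event index, indicator) pairs for every hit in the stream."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


def hits_by_pid(events) -> dict:
    """Group hits by the PID that produced them."""
    out = {}
    for ev in events:
        for h in check_event(ev):
            out.setdefault(ev["pid"], []).append(h)
    return out


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07d0c0de71b135af74f710585f13aa33.exe"
INSTALLED = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\dwmq.exe"  # assumed path

# Constructed event stream: the report's behaviour plus two benign records.
EVENTS = [
    {"kind": "process_create", "pid": 432, "image": SAMPLE,
     "parent_pid": 4976, "parent_image": SAMPLE},
    {"kind": "registry_set", "pid": 4976,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dwmq",
     "data": '"' + INSTALLED + '"'},
    {"kind": "dns_query", "pid": 432, "query": "societyf500.ddns.net"},
    {"kind": "network_connect", "pid": 432,
     "dest_host": "societyf500.ddns.net", "dest_port": 5490},
    {"kind": "mutex_create", "pid": 432, "name": "f4264bdc-b486-4a30-a042-2bcfb907b3c7"},
    {"kind": "process_create", "pid": 6000, "image": INSTALLED,
     "parent_pid": 1234, "parent_image": "C:\\Windows\\explorer.exe"},
    {"kind": "process_create", "pid": 5000, "image": "C:\\Windows\\notepad.exe",
     "parent_pid": 1234, "parent_image": "C:\\Windows\\explorer.exe"},
    {"kind": "registry_set", "pid": 5001,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for pid, hits in sorted(hits_by_pid(EVENTS).items()):
        print(pid, hits)
```

The self-spawn check is the behavioural signal; the others are config-derived and will change with every rebuilt sample, so the hostname, port and mutex should be treated as indicators for this campaign only.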

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\07d0c0de71b135af74f710585f13aa33.exe.log

      Filesize

      1KB

      MD5

      b5291f3dcf2c13784e09a057f2e43d13

      SHA1

      fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

      SHA256

      ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

      SHA512

      11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

    • memory/432-2246-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

    • memory/432-2247-0x00000000053C0000-0x00000000053D0000-memory.dmp

      Filesize

      64KB

    • memory/432-2245-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

    • memory/432-2248-0x0000000006630000-0x0000000006C48000-memory.dmp

      Filesize

      6.1MB

    • memory/432-2252-0x00000000053C0000-0x00000000053D0000-memory.dmp

      Filesize

      64KB

    • memory/432-2251-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

    • memory/432-2250-0x00000000060D0000-0x0000000006182000-memory.dmp

      Filesize

      712KB

    • memory/432-2249-0x0000000005720000-0x0000000005770000-memory.dmp

      Filesize

      320KB

    • memory/4976-194-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

    • memory/4976-43-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-6-0x0000000006D00000-0x0000000006D76000-memory.dmp

      Filesize

      472KB

    • memory/4976-7-0x0000000006C80000-0x0000000006CFC000-memory.dmp

      Filesize

      496KB

    • memory/4976-8-0x0000000005E80000-0x0000000005E9E000-memory.dmp

      Filesize

      120KB

    • memory/4976-9-0x0000000006EF0000-0x0000000006F62000-memory.dmp

      Filesize

      456KB

    • memory/4976-25-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-47-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-65-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-73-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-71-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-69-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-67-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-63-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-61-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-59-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-57-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-5-0x0000000005B00000-0x0000000005B0A000-memory.dmp

      Filesize

      40KB

    • memory/4976-55-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-53-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-51-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-49-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-45-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-2-0x0000000005ED0000-0x0000000006474000-memory.dmp

      Filesize

      5.6MB

    • memory/4976-41-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-39-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-37-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-35-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-33-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-31-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-29-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-27-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-23-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-21-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-19-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-17-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-15-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-13-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-11-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-10-0x0000000006EF0000-0x0000000006F5C000-memory.dmp

      Filesize

      432KB

    • memory/4976-1688-0x0000000005A10000-0x0000000005A20000-memory.dmp

      Filesize

      64KB

    • memory/4976-4-0x0000000005A10000-0x0000000005A20000-memory.dmp

      Filesize

      64KB

    • memory/4976-3-0x0000000005A20000-0x0000000005AB2000-memory.dmp

      Filesize

      584KB

    • memory/4976-0-0x0000000000EB0000-0x0000000000F5A000-memory.dmp

      Filesize

      680KB

    • memory/4976-1-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

    • memory/4976-2244-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB
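A parser for the memory-dump artifact names in the listing above, added as an example and not Triage's code. It recovers PID, capture ordinal and address range from each name, re-derives the size and compares it with the Filesize printed beside it, counts how often each region was captured, and lists ranges that appear at the same base in both PIDs. SAMPLE_DUMPS is a constructed subset copied from this page; the naming pattern memory/<pid>-<ordinal>-0x<start>-0x<end>-memory.dmp is an assumption read off the listing.

```python
"""Parse Triage memory-dump artifact names and sanity-check the listing.

Added example, not Triage's code.  SAMPLE_DUMPS is a constructed subset of
the Downloads entries on this page, as (artifact name, listed size) pairs;
the name pattern is assumed from the listing."""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<ordinal>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split an artifact name into pid, capture ordinal and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "ordinal": int(m["ordinal"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes: int) -> str:
    """Render a size the way the report does: whole KB below 1 MiB,
    one decimal MB at or above it."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def size_mismatches(entries) -> list:
    """Artifact names whose address range disagrees with the printed size
    (an empty list means the listing is self-consistent)."""
    return [name for name, listed in entries
            if human_size(parse_dump_name(name)["size"]) != listed]


def region_counts(entries) -> Counter:
    """How many times each (pid, start, end) region was captured; a region
    dumped over and over is one the sandbox saw rewritten repeatedly."""
    c = Counter()
    for name, _ in entries:
        d = parse_dump_name(name)
        c[(d["pid"], d["start"], d["end"])] += 1
    return c


def shared_ranges(entries) -> set:
    """Ranges captured at the same base in more than one process, which is
    what a DLL mapped into both would look like."""
    by_range = {}
    for name, _ in entries:
        d = parse_dump_name(name)
        by_range.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {r for r, pids in by_range.items() if len(pids) > 1}


# Constructed subset of the Downloads listing: (artifact name, Filesize).
SAMPLE_DUMPS = [
    ("memory/432-2246-0x0000000000400000-0x0000000000484000-memory.dmp", "528KB"),
    ("memory/432-2245-0x00000000746D0000-0x0000000074E80000-memory.dmp", "7.7MB"),
    ("memory/432-2248-0x0000000006630000-0x0000000006C48000-memory.dmp", "6.1MB"),
    ("memory/432-2250-0x00000000060D0000-0x0000000006182000-memory.dmp", "712KB"),
    ("memory/432-2249-0x0000000005720000-0x0000000005770000-memory.dmp", "320KB"),
    ("memory/4976-0-0x0000000000EB0000-0x0000000000F5A000-memory.dmp", "680KB"),
    ("memory/4976-1-0x00000000746D0000-0x0000000074E80000-memory.dmp", "7.7MB"),
    ("memory/4976-2-0x0000000005ED0000-0x0000000006474000-memory.dmp", "5.6MB"),
    ("memory/4976-9-0x0000000006EF0000-0x0000000006F62000-memory.dmp", "456KB"),
    ("memory/4976-10-0x0000000006EF0000-0x0000000006F5C000-memory.dmp", "432KB"),
    ("memory/4976-11-0x0000000006EF0000-0x0000000006F5C000-memory.dmp", "432KB"),
    ("memory/4976-13-0x0000000006EF0000-0x0000000006F5C000-memory.dmp", "432KB"),
]

if __name__ == "__main__":
    print("size mismatches:", size_mismatches(SAMPLE_DUMPS))
    for (pid, start, end), n in region_counts(SAMPLE_DUMPS).most_common(3):
        print(f"pid {pid} {start:#x}-{end:#x} captured {n}x")
    print("shared ranges:", {f"{s:#x}-{e:#x}" for s, e in shared_ranges(SAMPLE_DUMPS)})
```

Over the full listing the 0x6EF0000-0x6F5C000 region in PID 4976 is captured at ordinals 10 through 73, which is the region worth carving first when looking for the decrypted payload; the 0x746D0000-0x74E80000 range appears at the same base in both processes; and the 528KB region at 0x400000 in PID 432 (the child copy of the same executable) is smaller than the 680KB image the parent has at 0xEB0000, consistent with a different PE having been written into the child.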