Analysis Overview
SHA256
67860b6c376983094f49a5a09dcaae107c693a2cdfbd203065ca2415a32f11cb
Threat Level: Known bad
The file 12332e311cefd7bc4b016ab51b885c7a was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 07:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 07:31
Reported
2024-01-01 09:18
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe | C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe
"C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe"
C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe
C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 388
Network
Files
memory/1724-0-0x0000000074FE0000-0x000000007558B000-memory.dmp
memory/1724-1-0x0000000074FE0000-0x000000007558B000-memory.dmp
memory/1724-2-0x0000000000A90000-0x0000000000AD0000-memory.dmp
memory/2100-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1724-6-0x0000000074FE0000-0x000000007558B000-memory.dmp
memory/2100-10-0x00000000002A0000-0x00000000002E0000-memory.dmp
memory/2100-11-0x0000000074A30000-0x0000000074FDB000-memory.dmp
memory/2100-9-0x0000000074A30000-0x0000000074FDB000-memory.dmp
memory/2828-12-0x0000000002480000-0x0000000002481000-memory.dmp
memory/2100-5-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2100-3-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2100-14-0x00000000002A0000-0x00000000002E0000-memory.dmp
memory/2100-13-0x0000000074A30000-0x0000000074FDB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 07:31
Reported
2024-01-01 09:19
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
169s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4716 set thread context of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe | C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe
"C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe"
C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe
C:\Users\Admin\AppData\Local\Temp\12332e311cefd7bc4b016ab51b885c7a.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 776
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 52.111.229.19:443 | tcp | |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 52.168.112.67:443 | tcp | |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | tcp | |
| GB | 96.17.178.174:80 | tcp | |
| GB | 96.17.178.174:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.135.217:80 | tcp | |
| N/A | 88.221.135.217:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp |
Files
memory/4716-0-0x0000000074EE0000-0x0000000075491000-memory.dmp
memory/4716-2-0x0000000001480000-0x0000000001490000-memory.dmp
memory/4716-1-0x0000000074EE0000-0x0000000075491000-memory.dmp
memory/1304-3-0x0000000000400000-0x000000000045E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\12332e311cefd7bc4b016ab51b885c7a.exe.log
| MD5 | c19eb8c8e7a40e6b987f9d2ee952996e |
| SHA1 | 6fc3049855bc9100643e162511673c6df0f28bfb |
| SHA256 | 677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a |
| SHA512 | 860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596 |
memory/4716-7-0x0000000074EE0000-0x0000000075491000-memory.dmp
memory/1304-6-0x0000000074EE0000-0x0000000075491000-memory.dmp
memory/1304-8-0x00000000011E0000-0x00000000011F0000-memory.dmp
memory/1304-9-0x0000000074EE0000-0x0000000075491000-memory.dmp
memory/1304-16-0x0000000074EE0000-0x0000000075491000-memory.dmp