Analysis Overview
SHA256
fe8593b5d45e1ffcd4f1d47e4167c5e13ad33f3391250d53e500ff0328f018cc
Threat Level: Known bad
The file 24ac8f788c945be0d9ce1ee31573e040 was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 02:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 02:35
Reported
2024-01-01 23:28
Platform
win7-20231215-en
Max time kernel
14s
Max time network
123s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2052 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | "C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe" |
| C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | "C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe" |
| C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | "C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe" |
| C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe | "C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Microsoft Offline" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\24ac8f788c945be0d9ce1ee31573e040.exe" /rl HIGHEST /f |
| C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe" |
| C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe" |
| C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Microsoft Offline" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe" /rl HIGHEST /f |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2052-0-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2052-1-0x00000000009C0000-0x0000000000A72000-memory.dmp
memory/2052-2-0x0000000004C20000-0x0000000004C60000-memory.dmp
memory/2052-3-0x0000000000460000-0x0000000000478000-memory.dmp
memory/2664-7-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2664-15-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2664-13-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2664-16-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2664-11-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2664-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2664-8-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2664-6-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2664-4-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2664-17-0x00000000049F0000-0x0000000004A30000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
| Hash | Value |
| --- | --- |
| MD5 | 375a9f2d5fb110069458ffcc9ebfe730 |
| SHA1 | cacf850343f9efae685a62d74928dc6432ba2c0d |
| SHA256 | 309840edc17b613295521d0b7f48bb124684941469354d50dee8b931a2ac3506 |
| SHA512 | 6d310ba9f98d66889180bd0bea8e7da674969725400581b19a07a693c83f8aab66f56e34664356e5be3096df7951621a6c5e243749505ab11207e7b71e76aa53 |
memory/2772-25-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2664-26-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2772-24-0x0000000000240000-0x00000000002F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
| Hash | Value |
| --- | --- |
| MD5 | 16e0761029cad9ace58028a0696bde90 |
| SHA1 | 57579989a7660fc69f2fa2997137defa98e896ee |
| SHA256 | 7b0add65eaa614becbbe0c6a3f4f5d4ea17e6f13622cdcde2f82b849fc3682e4 |
| SHA512 | a818d511a5b30fd93dab369f77b8d56de93f4bfd4038ee503da07896ab22877e6ecfb997f4d867d10946ff52db432b33dde287f3dcc440d3d0ebd9b5edcabfb8 |
C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
| Hash | Value |
| --- | --- |
| MD5 | 601a7744bdaa3bc3556f08c5af10ee71 |
| SHA1 | 7adde03acfc418569e640842ac1e0bf0df10a66d |
| SHA256 | ac601d05ed43e88ce325805bd0cf757d16d0969c91814e2423ab00a9f6f606b9 |
| SHA512 | a8ebbd487638518f2bb499cbc917551953ebbd3f5df21bc26b3a6e06a53391e7a5a331e11cf679054f1f1c7d5448d99e31e344816e7b2455fe4723e4c44ef2eb |
memory/2772-27-0x0000000001E20000-0x0000000001E60000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
| Hash | Value |
| --- | --- |
| MD5 | 0449d4ff0ddd8e361ffd3ed86db2bb73 |
| SHA1 | f0eca6a3230bdbc307750bd2d9620ef534ea40ea |
| SHA256 | 8305a14f176ccae401c3bb326a597c04c37a6a10c33dbdcefb2893ff0bb246a9 |
| SHA512 | 98adc257c129bba7b453e1ee64fa88b3ecd784f7cc37a27ab06801e759ac8614dc049ee8ba4e8111bbff148617e4fa5509d57d30d9dd770be26ceccb5bc73088 |
memory/2376-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2052-42-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2376-44-0x00000000049F0000-0x0000000004A30000-memory.dmp
memory/2376-43-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2772-46-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2772-47-0x0000000001E20000-0x0000000001E60000-memory.dmp
memory/2376-48-0x0000000074DA0000-0x000000007548E000-memory.dmp
memory/2376-49-0x00000000049F0000-0x0000000004A30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 02:35
Reported
2024-01-01 23:29
Platform
win10v2004-20231215-en