Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-02-2024 14:33

General

  • Target

    test.exe

  • Size

    3.3MB

  • MD5

    fbeec3a99ddfa31e7aac9b09f4ca8158

  • SHA1

    2b66e39b1e98320db37578a317021f870a39302b

  • SHA256

    6aada60dd11d7a1157b24ccffa3d6ef2b5200487779ea648c36a92ffdba93af8

  • SHA512

    62bc3ee9f312d341116c37c8c0e781896699aa598e7904c2eb6fe5374aa17eda77fa053346e9909bf5677b4ccd59e7ea8e6d4ac5c637f434532abd040f24f88d

  • SSDEEP

    49152:KvyI22SsaNYfdPBldt698dBcjHdffaBxtFoGdKTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHRfK

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    Office04
  • C2
    192.168.0.220:1234 (an RFC 1918 private address: the operator's listener sits on a local network, so the implant cannot reach it from a sandbox, which is consistent with the empty Network section below)
  • Mutex
    1086eee1-251e-49e1-b643-b2a2bc0e42ea
  • Attributes
    • encryption_key
      A0937AB413B78114B0DA85D9EA95BA3AF9187438
    • install_name
      Updater.exe (file name of the installed copy; see the process tree)
    • log_directory
      Logs
    • reconnect_delay
      3000 (milliseconds between reconnection attempts to the C2)
    • startup_key
      Application Frame Handler (reused as the scheduled task name in the process tree)
    • subdirectory
      Security (install directory under %APPDATA%, giving C:\Users\Admin\AppData\Roaming\Security\Updater.exe)

Signatures

  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM. This is a signature match only: the extracted configuration identifies the payload as Quasar 1.4.1, and the extracted config, not the generic signature, should be treated as the family attribution.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. In this run both test.exe and its dropped copy Updater.exe invoke schtasks /create for the task "Application Frame Handler" (the config's startup_key) with /sc ONLOGON and /rl HIGHEST, pointing at C:\Users\Admin\AppData\Roaming\Security\Updater.exe (the config's subdirectory and install_name), which is why the signature records two IoCs.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

    Attributed to the installed copy Updater.exe (PID 2284) in the process tree; SetWindowsHookEx is the API commonly used by user-mode keyloggers.

  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Application Frame Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Security\Updater.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4576
    • C:\Users\Admin\AppData\Roaming\Security\Updater.exe
      "C:\Users\Admin\AppData\Roaming\Security\Updater.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Application Frame Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Security\Updater.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1652
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6b0b46f8,0x7ffc6b0b4708,0x7ffc6b0b4718
      2⤵
      PID:4124
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      2⤵
      PID:2572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:464
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      2⤵
      PID:4764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      2⤵
      PID:2312
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      2⤵
      PID:5088
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      2⤵
      PID:3376
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13262641941447427527,656689230827413285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
      2⤵
      PID:1448
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3360
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2344

The msedge.exe and CompPkgSrv.exe trees are top-level (1⤵) processes with no parent in the sample's tree, i.e. they are not spawned by test.exe or Updater.exe. The signature hits attributed to them (registry enumeration, EnumeratesProcesses, FindShellTrayWindow, SendNotifyMessage) are ordinary browser behaviour and should not be counted among the sample's indicators. The sample's own activity is confined to test.exe (PID 3600), its self-copy Updater.exe (PID 2284) and the two schtasks.exe invocations.
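
As an added example that is not part of this report or of the sandbox's own tooling: a small Python detector that parses schtasks /create command lines as they would appear in Sysmon event 1 or Security 4688 process-creation logs and flags the combination recorded in the process tree above, a logon or boot trigger, /rl HIGHEST, and a task target under a user-writable path. The sample inputs are constructed: the first two are the exact command lines from this run, the remaining three are made-up benign and variant cases. The list of user-writable paths and the two-reason threshold are assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log lines. Entries 0 and 1 are the schtasks command lines
# from the process tree above (parent test.exe and self-copy Updater.exe each
# register the task); entries 2-4 are made-up benign / variant cases.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "Application Frame Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Security\Updater.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Application Frame Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Security\Updater.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "OneDrive Update" /sc DAILY /tr "C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe" /f',
    r'schtasks /query /tn "Application Frame Handler"',
    r'schtasks.exe /Create /TN Cleanup /SC ONSTART /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Temp\x.exe',
]

# Assumed list of directories an unprivileged user can write to (lower-case, with
# surrounding backslashes so "\appdata\" does not match "\appdatax\").
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# schtasks /sc values that fire without user interaction at boot or logon.
BOOT_OR_LOGON_TRIGGERS = {"ONLOGON", "ONSTART"}
# Windows command-line tokenizer: a double-quoted run or a run of non-spaces.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class TaskCreate:
    task_name: str
    schedule: str
    run_level: str
    target: str
    force: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: two independent persistence indicators.
        return len(self.reasons) >= 2


def _tokens(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Return a TaskCreate for a schtasks /create command line, else None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    # schtasks switches are case-insensitive; a switch takes the next token as
    # its value unless that token is itself a switch (e.g. /create, /f).
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = ""
        i += 1
    if "create" not in opts:
        return None
    return TaskCreate(task_name=opts.get("tn", ""), schedule=opts.get("sc", "").upper(),
                      run_level=opts.get("rl", "").upper(), target=opts.get("tr", ""),
                      force="f" in opts)


def assess(task: TaskCreate) -> TaskCreate:
    """Attach persistence indicators (ATT&CK T1053.005, Scheduled Task) to a parsed task."""
    if task.schedule in BOOT_OR_LOGON_TRIGGERS:
        task.reasons.append(f"/sc {task.schedule}: fires at boot/logon without user interaction")
    if task.run_level == "HIGHEST":
        task.reasons.append("/rl HIGHEST: task runs with the highest token available to the user")
    if any(marker in task.target.lower() for marker in USER_WRITABLE):
        task.reasons.append("target binary lives in a user-writable directory")
    if task.force:
        task.reasons.append("/f: silently overwrites an existing task with the same name")
    return task


def scan(cmdlines) -> list:
    """Return the suspicious task registrations found in a batch of command lines."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is not None and assess(task).suspicious:
            findings.append(task)
    return findings


def repeated_task_names(findings) -> dict:
    """Task names registered more than once, as the parent and its dropped copy do above."""
    counts = Counter(t.task_name for t in findings)
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    hits = scan(SAMPLE_CMDLINES)
    for t in hits:
        print(f'[!] task "{t.task_name}" -> {t.target}')
        for r in t.reasons:
            print(f"      - {r}")
    print("registered more than once:", repeated_task_names(hits))
```

On the constructed input the two report command lines and the ONSTART/Temp variant are flagged, the OneDrive task is not (a daily trigger into Program Files earns only the /f reason), and the /query line is ignored because it creates nothing. The duplicate registration of "Application Frame Handler" is itself a useful signal: the parent and the installed copy each run schtasks, so the same task name appears twice within seconds from two different process images.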

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 84381d71cf667d9a138ea03b3283aea5
    SHA1: 33dfc8a32806beaaafaec25850b217c856ce6c7b
    SHA256: 32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424
    SHA512: 469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 222e458d0daaa12ccd2b4d0cde00e6a7
    SHA1: ef0f98291b2b3aa0c3bd28f9a978ee53c9cd4a73
    SHA256: 6a6e104ddf2c37292fe97df4e05c380762281042906c75a399edec9dab8e33e7
    SHA512: b3acb4524bb591583527d48ce034d9f274c6e02d5fc98999d4ba504156a7cd7c5b011d7f9ec7d43301f71f2a4c8ccf8344b9d60868db4df6dffd7985e22e2ce4

  • C:\Users\Admin\AppData\Roaming\Security\Updater.exe
    Filesize: 1.1MB
    MD5: f255b68f355f71f044d13cfdbbb3abc1
    SHA1: 233031d5596f8395df112b81997473bbe5bc19ab
    SHA256: fef90b178f13511a959b5347fb4692e20aa1d8d0a06f81bfeb00098945e37871
    SHA512: 2a0a7a8ab8c208b7eb1acac764b76228417d24613ab880985542df4ca6752fdea25718e455f1bd08acc1149bcaa4edfa6221231170d9942ce14da8d3e558cd39

  • C:\Users\Admin\AppData\Roaming\Security\Updater.exe
    Filesize: 3.3MB
    MD5: fbeec3a99ddfa31e7aac9b09f4ca8158
    SHA1: 2b66e39b1e98320db37578a317021f870a39302b
    SHA256: 6aada60dd11d7a1157b24ccffa3d6ef2b5200487779ea648c36a92ffdba93af8
    SHA512: 62bc3ee9f312d341116c37c8c0e781896699aa598e7904c2eb6fe5374aa17eda77fa053346e9909bf5677b4ccd59e7ea8e6d4ac5c637f434532abd040f24f88d

The two Edge files are written by the browser's own profile setup and are unrelated to the sample. The two Updater.exe entries share one path: the 3.3MB entry carries exactly the hashes of the submitted test.exe, so the installed copy is a byte-for-byte self-copy and the Target hashes in the General section serve as the IoC for it; the 1.1MB entry is most likely the same file captured while the copy was still being written and its hashes should not be used as an indicator.

  • memory/2284-13-0x000000001CB80000-0x000000001CC32000-memory.dmp
    Filesize: 712KB

  • memory/2284-9-0x00007FFC6F9B0000-0x00007FFC70471000-memory.dmp
    Filesize: 10.8MB

  • memory/2284-11-0x00000000032D0000-0x00000000032E0000-memory.dmp
    Filesize: 64KB

  • memory/2284-12-0x0000000003340000-0x0000000003390000-memory.dmp
    Filesize: 320KB

  • memory/2284-14-0x00007FFC6F9B0000-0x00007FFC70471000-memory.dmp
    Filesize: 10.8MB

  • memory/2284-15-0x00000000032D0000-0x00000000032E0000-memory.dmp
    Filesize: 64KB

  • memory/3600-10-0x00007FFC6F9B0000-0x00007FFC70471000-memory.dmp
    Filesize: 10.8MB

  • memory/3600-0-0x0000000000BA0000-0x0000000000EF8000-memory.dmp
    Filesize: 3.3MB

  • memory/3600-2-0x000000001BC40000-0x000000001BC50000-memory.dmp
    Filesize: 64KB

  • memory/3600-1-0x00007FFC6F9B0000-0x00007FFC70471000-memory.dmp
    Filesize: 10.8MB