Overview

overview

10

Static

static

7

HyperWare_...ed.exe

windows7-x64

10

HyperWare_...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/03/2024, 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HyperWare_protected.exe

  • Size

    5.0MB

  • MD5

    9e9a6f9a90c1fa79bd9a09345b31b9ab

  • SHA1

    3e9409d409256f02efed1b52f527d4a6791d0926

  • SHA256

    9020aae0a31cd7145e594a192a1b378f5265ff12a30173a0781c2bd28e4a2db0

  • SHA512

    2637991f9cb9919143e5d9fbf9973035e9ba2ae97a1c8c3e7257f3e67e5cf3695a084045b18f81fc2b461524e17bca88e1a8039b780b4a5cb9d8cbbcb39eec62

  • SSDEEP

    98304:im309bAHMZH4Wv3iV21iP8Rsjax0mLK7ObppdX:X309bhlvTm8Rsjau37ObpHX

Score
10/10
quasaroffice04evasionspywarethemidatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

80.222.152.67:4782

Mutex

b1211cdc-e7ee-41df-a882-918ae7c97f3c

Attributes
  • encryption_key

    A684ADED669CF87DBFCB7333A13FCD58A8471D17

  • install_name

    HyperUD.exe

  • log_directory

    AppdataLog

  • reconnect_delay

    3000

  • startup_key

    Steam Client Webhelper

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 7 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HyperWare_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\HyperWare_protected.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4196
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Steam Client Webhelper" /sc ONLOGON /tr "C:\Windows\system32\SubDir\HyperUD.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4104
    • C:\Windows\SysWOW64\SubDir\HyperUD.exe
      "C:\Windows\system32\SubDir\HyperUD.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\SubDir\HyperUD.exe
    Filesize

    2.1MB

    MD5

    a0a7c5d49e10f25a28c6bd824def240a

    SHA1

    44e07a35bd69b2ace3787d609ae7af5aab4f1775

    SHA256

    c81b09cc6f30170e07c606667290d2fb1bc83e533becefba7e0549901c9f7963

    SHA512

    07206ec8f4632dc4b670ebfa169020d47f8c9a473b7bd90da70d974f76530a8f87b0865f4c4e0bd64a851b6dc9354c94484a6c68bb3f5cb3344dc9fffe798b95

    Download Submit

  • C:\Windows\SysWOW64\SubDir\HyperUD.exe
    Filesize

    5.0MB

    MD5

    9e9a6f9a90c1fa79bd9a09345b31b9ab

    SHA1

    3e9409d409256f02efed1b52f527d4a6791d0926

    SHA256

    9020aae0a31cd7145e594a192a1b378f5265ff12a30173a0781c2bd28e4a2db0

    SHA512

    2637991f9cb9919143e5d9fbf9973035e9ba2ae97a1c8c3e7257f3e67e5cf3695a084045b18f81fc2b461524e17bca88e1a8039b780b4a5cb9d8cbbcb39eec62

    Download Submit

  • memory/2756-23-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-35-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/2756-40-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-41-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-42-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-43-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-39-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-38-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-36-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-27-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-26-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-33-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/2756-32-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/2756-30-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-20-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/2756-28-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-29-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2756-24-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-12-0x0000000006620000-0x0000000006BC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4196-13-0x0000000003780000-0x0000000003812000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4196-5-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-22-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-21-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/4196-2-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-14-0x0000000003870000-0x000000000387A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4196-3-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-0-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/4196-11-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/4196-10-0x0000000000400000-0x000000000110E000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/4196-8-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-9-0x0000000077D34000-0x0000000077D36000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4196-7-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-1-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4196-4-0x0000000076680000-0x0000000076770000-memory.dmp

    Filesize

    960KB

    Download