Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12-04-2024 15:22

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    383aa601a1a3e6722935b017a215f4b8

  • SHA1

    3855b5d5ba3ba2f161bd6d60caac5415e93bd482

  • SHA256

    6d03d6c26940eb9f2f6eaaa1d0a49d3f24a2941ec85bc7f12d3fb72162d780c8

  • SHA512

    ceff9701a5cbc5bc6d61d5ebf0764b54aa056bdb311789f4dec7065a0910050932024498d0ee3a0a7f6b3cce2e5b77ff89d132120a4581536aa33822684f10eb

  • SSDEEP

    49152:3vnI22SsaNYfdPBldt698dBcjHuPdKbRznLoGdYXzTHHB72eh2NT:3vI22SsaNYfdPBldt6+dBcjHuPd+LoX

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    Office04
  • C2
    us1.localto.net:38905
  • Mutex
    abf2fea6-bc08-449e-9ce0-142ecb0a54c5

Attributes

  • encryption_key
    93B883D530A44E5A4457CCB3F463B613FCE53505
  • install_name
    Google.exe.exe
  • log_directory
    Log
  • reconnect_delay
    3000
  • startup_key
    AntimaIware Core Service
  • subdirectory
    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2880
    • C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2780
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /delete /tn "AntimaIware Core Service" /f
        3⤵
        PID:832
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0cVCuv9jI9s7.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4588
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          4⤵
          • Runs ping.exe
          PID:4544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0cVCuv9jI9s7.bat
    Filesize
    215B
    MD5
    63d1fe662d6bfa45eb2a9a93d4d35b8b
    SHA1
    6693da4443f98ee47530b58c5e3a130beedf1971
    SHA256
    231316589487353199f0a88a4387aede7cd578921916c8f8d9627490140334bd
    SHA512
    e917ed85c3e789258a4bc140174e89045d9c056cf31b9b1cc0cb499f96bbdf4db008757a7c560a7a26695dfa5df423655fcb6aba32274aa2a64426a3845e36df

  • C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe
    Filesize
    3.1MB
    MD5
    383aa601a1a3e6722935b017a215f4b8
    SHA1
    3855b5d5ba3ba2f161bd6d60caac5415e93bd482
    SHA256
    6d03d6c26940eb9f2f6eaaa1d0a49d3f24a2941ec85bc7f12d3fb72162d780c8
    SHA512
    ceff9701a5cbc5bc6d61d5ebf0764b54aa056bdb311789f4dec7065a0910050932024498d0ee3a0a7f6b3cce2e5b77ff89d132120a4581536aa33822684f10eb

  • memory/2764-10-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp
    Filesize
    9.9MB

  • memory/2764-11-0x000000001C240000-0x000000001C290000-memory.dmp
    Filesize
    320KB

  • memory/2764-12-0x000000001C350000-0x000000001C402000-memory.dmp
    Filesize
    712KB

  • memory/2764-15-0x000000001C2C0000-0x000000001C2D2000-memory.dmp
    Filesize
    72KB

  • memory/2764-16-0x000000001CE40000-0x000000001CE7E000-memory.dmp
    Filesize
    248KB

  • memory/2764-21-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp
    Filesize
    9.9MB

  • memory/3120-0-0x0000000000BD0000-0x0000000000EF4000-memory.dmp
    Filesize
    3.1MB

  • memory/3120-1-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp
    Filesize
    9.9MB

  • memory/3120-2-0x000000001BBB0000-0x000000001BBC0000-memory.dmp
    Filesize
    64KB

  • memory/3120-9-0x00007FFBB4130000-0x00007FFBB4B1C000-memory.dmp
    Filesize
    9.9MB