Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-04-2024 13:50

General

  • Target

    Client.exe

  • Size

    3.1MB

  • MD5

    1109da1db2b4175b38ae1bc7c881db9a

  • SHA1

    02b92b5e6aa54ae040bc5cd5e845287be01c9562

  • SHA256

    0aadcb147077d657fd68e222689a25d93c40144d54922c83b4171a5e801235c5

  • SHA512

    44cc1ee0e92159f4d41b4b1c9ae52a7b208b7888c5864795f1e815725d26677e2c7f4fce6410a8cfa8e07c8ee19c3f07f4110c64f1eca62d2f6bbf4cdda8f952

  • SSDEEP

    49152:rvbI22SsaNYfdPBldt698dBcjHRTaxzBxL9aGdg6STHHB72eh2NT:rvk22SsaNYfdPBldt6+dBcjHRTaxh

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

140.238.91.110:34309

Mutex

d748a36c-8402-4813-815d-0daea2ec5f51

Attributes
  • encryption_key

    312796590553474EC6AA07D7A09E6A1B8FA1043A

  • install_name

    dllhostx64.exe

  • log_directory

    Error Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Boot Menu

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4296
    • C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe
      "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:656
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /delete /tn "Windows Boot Menu" /f
        3⤵
          PID:2840
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UofcyMV9JYEc.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3932
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:1152
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:3220

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\UofcyMV9JYEc.bat

        Filesize

        216B

        MD5

        8f3ec340fecd690814b6525be23f661e

        SHA1

        825c874188b531c34ce9c684dbc72f45c6a8e20f

        SHA256

        e67ed1a9cf1190a40b356307d9da05de7503a6bfa562f29b1f0711a2dd5f784a

        SHA512

        7cb7f175ccd13857d249ea2f566ca07c44cbc29ee6de45952bad96e13081e6b873ec5bb7ecbc3fb68254755af73d12d880a1a5fb1c9d1c1a790fdc825993cb3b

      • C:\Users\Admin\AppData\Roaming\Windows\dllhostx64.exe

        Filesize

        3.1MB

        MD5

        1109da1db2b4175b38ae1bc7c881db9a

        SHA1

        02b92b5e6aa54ae040bc5cd5e845287be01c9562

        SHA256

        0aadcb147077d657fd68e222689a25d93c40144d54922c83b4171a5e801235c5

        SHA512

        44cc1ee0e92159f4d41b4b1c9ae52a7b208b7888c5864795f1e815725d26677e2c7f4fce6410a8cfa8e07c8ee19c3f07f4110c64f1eca62d2f6bbf4cdda8f952

      • memory/4300-10-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

        Filesize

        64KB

      • memory/4300-9-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

        Filesize

        10.8MB

      • memory/4300-11-0x000000001C3C0000-0x000000001C410000-memory.dmp

        Filesize

        320KB

      • memory/4300-12-0x000000001C4D0000-0x000000001C582000-memory.dmp

        Filesize

        712KB

      • memory/4300-13-0x000000001C430000-0x000000001C442000-memory.dmp

        Filesize

        72KB

      • memory/4300-14-0x000000001C490000-0x000000001C4CC000-memory.dmp

        Filesize

        240KB

      • memory/4300-15-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

        Filesize

        10.8MB

      • memory/4300-16-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

        Filesize

        64KB

      • memory/4300-22-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

        Filesize

        10.8MB

      • memory/4388-2-0x000000001BA60000-0x000000001BA70000-memory.dmp

        Filesize

        64KB

      • memory/4388-8-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

        Filesize

        10.8MB

      • memory/4388-0-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

        Filesize

        3.1MB

      • memory/4388-1-0x00007FF8C6C30000-0x00007FF8C76F2000-memory.dmp

        Filesize

        10.8MB