Analysis

  • max time kernel
    15s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-04-2024 11:09

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    2c1fba8d6624adf6c582fb2d5fb43b28

  • SHA1

    bd45ee984e9476d604824f83c6cf6111a9db2467

  • SHA256

    a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840

  • SHA512

    cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19

  • SSDEEP

    49152:nvVG42pda6D+/PjlLOlg6yQipV6iRJ67bR3LoGdTqTHHB72eh2NT:nvM42pda6D+/PjlLOlZyQipV6iRJ6ND

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

funlink.ddns.net:4444

quasarhost1.ddns.net:4444

Mutex

c363b2f8-fc6a-4abd-a753-cff1aad2a173

Attributes
  • encryption_key

    CE5FBAC1A56C8C780C74FE8E7CD5CBCF8ABD6C8D

  • install_name

    updale.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows av startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload (3 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Drops file in System32 directory (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SendNotifyMessage (1 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1532
    • C:\Windows\system32\SubDir\updale.exe
      "C:\Windows\system32\SubDir\updale.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2612
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmknLoE48RGB.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2696
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          4⤵
          • Runs ping.exe
          PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\pmknLoE48RGB.bat

      Filesize

      196B

      MD5

      9cce0dca1ef1148360b651f825223599

      SHA1

      014b0417c7daa19d4389080d54fe174340a12784

      SHA256

      0a6ad1828f76c970269eef4db6b9d818986290c8bf8e1a551ea4f0f80bb2b725

      SHA512

      079b6727d575cb411489b15de50fbf551aa948794b517e4d8d6aff95ae57dd54bfefb065ad7a6bfa27a64b7c5fd53531bb57a5a0648afd10d014017f7f387b0d

    • C:\Windows\System32\SubDir\updale.exe

      Filesize

      3.1MB

      MD5

      2c1fba8d6624adf6c582fb2d5fb43b28

      SHA1

      bd45ee984e9476d604824f83c6cf6111a9db2467

      SHA256

      a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840

      SHA512

      cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19

    • memory/2240-0-0x0000000000EA0000-0x00000000011C4000-memory.dmp

      Filesize

      3.1MB

    • memory/2240-1-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2240-2-0x000000001AD40000-0x000000001ADC0000-memory.dmp

      Filesize

      512KB

    • memory/2240-8-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2540-10-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2540-9-0x0000000000E00000-0x0000000001124000-memory.dmp

      Filesize

      3.1MB

    • memory/2540-20-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

      Filesize

      9.9MB