Analysis

  • max time kernel
    130s
  • max time network
    138s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20-04-2024 07:39

General

  • Target

    experimentingnew.exe

  • Size

    3.1MB

  • MD5

    399bbb3dc58bcc8cc2fe9aef9a3ebac5

  • SHA1

    37be03a9765a8b321c0ddf2ff00acdb106502b7b

  • SHA256

    821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98

  • SHA512

    98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f

  • SSDEEP

    49152:LvXlL26AaNeWgPhlmVqvMQ7XSKkZxNESEYk/iMLoGdHCTHHB72eh2NT:LvVL26AaNeWgPhlmVqkQ7XSKex/S3

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.eu.ngrok.io:15209

Mutex

2c47ae55-417f-4523-8ffe-361bacffde6b

Attributes
  • encryption_key

    5921775375700E0556963615862881AFA90D9F9F

  • install_name

    Microsoft Windows Search Indexer.exe

  • log_directory

    Discord

  • reconnect_delay

    3000

  • startup_key

    Runtime Broker

  • subdirectory

    svchost

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 55 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\experimentingnew.exe
    "C:\Users\Admin\AppData\Local\Temp\experimentingnew.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4640
    • C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe
      "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4468
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViF7BHIzsl6O.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:3792
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          4⤵
          • Runs ping.exe
          PID:4880
        • C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe
          "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe"
          4⤵
          • Drops file in Drivers directory
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:2300
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /delete /tn "Runtime Broker" /f
        3⤵
        PID:4124
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1476
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ViF7BHIzsl6O.bat

    Filesize

    466B

    MD5

    9cacb3eda6512b3317c2266f3cb6bb68

    SHA1

    45a29ce93dc697b97f667b4e38721a59b3c2ad15

    SHA256

    86e4c8382264bdb53077a3125525b689f35a850ed0f300a90cc3174e1f6c95b6

    SHA512

    d8f898455cf1d16e846a8b6948bb85e764b64d4bb64dff8a12dde95344d4b072407639bc3a1ff3087e110570a5db24a9bdfdb9eb8d6cb32041c74b82006d182e

  • C:\Users\Admin\AppData\Local\Temp\m4teqhoJwoAJ.exe

    Filesize

    2.5MB

    MD5

    1e885823577394ea61ea89438ffe2954

    SHA1

    e53e96f7374790bdad8a614949b398b055c3a27b

    SHA256

    7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c

    SHA512

    73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627

  • C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe

    Filesize

    3.1MB

    MD5

    399bbb3dc58bcc8cc2fe9aef9a3ebac5

    SHA1

    37be03a9765a8b321c0ddf2ff00acdb106502b7b

    SHA256

    821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98

    SHA512

    98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f

  • memory/1060-18-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

    Filesize

    64KB

  • memory/1060-8-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp

    Filesize

    9.9MB

  • memory/1060-10-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

    Filesize

    64KB

  • memory/1060-11-0x000000001C060000-0x000000001C0B0000-memory.dmp

    Filesize

    320KB

  • memory/1060-12-0x000000001C170000-0x000000001C222000-memory.dmp

    Filesize

    712KB

  • memory/1060-15-0x000000001C0E0000-0x000000001C0F2000-memory.dmp

    Filesize

    72KB

  • memory/1060-16-0x000000001CC60000-0x000000001CC9E000-memory.dmp

    Filesize

    248KB

  • memory/1060-17-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp

    Filesize

    9.9MB

  • memory/1060-31-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp

    Filesize

    9.9MB

  • memory/2900-9-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp

    Filesize

    9.9MB

  • memory/2900-0-0x0000000000A00000-0x0000000000D24000-memory.dmp

    Filesize

    3.1MB

  • memory/2900-2-0x000000001BA00000-0x000000001BA10000-memory.dmp

    Filesize

    64KB

  • memory/2900-1-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp

    Filesize

    9.9MB