Analysis Overview
SHA256
821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98
Threat Level: Known bad
The file experimentingnew.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Drops file in Drivers directory
Checks BIOS information in registry
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Checks SCSI registry key(s)
Runs ping.exe
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-20 07:39
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-20 07:39
Reported
2024-04-20 07:41
Platform
win10-20240404-en
Max time kernel
130s
Max time network
138s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\drivers\mbamtestfile.dat | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\mbamtestfile.dat | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\experimentingnew.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\experimentingnew.exe | "C:\Users\Admin\AppData\Local\Temp\experimentingnew.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" /rl HIGHEST /f |
| C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" /rl HIGHEST /f |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViF7BHIzsl6O.bat" " |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /delete /tn "Runtime Broker" /f |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:15209 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 75.249.158.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telemetry.malwarebytes.com | udp |
| US | 35.165.166.159:443 | telemetry.malwarebytes.com | tcp |
| US | 8.8.8.8:53 | 159.166.165.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
memory/2900-0-0x0000000000A00000-0x0000000000D24000-memory.dmp
memory/2900-1-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/2900-2-0x000000001BA00000-0x000000001BA10000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe
| Hash | Value |
|---|---|
| MD5 | 399bbb3dc58bcc8cc2fe9aef9a3ebac5 |
| SHA1 | 37be03a9765a8b321c0ddf2ff00acdb106502b7b |
| SHA256 | 821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98 |
| SHA512 | 98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f |
memory/2900-9-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/1060-8-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/1060-10-0x0000000002DB0000-0x0000000002DC0000-memory.dmp
memory/1060-11-0x000000001C060000-0x000000001C0B0000-memory.dmp
memory/1060-12-0x000000001C170000-0x000000001C222000-memory.dmp
memory/1060-15-0x000000001C0E0000-0x000000001C0F2000-memory.dmp
memory/1060-16-0x000000001CC60000-0x000000001CC9E000-memory.dmp
memory/1060-17-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
memory/1060-18-0x0000000002DB0000-0x0000000002DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ViF7BHIzsl6O.bat
| Hash | Value |
|---|---|
| MD5 | 9cacb3eda6512b3317c2266f3cb6bb68 |
| SHA1 | 45a29ce93dc697b97f667b4e38721a59b3c2ad15 |
| SHA256 | 86e4c8382264bdb53077a3125525b689f35a850ed0f300a90cc3174e1f6c95b6 |
| SHA512 | d8f898455cf1d16e846a8b6948bb85e764b64d4bb64dff8a12dde95344d4b072407639bc3a1ff3087e110570a5db24a9bdfdb9eb8d6cb32041c74b82006d182e |
memory/1060-31-0x00007FF8E5210000-0x00007FF8E5BFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\m4teqhoJwoAJ.exe
| Hash | Value |
|---|---|
| MD5 | 1e885823577394ea61ea89438ffe2954 |
| SHA1 | e53e96f7374790bdad8a614949b398b055c3a27b |
| SHA256 | 7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c |
| SHA512 | 73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627 |