Overview
Score: 10

Static
Score: 10

Sample                  Platform            Score
Release (1).rar         windows7-x64        3
Release (1).rar         windows10-2004-x64  3
Guna.UI2.dll            windows7-x64        1
Guna.UI2.dll            windows10-2004-x64  1
IDTOIPBYR_0.deps.json   windows7-x64        3
IDTOIPBYR_0.deps.json   windows10-2004-x64  3
IDTOIPBYR_0.exe         windows7-x64        10
IDTOIPBYR_0.exe         windows10-2004-x64  10
IDTOIPBYR_0.exe         windows7-x64        10
IDTOIPBYR_0.exe         windows10-2004-x64  10
IDTOIPBYR_0.pdb         windows7-x64        3
IDTOIPBYR_0.pdb         windows10-2004-x64  3
IDTOIPBYR_...g.json     windows7-x64        3
IDTOIPBYR_...g.json     windows10-2004-x64  3
System.Management.dll   windows7-x64        1
System.Management.dll   windows10-2004-x64  1

Analysis
- max time kernel: 364s
- max time network: 364s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 00:05
Behavioral task   Sample                           Resource
behavioral1       Release (1).rar                  win7-20240221-en
behavioral2       Release (1).rar                  win10v2004-20240426-en
behavioral3       Guna.UI2.dll                     win7-20240419-en
behavioral4       Guna.UI2.dll                     win10v2004-20240419-en
behavioral5       IDTOIPBYR_0.deps.json            win7-20240220-en
behavioral6       IDTOIPBYR_0.deps.json            win10v2004-20240426-en
behavioral7       IDTOIPBYR_0.exe                  win7-20240419-en
behavioral8       IDTOIPBYR_0.exe                  win10v2004-20240426-en
behavioral9       IDTOIPBYR_0.exe                  win7-20240221-en
behavioral10      IDTOIPBYR_0.exe                  win10v2004-20240419-en
behavioral11      IDTOIPBYR_0.pdb                  win7-20240220-en
behavioral12      IDTOIPBYR_0.pdb                  win10v2004-20240419-en
behavioral13      IDTOIPBYR_0.runtimeconfig.json   win7-20240221-en
behavioral14      IDTOIPBYR_0.runtimeconfig.json   win10v2004-20240419-en
behavioral15      System.Management.dll            win7-20231129-en
behavioral16      System.Management.dll            win10v2004-20240419-en
General
- Target: IDTOIPBYR_0.exe
- Size: 413KB
- MD5: aabcedbac7ad8b10993f6de878be1ba4
- SHA1: be8ea58edc1e83ebf33fe0e87a29916e9c554426
- SHA256: 4466cd4392c0fa3c49979664630db1b607e129c858fd44507cf5fc6b5b9dd3ba
- SHA512: 5a2bb094997699335a149ca353dc5e98e66482aa9dadc52502068337760bbd65bd648b3935777f4424e9811705657bcd2eb38254d731d892256d578c1f1eaf66
- SSDEEP: 6144:2gmEjkzQT1TVNSeE7E11zVeusnib8YoVHR8z0n7kgpMRqZGe:T1TVVXEo13eusHnVH9pMRWGe
Malware Config
Extracted
- family: quasar
- version: 3.1.5
- botnet: Office04
- C2: 147.185.221.19:33587
- mutex: $Sxr-lG7PreqFKmNhJc0CKS
- encryption_key: 11fnZjAdVB1EIQVhl7wn
- install_name: DLLrunhost.exe
- log_directory: UpdLogs
- reconnect_delay: 3000
- startup_key: WindowsAudioHelper
- subdirectory: Windows
Signatures
- Quasar RAT
  Processes: schtasks.exe
  flow 2  ip-api.com
  flow 4  ip-api.com
  pid 2688  schtasks.exe
- Quasar payload  3 IoCs
  resource                                                                      yara_rule
  behavioral9/memory/2288-0-0x0000000000D10000-0x0000000000D7E000-memory.dmp    family_quasar
  \Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe                           family_quasar
  behavioral9/memory/2540-10-0x0000000000AC0000-0x0000000000B2E000-memory.dmp   family_quasar
- Drops file in Drivers directory  2 IoCs
  Processes: DLLrunhost.exe, IDTOIPBYR_0.exe
  description                   ioc                                     process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   DLLrunhost.exe
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   IDTOIPBYR_0.exe
- Executes dropped EXE  1 IoCs
  pid 2540  DLLrunhost.exe
- Loads dropped DLL  1 IoCs
  pid 2288  IDTOIPBYR_0.exe
- Looks up external IP address via web service  2 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4  ip-api.com
  flow 2  ip-api.com
- Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s)  1 TTPs  4 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2688  schtasks.exe
  pid 2408  SCHTASKS.exe
  pid 2620  schtasks.exe
  pid 1564  SCHTASKS.exe
- Gathers network information  2 TTPs  2 IoCs
  Uses commandline utility to view network configuration.
  pid 2420  ipconfig.exe
  pid 2444  ipconfig.exe
- Runs ping.exe  1 TTPs  1 IoCs
- Suspicious behavior: EnumeratesProcesses  2 IoCs
  pid 2692  powershell.exe
  pid 1616  powershell.exe
- Suspicious use of AdjustPrivilegeToken  4 IoCs
  Token: SeDebugPrivilege  pid 2288  IDTOIPBYR_0.exe
  Token: SeDebugPrivilege  pid 2692  powershell.exe
  Token: SeDebugPrivilege  pid 2540  DLLrunhost.exe
  Token: SeDebugPrivilege  pid 1616  powershell.exe
- Suspicious use of SetWindowsHookEx  1 IoCs
  pid 2540  DLLrunhost.exe
- Suspicious use of WriteProcessMemory  55 IoCs
  Identical "wrote to memory of" entries are collapsed; the last column gives how many times each pair was recorded.
  parent pid  parent process    target pid  target process   entries
  2288        IDTOIPBYR_0.exe   2688        schtasks.exe     4
  2288        IDTOIPBYR_0.exe   2540        DLLrunhost.exe   7
  2288        IDTOIPBYR_0.exe   2692        powershell.exe   4
  2288        IDTOIPBYR_0.exe   2420        ipconfig.exe     4
  2288        IDTOIPBYR_0.exe   2408        SCHTASKS.exe     4
  2540        DLLrunhost.exe    2620        schtasks.exe     4
  2540        DLLrunhost.exe    2852        schtasks.exe     4
  2540        DLLrunhost.exe    2896        cmd.exe          4
  2896        cmd.exe           272         chcp.com         4
  2896        cmd.exe           1520        PING.EXE         4
  2540        DLLrunhost.exe    1616        powershell.exe   4
  2540        DLLrunhost.exe    2444        ipconfig.exe     4
  2540        DLLrunhost.exe    1564        SCHTASKS.exe     4
Processes
(indentation shows the parent/child relationship; the quoted line under each image is its command line)

- C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe
  "C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WindowsAudioHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe" /rl HIGHEST /f
    - Quasar RAT
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe
    "C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "WindowsAudioHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /delete /tn "WindowsAudioHelper" /f

    - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\IjzI7sCl8fnQ.bat" "
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\chcp.com
        chcp 65001

      - C:\Windows\SysWOW64\PING.EXE
        ping -n 10 localhost
        - Runs ping.exe

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /flushdns
      - Gathers network information

    - C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77DLLrunhost.exe" /tr "'C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe'" /sc onlogon /rl HIGHEST
      - Creates scheduled task(s)

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /flushdns
    - Gathers network information

  - C:\Windows\SysWOW64\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77IDTOIPBYR_0.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe'" /sc onlogon /rl HIGHEST
    - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Temp\IjzI7sCl8fnQ.bat
  Filesize: 270B
  MD5: de940645b20fdd1dea1acafd00f60e33
  SHA1: 21146900e934e5d5098e7aa3078b504bd423936c
  SHA256: 515180f3505670007fa1f5042854ee1fd3222a7f84c009a9349f270e01a7ce46
  SHA512: bd0ad3929e78663f976c57dc70837f09f3326fe5926637c8f67be808a492f26bbf1bdab781d6a7ab4a163f57386aec7f03056292cf2dd2f624ea83005f2add7c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7VKXPKJV8EHJGAJRSOB6.temp
  Filesize: 7KB
  MD5: d3c6fc5b5f146dbead5199f6a5f2e7e3
  SHA1: 7e8b79d67e591d1f6ed4d8c9f7b63e8ec21e642c
  SHA256: 1139dd077f08ad6fafcae04e03ab89f96f4e2c95019d9ddc7002c230baaa2fb8
  SHA512: 2348bb7052b986c0008ade3ed1f45b43b9f7e35010f167f9e9b28de20e8a64cd762ef59c004f55813ccc82dacc0566bff4d4a8550a501426cc3cef43c9589a61
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: c25dcd527c2c1b0cc9b747ef6f5f6ada
  SHA1: ba622c5e485b4959bd7bb5d554358dd6c4bdc175
  SHA256: 061fd74a7147a449de0684c71412cac64feee020fd8028022f87f9bfc6a56d10
  SHA512: d4e9fcb8c6bfcb62f4de6ff7d5e22e5b4c89e678958c150f79fd5174139d47555c6e4a2a09183959079facec9d3542c07b60223b3f5abd2817959f60f0400487
- C:\Users\Admin\AppData\Roaming\UpdLogs\04-28-~1
  Filesize: 224B
  MD5: 751240313794c07790c6a4c80965c724
  SHA1: aa47561cf7fb31c3949615801d627caf08b7501c
  SHA256: 7087c87e038ba9f81121e0a91f3e05e6aa108aaee7d947854e03e35a7c29bd28
  SHA512: 4ff31ca299ea08bc96e8614a0db92d5cfff6c7f78ec41c04e912f4c6cadccc23e49a89167b4dad0693c61b4dcdd9cd60d2bdfa490e717836331a3933fed5db8f
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 4KB
  MD5: 7336f9570f191c5259888d4e0c40304c
  SHA1: b5993611376d6636db24e9583c16111bdfa3eb3e
  SHA256: c7bb8931dd150e1251de035823b6c9ddfa84f92b868785717da62163733ff8f4
  SHA512: f7ebc208d01021c4e95a619f22fdae9890cba37fabef4faf9bb5bde9816600e6bfcd7e5203043bb59e86549211ba055ae59b232c04c6376029a501f684195921
- \Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe
  Filesize: 413KB
  MD5: aabcedbac7ad8b10993f6de878be1ba4
  SHA1: be8ea58edc1e83ebf33fe0e87a29916e9c554426
  SHA256: 4466cd4392c0fa3c49979664630db1b607e129c858fd44507cf5fc6b5b9dd3ba
  SHA512: 5a2bb094997699335a149ca353dc5e98e66482aa9dadc52502068337760bbd65bd648b3935777f4424e9811705657bcd2eb38254d731d892256d578c1f1eaf66

Memory dumps
- memory/2288-1-0x0000000074430000-0x0000000074B1E000-memory.dmp   Filesize: 6.9MB
- memory/2288-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp   Filesize: 256KB
- memory/2288-0-0x0000000000D10000-0x0000000000D7E000-memory.dmp   Filesize: 440KB
- memory/2288-13-0x0000000074430000-0x0000000074B1E000-memory.dmp  Filesize: 6.9MB
- memory/2540-10-0x0000000000AC0000-0x0000000000B2E000-memory.dmp  Filesize: 440KB
- memory/2540-18-0x0000000004880000-0x00000000048C0000-memory.dmp  Filesize: 256KB
- memory/2540-17-0x0000000074430000-0x0000000074B1E000-memory.dmp  Filesize: 6.9MB
- memory/2540-11-0x0000000074430000-0x0000000074B1E000-memory.dmp  Filesize: 6.9MB
- memory/2540-35-0x0000000074430000-0x0000000074B1E000-memory.dmp  Filesize: 6.9MB
- memory/2540-12-0x0000000004880000-0x00000000048C0000-memory.dmp  Filesize: 256KB