quasar | 6c4367e763852b7afe852905e9d7baba18ac33c1e4eaf8370350824fb3ffce86

General

Target

Synapse X Launcher.exe
Size

3.2MB
MD5

3854a6572a9a5a25bccbd13664713915
SHA1

b7c3ca681c1dcb328113c5966bbd96aed541ae64
SHA256

6c4367e763852b7afe852905e9d7baba18ac33c1e4eaf8370350824fb3ffce86
SHA512

80fb1425c57d7984da87349efdc0c4508296b58548e62ee4743215edd1058818154cb1207b95ec74299c7b61953f19f71c6ab0d325126efd21d8c5749ad69452
SSDEEP

49152:pvblL26AaNeWgPhlmVqvMQ7XSKB/RJ6UbR3LoGdM+THHB72eh2NTgj:pvBL26AaNeWgPhlmVqkQ7XSKB/RJ6e

Score

10^/10

quasar windows update spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

C2

espinyskibidi-29823.portmap.host:29823

Mutex

a94ba996-69af-4720-85e6-f4929c5eb0f8

Attributes

encryption_key
6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Startup
subdirectory
Windows Update

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1812-1-0x0000000000810000-0x0000000000B52000-memory.dmp	family_quasar
C:\Windows\System32\Windows Update\Update.exe	family_quasar
behavioral1/memory/2612-8-0x0000000000D70000-0x00000000010B2000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid process

2612 Update.exe

pid	process
2612	Update.exe

Drops file in System32 directory 5 IoCs

Processes:

Synapse X Launcher.exeUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Windows Update	Synapse X Launcher.exe
File opened for modification	C:\Windows\system32\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\system32\Windows Update	Update.exe
File created	C:\Windows\system32\Windows Update\Update.exe	Synapse X Launcher.exe
File opened for modification	C:\Windows\system32\Windows Update\Update.exe	Synapse X Launcher.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3060 schtasks.exe
2700 schtasks.exe

pid	process
3060	schtasks.exe
2700	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{58580D31-1142-11EF-9988-CEEE273A2359} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Synapse X Launcher.exeUpdate.exe

description pid process

Token: SeDebugPrivilege 1812 Synapse X Launcher.exe
Token: SeDebugPrivilege 2612 Update.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2564 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2564 iexplore.exe
2564 iexplore.exe
2512 IEXPLORE.EXE
2512 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1812	Synapse X Launcher.exe
Token: SeDebugPrivilege	2612	Update.exe

pid	process
2564	iexplore.exe

pid	process
2564	iexplore.exe
2564	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Synapse X Launcher.exeUpdate.exeiexplore.exe

description	pid	process	target process
PID 1812 wrote to memory of 3060	1812	Synapse X Launcher.exe	schtasks.exe
PID 1812 wrote to memory of 3060	1812	Synapse X Launcher.exe	schtasks.exe
PID 1812 wrote to memory of 3060	1812	Synapse X Launcher.exe	schtasks.exe
PID 1812 wrote to memory of 2612	1812	Synapse X Launcher.exe	Update.exe
PID 1812 wrote to memory of 2612	1812	Synapse X Launcher.exe	Update.exe
PID 1812 wrote to memory of 2612	1812	Synapse X Launcher.exe	Update.exe
PID 2612 wrote to memory of 2700	2612	Update.exe	schtasks.exe
PID 2612 wrote to memory of 2700	2612	Update.exe	schtasks.exe
PID 2612 wrote to memory of 2700	2612	Update.exe	schtasks.exe
PID 2564 wrote to memory of 2512	2564	iexplore.exe	IEXPLORE.EXE
PID 2564 wrote to memory of 2512	2564	iexplore.exe	IEXPLORE.EXE
PID 2564 wrote to memory of 2512	2564	iexplore.exe	IEXPLORE.EXE
PID 2564 wrote to memory of 2512	2564	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Synapse X Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse X Launcher.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Update Startup" /sc ONLOGON /tr "C:\Windows\system32\Windows Update\Update.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\Windows Update\Update.exe
"C:\Windows\system32\Windows Update\Update.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Update Startup" /sc ONLOGON /tr "C:\Windows\system32\Windows Update\Update.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Windows Update\Update.exe

Filesize
3.2MB

MD5
3854a6572a9a5a25bccbd13664713915

SHA1
b7c3ca681c1dcb328113c5966bbd96aed541ae64

SHA256
6c4367e763852b7afe852905e9d7baba18ac33c1e4eaf8370350824fb3ffce86

SHA512
80fb1425c57d7984da87349efdc0c4508296b58548e62ee4743215edd1058818154cb1207b95ec74299c7b61953f19f71c6ab0d325126efd21d8c5749ad69452

Download Submit
memory/1812-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

Filesize
4KB

Download
memory/1812-1-0x0000000000810000-0x0000000000B52000-memory.dmp

Filesize
3.3MB

Download
memory/1812-2-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-11-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-8-0x0000000000D70000-0x00000000010B2000-memory.dmp

Filesize
3.3MB

Download
memory/2612-10-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-9-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-12-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-13-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads