Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-05-2024 17:01
General
-
Target
VirusMaker.exe
-
Size
3.1MB
-
MD5
baa8a99d97d03602397dbfafe2d59a66
-
SHA1
15d7de25b0c256f3f490512191c3150054c29793
-
SHA256
0580735fb9ce4e11f6e20041dbf837e43c10012391277339cac60ad7bec4db9a
-
SHA512
900c7b316ded642a3e41f11d07d486cafc23770782ba9beedf42a69a89591913a2dccff4e95e0f43cfb949e59d63d598475be9f15413756e5371bfac831be89e
-
SSDEEP
49152:6vkt62XlaSFNWPjljiFa2RoUYI17xNESEQk/iVLoGdeEPETHHB72eh2NT:6v462XlaSFNWPjljiFXRoUYI1xbtt
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.12:4782
46113e25-df6e-4a96-919f-3f0b0ebb89e3
-
encryption_key
19B2878E7111F70CAD1E17A936917EF8A8ABB80A
-
install_name
VirusMaker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft Edge
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusMaker.exe"C:\Users\Admin\AppData\Local\Temp\VirusMaker.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Microsoft Edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\VirusMaker.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\VirusMaker.exe"C:\Users\Admin\AppData\Roaming\SubDir\VirusMaker.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Microsoft Edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\VirusMaker.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc8ccab58,0x7ffdc8ccab68,0x7ffdc8ccab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1972,i,6139749737466989861,15401008897623380962,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD546312296803f466721d7be24b9f5d62e
SHA1a4716f7563eb50c6f0b86a840fbd72e46ca7fd06
SHA2560b4b053c0ecca8f4cee93a4f22eacc4d56ab11e55f8833a53e8176389e760442
SHA5129756d211c3d920b17500add1f0da44501c36d40d687b5deddfaee1114b6aaf1ffb8bc5fca6cca4015d15b2cedde87c46427ced3033e50ffd42ee748a209617b6
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD56de6e4247f117371995343a7b4873b9e
SHA109bc941fa9b8035ef3f8b8563c0369b54156a7b8
SHA256b2f85307905b0e03c3dc9ac9210bdc5520a04953af8a34a153e47a74955fa89d
SHA5124508192b7bbed32091e50139e0b1d670dcaa6993617d3db1088f57a23a644bda93d58682128b63ccf635ee8a7c436860651f64d23a347e775d0145ea21ea2940
-
Filesize
6KB
MD542157854bcc84d9d725bf8de20ce05d5
SHA1f57d24b23ab98024512bc9a46cdb599329c21fc5
SHA2564dc1ce4fec14f18f62b640c52e3fa0a9cb615562ea4ba6fc29589c46e7fea55c
SHA5126db95c240759f7d97c5bf43d6043d7708b41f197d06096b56264011164b896648becc096840b48a7376dbca463d9858bdd685fd25e33b9923a395574212d7528
-
Filesize
16KB
MD568f097e4b78e69e8862451bbb8fe6d1c
SHA109b2c073e89315db1c76a27bacd802b9d6f642f9
SHA256f93af46ddd040f15074a1746a81ce26754e1022911211f00b84c7fdfdde85df5
SHA5121a03a09bcb307fcd5c7012a88e5843881e5bf59a303c93179fdf522873cdc5e0ea84da116c21590dd303791169b7715877167a5aeee7a29783bc72bf5331f184
-
Filesize
281KB
MD586c060cce02e264a197db2b3825274a4
SHA173647cfb6d98b41c14af6f661dcac5adafde4401
SHA2565d3fc5afdad52978a25d0300d80a80e50df4139050155960cb7e44c804e2e0df
SHA512b1ea5e01ac91f4b69629c38a1e6511ddd8289e3b2eb3652954392a38e8b80fef0381bd692fcae03b1be15d3e58de05583939e010cac7a8a77c1abb506874ad2b
-
Filesize
257KB
MD596370d7dd26b9db01053e1efaa6be495
SHA1871653d713a22cbce7156e6e1882e5268dc29ab8
SHA2562a9171a1e54a45770c881b31885c9ee8bad0b930feca325177e371c20faf530c
SHA5124ba1199a744ca091c6ad5fdc83cf37b7a363059e8277e9df2595ee12d18d1bc580606e153fc8d6becf9d8ac2486c931d222b86db7253e8808c8d06b6ed9e07ce
-
Filesize
261KB
MD54913a5c6da96d5dc71db509b8219734d
SHA1a4a983be8a6d92c71af9c311986afcff286ba826
SHA256b92a69e2db02a2702dcb6cbf6c3ee768caa486b7ce8322ee46e52f66ecef93cb
SHA512ffcb316e63bb8e3245d4fda9404b7e67f0e587736d166dea52b2e2ff63eea7b4789ad13b80dd8a634cdef241790011a8585de97fd1f2c373b063d2933709e7f7
-
Filesize
261KB
MD5f0ae6e042f3b03246e51503674c324b0
SHA16f9acd0df69177c68431e34c0b22f05b1902c9ff
SHA2568cbbc9c6b15369567663bc8ae61b624007394e847e04f11cd925ca78ff23902f
SHA512f2524915fab2c0abe52dc6f64da32e0737d4242aaa8b2d8d8c774ab7fc1eec5fa37522c91f1530107e49275c6a9d7293e49bb54fce91cdb8dd4ec91eeabec046
-
Filesize
92KB
MD500605736cd96c0357f3e850948a66939
SHA180a96ba0acfcdbb96df9538d35c3351b6f7743c4
SHA2560d90d55b2de9ecc4ecb6bf8b59b7b5f15c569cfb2b34ff71aae6d76a2876e536
SHA512e1cb95af83f5df528fdd07d0d52b790eee8a447bb29ca071b6c971c13ad6cf9ddb1fb394586aba71ab6d82a1785729ace268272edad1fb96f31a058024a87011
-
Filesize
89KB
MD51c89c9ae0caa410ee8a51a74c299e721
SHA1c2dff7ac5372e228764d246d72909fab82e95286
SHA256e996278471c6d9160ffd694ef072059f951a76ce11e11d2d0df0f94fab27acbc
SHA512f2ad9212a7bc7f613faceec8e391d61c9993487f67e0a9df5e2b3ccd59fb9ebc7c86cf1c081e856bf551df2af199aaf57ef8b322fd7ded9f62eb48d0c99a0d9e
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
3.1MB
MD5baa8a99d97d03602397dbfafe2d59a66
SHA115d7de25b0c256f3f490512191c3150054c29793
SHA2560580735fb9ce4e11f6e20041dbf837e43c10012391277339cac60ad7bec4db9a
SHA512900c7b316ded642a3e41f11d07d486cafc23770782ba9beedf42a69a89591913a2dccff4e95e0f43cfb949e59d63d598475be9f15413756e5371bfac831be89e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
5.2MB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB