Analysis
-
max time kernel
1793s -
max time network
1798s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
20-05-2024 16:59
General
-
Target
ClientC.exe
-
Size
3.1MB
-
MD5
60283841a32e701810a4f2d92bd992ab
-
SHA1
e87d9569a7d037279814a12be25665208071ab91
-
SHA256
2ed6f46f965ff50c50cc8414b091745f36d4301e35a7a975bf9f2625b24f8326
-
SHA512
4e0ba404eaa0d823d7044f76ae0bbccb78c5d607843b33859a1c5a47f852ff040c86acc02e335f7235d4848f92e2c20f329ea5c898bd7960cc356225f06c4d97
-
SSDEEP
49152:yvkt62XlaSFNWPjljiFa2RoUYIPqRJ6vbR3LoGd/qtTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIPqRJ6BP
Malware Config
Extracted
quasar
1.4.1
Office04
156.57.236.38:1162
eeb96fcd-c654-4ba2-9a84-d3d5cfa5eee3
-
encryption_key
7A857EF3A3EB39AF399F1F3800FB9F842DC83C9E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
1
-
startup_key
InsertDelete
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ClientC.exe"C:\Users\Admin\AppData\Local\Temp\ClientC.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "InsertDelete" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "InsertDelete" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
3.1MB
MD560283841a32e701810a4f2d92bd992ab
SHA1e87d9569a7d037279814a12be25665208071ab91
SHA2562ed6f46f965ff50c50cc8414b091745f36d4301e35a7a975bf9f2625b24f8326
SHA5124e0ba404eaa0d823d7044f76ae0bbccb78c5d607843b33859a1c5a47f852ff040c86acc02e335f7235d4848f92e2c20f329ea5c898bd7960cc356225f06c4d97
-
memory/756-10-0x00007FF95E370000-0x00007FF95EE31000-memory.dmpFilesize
10.8MB
-
memory/756-11-0x00007FF95E370000-0x00007FF95EE31000-memory.dmpFilesize
10.8MB
-
memory/756-12-0x000000001BC50000-0x000000001BCA0000-memory.dmpFilesize
320KB
-
memory/756-13-0x000000001BD60000-0x000000001BE12000-memory.dmpFilesize
712KB
-
memory/756-14-0x00007FF95E370000-0x00007FF95EE31000-memory.dmpFilesize
10.8MB
-
memory/4168-0-0x00007FF95E373000-0x00007FF95E375000-memory.dmpFilesize
8KB
-
memory/4168-1-0x0000000000580000-0x00000000008A4000-memory.dmpFilesize
3.1MB
-
memory/4168-2-0x00007FF95E370000-0x00007FF95EE31000-memory.dmpFilesize
10.8MB
-
memory/4168-9-0x00007FF95E370000-0x00007FF95EE31000-memory.dmpFilesize
10.8MB