Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
25-05-2024 15:05
General
-
Target
Kaspersky_crack.exe
-
Size
3.3MB
-
MD5
8fbbb4a62b7687217f6784b86e3ae0fb
-
SHA1
c06e18e0fbece91d426196378e14f850c8eb8374
-
SHA256
e7075f9a99683b8b4f07d99ecd4f760e5e9d3a49907ca15560759b4c0dc6f5fd
-
SHA512
716580fc9594fe3a4f1f0014af0aee9513a7f502ce613187d99ae2b4614f5709cc5d702341eebd7de0006e3dc25e18c0b3f146d7c845d4681bc62190dc23c33c
-
SSDEEP
49152:Lvkt62XlaSFNWPjljiFa2RoUYIUeRJ6RbR3LoGde2THHB72eh2NT:Lv462XlaSFNWPjljiFXRoUYIUeRJ6zu
Malware Config
Extracted
quasar
1.4.1
Kaspersky
192.168.1.8:4782
e4ff6046-0d9e-4bca-92f0-47dc12c241c9
-
encryption_key
413A5CFEC3EDE828D57DAABC5058E2D2758B4DB3
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Kaspersky
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kaspersky_crack.exe"C:\Users\Admin\AppData\Local\Temp\Kaspersky_crack.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Kaspersky" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Kaspersky" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
3.3MB
MD58fbbb4a62b7687217f6784b86e3ae0fb
SHA1c06e18e0fbece91d426196378e14f850c8eb8374
SHA256e7075f9a99683b8b4f07d99ecd4f760e5e9d3a49907ca15560759b4c0dc6f5fd
SHA512716580fc9594fe3a4f1f0014af0aee9513a7f502ce613187d99ae2b4614f5709cc5d702341eebd7de0006e3dc25e18c0b3f146d7c845d4681bc62190dc23c33c
-
memory/4480-10-0x00007FFD900B0000-0x00007FFD90B71000-memory.dmpFilesize
10.8MB
-
memory/4480-11-0x00007FFD900B0000-0x00007FFD90B71000-memory.dmpFilesize
10.8MB
-
memory/4480-12-0x0000000002A40000-0x0000000002A90000-memory.dmpFilesize
320KB
-
memory/4480-13-0x000000001BD80000-0x000000001BE32000-memory.dmpFilesize
712KB
-
memory/4480-14-0x00007FFD900B0000-0x00007FFD90B71000-memory.dmpFilesize
10.8MB
-
memory/5004-0-0x00007FFD900B3000-0x00007FFD900B5000-memory.dmpFilesize
8KB
-
memory/5004-1-0x00000000002F0000-0x000000000063C000-memory.dmpFilesize
3.3MB
-
memory/5004-2-0x00007FFD900B0000-0x00007FFD90B71000-memory.dmpFilesize
10.8MB
-
memory/5004-9-0x00007FFD900B0000-0x00007FFD90B71000-memory.dmpFilesize
10.8MB