Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
30-05-2024 12:59
General
-
Target
Beta.exe
-
Size
3.1MB
-
MD5
bb26a2979d9a61725f910422403ed4dd
-
SHA1
b46d4a3a7f7253e1d7268c060702d301ebb36dd6
-
SHA256
fb80d28a129184b6a273bd893aeee80765b6ec3eb617d90c6d32d0738bcbbfef
-
SHA512
dfa1d068282cae728f6adf890065c0dcecbf9215646f50313d995afd209f52c07f3fd8e1e414c8712af1e2b5306ef453a9b6419f1c574dbd445acbc276426200
-
SSDEEP
49152:ivEt62XlaSFNWPjljiFa2RoUYI9ihqKhHvJQMoGd9THHB72eh2NT:ivY62XlaSFNWPjljiFXRoUYImh5
Malware Config
Extracted
quasar
1.4.1
Astro-1
arthurus36.duckdns.org:5555
ad7cd985-5e2e-45a3-9246-b82449c7c4d8
-
encryption_key
6314C8C60AA1035CEB920FD38F0342E398BAF5D0
-
install_name
cmdprmpt.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
systemdex
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Beta.exe"C:\Users\Admin\AppData\Local\Temp\Beta.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmdprmpt.exe"C:\Windows\system32\cmdprmpt.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\System32\cmdprmpt.exeFilesize
3.1MB
MD5bb26a2979d9a61725f910422403ed4dd
SHA1b46d4a3a7f7253e1d7268c060702d301ebb36dd6
SHA256fb80d28a129184b6a273bd893aeee80765b6ec3eb617d90c6d32d0738bcbbfef
SHA512dfa1d068282cae728f6adf890065c0dcecbf9215646f50313d995afd209f52c07f3fd8e1e414c8712af1e2b5306ef453a9b6419f1c574dbd445acbc276426200
-
memory/2308-10-0x00007FFEB5BD0000-0x00007FFEB6691000-memory.dmpFilesize
10.8MB
-
memory/2308-11-0x00007FFEB5BD0000-0x00007FFEB6691000-memory.dmpFilesize
10.8MB
-
memory/2308-12-0x000000001BF20000-0x000000001BF70000-memory.dmpFilesize
320KB
-
memory/2308-13-0x000000001C4A0000-0x000000001C552000-memory.dmpFilesize
712KB
-
memory/2308-14-0x00007FFEB5BD0000-0x00007FFEB6691000-memory.dmpFilesize
10.8MB
-
memory/3260-0-0x00007FFEB5BD3000-0x00007FFEB5BD5000-memory.dmpFilesize
8KB
-
memory/3260-1-0x00000000004C0000-0x00000000007E4000-memory.dmpFilesize
3.1MB
-
memory/3260-2-0x00007FFEB5BD0000-0x00007FFEB6691000-memory.dmpFilesize
10.8MB
-
memory/3260-9-0x00007FFEB5BD0000-0x00007FFEB6691000-memory.dmpFilesize
10.8MB