quasar | 2760a9f7cf2f6173b214a2309e2875a4ee1b6d301e2781ed1033dfbdc367e059

Reason

Machine shutdown

General

Target

IncognitoExecutorPro.exe
Size

10.1MB
MD5

31bf96839daa9a6040bc08cdb08a14fb
SHA1

61b1b04ad917615bba369b269792df863c12658e
SHA256

2760a9f7cf2f6173b214a2309e2875a4ee1b6d301e2781ed1033dfbdc367e059
SHA512

f369cdf20cb44b0824f9a9ad2ade55c2eb068074af6470700d526a24f7b738062de67e7f05ee40a0641c5f193769502d59dd5167a4cf0e8f9c6f01ebeeddf56a
SSDEEP

196608:y6wZYKg9Sw7sghUuE1R1R9iVTdRUo/Rf7KG0ZLK+4eCA6Pt7R:5kwDh10RsFzUURTclC5t7

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.eu.ngrok.io:14456

Mutex

2aabc0d2-2673-4473-9d8e-30b4863e718a

Attributes

encryption_key
91137B461EAD4C8D03DB7ED595191162855E87F2
install_name
DRIVER32.exe
log_directory
Logs
reconnect_delay
1000
startup_key
DRIVER32
subdirectory
SYSWOW

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE	family_quasar
behavioral1/memory/2848-40-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/memory/1032-52-0x0000000000D60000-0x0000000001084000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

Processes:

INCOGNITOEXEC.EXESIGMAHACKS0.2.EXEtest.exeDRIVER32.exe

pid process

2848 INCOGNITOEXEC.EXE
3012 SIGMAHACKS0.2.EXE
2496 test.exe
1032 DRIVER32.exe
Loads dropped DLL 5 IoCs

Processes:

IncognitoExecutorPro.exeSIGMAHACKS0.2.EXEtest.exe

pid process

3064 IncognitoExecutorPro.exe
3064 IncognitoExecutorPro.exe
2488
3012 SIGMAHACKS0.2.EXE
2496 test.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 0.tcp.eu.ngrok.io
41 0.tcp.eu.ngrok.io

pid	process
2848	INCOGNITOEXEC.EXE
3012	SIGMAHACKS0.2.EXE
2496	test.exe
1032	DRIVER32.exe

pid	process
3064	IncognitoExecutorPro.exe
3064	IncognitoExecutorPro.exe
2488
3012	SIGMAHACKS0.2.EXE
2496	test.exe

flow	ioc
2	0.tcp.eu.ngrok.io
41	0.tcp.eu.ngrok.io

Drops file in System32 directory 2 IoCs

Processes:

INCOGNITOEXEC.EXE

description	ioc	process
File created	C:\Windows\system32\SYSWOW\DRIVER32.exe	INCOGNITOEXEC.EXE
File opened for modification	C:\Windows\system32\SYSWOW\DRIVER32.exe	INCOGNITOEXEC.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2188 schtasks.exe
324 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INCOGNITOEXEC.EXEDRIVER32.exe

description pid process

Token: SeDebugPrivilege 2848 INCOGNITOEXEC.EXE
Token: SeDebugPrivilege 1032 DRIVER32.exe

pid	process
2188	schtasks.exe
324	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2848	INCOGNITOEXEC.EXE
Token: SeDebugPrivilege	1032	DRIVER32.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

IncognitoExecutorPro.exeSIGMAHACKS0.2.EXEINCOGNITOEXEC.EXEDRIVER32.exe

description	pid	process	target process
PID 3064 wrote to memory of 2848	3064	IncognitoExecutorPro.exe	INCOGNITOEXEC.EXE
PID 3064 wrote to memory of 2848	3064	IncognitoExecutorPro.exe	INCOGNITOEXEC.EXE
PID 3064 wrote to memory of 2848	3064	IncognitoExecutorPro.exe	INCOGNITOEXEC.EXE
PID 3064 wrote to memory of 2848	3064	IncognitoExecutorPro.exe	INCOGNITOEXEC.EXE
PID 3064 wrote to memory of 3012	3064	IncognitoExecutorPro.exe	SIGMAHACKS0.2.EXE
PID 3064 wrote to memory of 3012	3064	IncognitoExecutorPro.exe	SIGMAHACKS0.2.EXE
PID 3064 wrote to memory of 3012	3064	IncognitoExecutorPro.exe	SIGMAHACKS0.2.EXE
PID 3064 wrote to memory of 3012	3064	IncognitoExecutorPro.exe	SIGMAHACKS0.2.EXE
PID 3012 wrote to memory of 2496	3012	SIGMAHACKS0.2.EXE	test.exe
PID 3012 wrote to memory of 2496	3012	SIGMAHACKS0.2.EXE	test.exe
PID 3012 wrote to memory of 2496	3012	SIGMAHACKS0.2.EXE	test.exe
PID 2848 wrote to memory of 2188	2848	INCOGNITOEXEC.EXE	schtasks.exe
PID 2848 wrote to memory of 2188	2848	INCOGNITOEXEC.EXE	schtasks.exe
PID 2848 wrote to memory of 2188	2848	INCOGNITOEXEC.EXE	schtasks.exe
PID 2848 wrote to memory of 1032	2848	INCOGNITOEXEC.EXE	DRIVER32.exe
PID 2848 wrote to memory of 1032	2848	INCOGNITOEXEC.EXE	DRIVER32.exe
PID 2848 wrote to memory of 1032	2848	INCOGNITOEXEC.EXE	DRIVER32.exe
PID 1032 wrote to memory of 324	1032	DRIVER32.exe	schtasks.exe
PID 1032 wrote to memory of 324	1032	DRIVER32.exe	schtasks.exe
PID 1032 wrote to memory of 324	1032	DRIVER32.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\IncognitoExecutorPro.exe
"C:\Users\Admin\AppData\Local\Temp\IncognitoExecutorPro.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE
"C:\Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\SYSWOW\DRIVER32.exe
"C:\Windows\system32\SYSWOW\DRIVER32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:324

C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE
"C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\onefile_3012_133619033529946000\test.exe
"C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1668

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE
Filesize
6.9MB

MD5
10bbd38c21ebf84fea97c3812d57d9c6

SHA1
293cec0d7f44151ffbf88dfe408265825f8bca9b

SHA256
83c4e5947870b7b9f06044624b420ddc9fbae6898a5c9b4420c3dbeaca508bb9

SHA512
a00ec8ed84b806c4aca8564354a6687da64b999d255df7fea4c38e6026c8a4cee665414e96d5e28904d051f4c1a6956193a96c12e52286d6d7f58f39bae8ac31

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3012_133619033529946000\python311.dll
Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
\Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE
Filesize
3.1MB

MD5
8a1bea902cd41d9d01b105daea8bc646

SHA1
034680adb1168f398801b02e919dc8a5a5dc39a0

SHA256
89ecbadbbeadf5e68d13e5ba7ab917d4829e684333e096cbb0d3550a08688418

SHA512
e8c5fbb6caedc2cfb34a53b10509722d1b04da592993a630c878a61d0bbee7c8afe779caa6d2307eac117110d38277da6ffa7f9353b08c4fb6b81e03c62587fb

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_3012_133619033529946000\test.exe
Filesize
9.6MB

MD5
5244aa93f4209963f6c63e1ef9dde0b9

SHA1
642219eec726127fe7fbe9ceb5e223dcf46fbe46

SHA256
aeca166d5d3da9e76957686ca8753e95b930d8508f825f3cc6b4bac28da6e142

SHA512
e510165f98b070ad3c202734833230779fd95585d28b0a9873afbb5022f488c85e935b7f366a92b89449b42106f4ed76997cac16994386560bd45021d368e28c

Download Submit
memory/1032-52-0x0000000000D60000-0x0000000001084000-memory.dmp

Filesize
3.1MB

Download
memory/2848-40-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads