Overview

overview

10

Static

static

5

3c3709b103...ff.exe

windows7-x64

10

3c3709b103...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2024 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff.exe

  • Size

    69.1MB

  • MD5

    9c0e635401b0bc6bb9f32bf61c831309

  • SHA1

    1ba8408785b86eea68702003b200822f2b8768ad

  • SHA256

    3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff

  • SHA512

    d8adf0313061d1f9a32bc00fbdc9f414cc117e2017101bdcba7da34a3b124d759fbc029d62eb62aa89a135b964e33610e62d3b7a90200126578f7e2687b4b870

  • SSDEEP

    1572864:YVo7Cqx85SMJ/A/8Ww5XF6aC0TIOR6+m8YKF60K7H:6o21/AUB5XF8WIOR6+PO0KL

Score
10/10
quasarispring suitediscoveryexecutionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

iSpring Suite

C2

dragons.4cloud.click:1982

Mutex

rAok3Bn91dJeJbDXOl

Attributes
  • encryption_key

    1KJfoF8pVLBGtN9uzB0i

  • install_name

    Client.exe

  • log_directory

    4K

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff.exe
    "C:\Users\Admin\AppData\Local\Temp\3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Users\Admin\AppData\Local\Temp\SystemMechanic_Ultimate_Defense.exe
      C:\Users\Admin\AppData\Local\Temp/SystemMechanic_Ultimate_Defense.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Users\Admin\AppData\Local\Temp\Afhandlinger.exe
      C:\Users\Admin\AppData\Local\Temp/Afhandlinger.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -windowstyle hidden "$defeatists=Get-Content 'C:\Users\Admin\AppData\Local\Temp\gesjftigeres\tholeite\fingerable\Strategier\Gabrielle.Sel0';$Preregulating=$defeatists.SubString(37841,3);.$Preregulating($defeatists)"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1328
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          4⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tetchy" /t REG_EXPAND_SZ /d "%Aortographies% -windowstyle minimized $Wrestling=(Get-ItemProperty -Path 'HKCU:\Beskyldning\').Strandboernes;%Aortographies% -windowstyle minimized ($Wrestling)"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1356
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tetchy" /t REG_EXPAND_SZ /d "%Aortographies% -windowstyle minimized $Wrestling=(Get-ItemProperty -Path 'HKCU:\Beskyldning\').Strandboernes;%Aortographies% -windowstyle minimized ($Wrestling)"
              6⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:4460
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Add-MpPreference -ExclusionPath C:/
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    d4d8cef58818612769a698c291ca3b37

    SHA1

    54e0a6e0c08723157829cea009ec4fe30bea5c50

    SHA256

    98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

    SHA512

    f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvzprpxq.nxj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gesjftigeres\tholeite\fingerable\Shorewards.Bor171
    Filesize

    343KB

    MD5

    5d9a588764e76e9016d729e2977da1b4

    SHA1

    7e618075aef8d20eb490e9099eafea8d632ed323

    SHA256

    a2509c90e5da3aa0acec6a8f042721d6f80e6b701942e81842294bfe8aa6ffe5

    SHA512

    a04ab8734522771a5320c1f1ab77a3b43bed3bc6314a9af85ed4472ebd1c2acc1b3d67b287d0d9e27df6f1637441c5685f6cb8ff97bbcdd0b5329949f292deb0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gesjftigeres\tholeite\fingerable\Strategier\Gabrielle.Sel0
    Filesize

    37KB

    MD5

    573e47b1009cd190121e5cc88563d41c

    SHA1

    152eb9ab8dea6caccd4287f9b525617cc14cb1e9

    SHA256

    f018ab2a229bef73da87351a8448c98dd4749794f6ac0f974672c47e6c5f3dc5

    SHA512

    f5976dd33b138c5a328efb5e841bec483c46283cf56165b5e6bcd7610c5c10b658fd0287ee3d8f6d6e3f6176a053fd21604ed4039f7bb7bc218a899ec6a80f46

    Download Submit
  • memory/1328-106-0x0000000006120000-0x0000000006474000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1328-107-0x0000000006750000-0x000000000676E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1328-95-0x0000000006040000-0x00000000060A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1328-96-0x00000000060B0000-0x0000000006116000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1328-117-0x0000000009000000-0x000000000A46A000-memory.dmp
    Filesize

    20.4MB

    Download
  • memory/1328-94-0x0000000005770000-0x0000000005792000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1328-114-0x0000000008980000-0x0000000008FFA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1328-93-0x00000000057E0000-0x0000000005E08000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1328-112-0x0000000007D50000-0x00000000082F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1328-111-0x0000000006CB0000-0x0000000006CD2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1328-110-0x0000000006C60000-0x0000000006C7A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1328-109-0x0000000007700000-0x0000000007796000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1328-108-0x00000000067E0000-0x000000000682C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1328-92-0x0000000003150000-0x0000000003186000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2164-160-0x0000000021390000-0x000000002139A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2164-121-0x0000000020610000-0x00000000206A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2164-158-0x00000000213A0000-0x00000000213DC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2164-157-0x0000000020920000-0x0000000020932000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2164-119-0x0000000000400000-0x00000000005E4000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/2164-120-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/3488-131-0x00000000055C0000-0x0000000005914000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3488-132-0x0000000005E50000-0x0000000005E9C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3488-152-0x0000000007150000-0x0000000007158000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3488-151-0x0000000007160000-0x000000000717A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3488-150-0x0000000007120000-0x0000000007134000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3488-149-0x00000000070F0000-0x00000000070FE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3488-148-0x00000000070B0000-0x00000000070C1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3488-147-0x0000000006F30000-0x0000000006F3A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3488-145-0x0000000006190000-0x00000000061AE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3488-146-0x0000000006B90000-0x0000000006C33000-memory.dmp
    Filesize

    652KB

    Download
  • memory/3488-135-0x000000006FBF0000-0x000000006FC3C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3488-134-0x0000000006150000-0x0000000006182000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4864-27-0x0000016B752B0000-0x0000016B75362000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4864-34-0x00007FFC09E63000-0x00007FFC09E65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4864-18-0x0000016B73A70000-0x0000016B73A84000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4864-13-0x00007FFC09E63000-0x00007FFC09E65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4864-20-0x0000016B74FB0000-0x0000016B752B0000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/4864-15-0x0000016B74D60000-0x0000016B74E6E000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/4864-21-0x0000016B5B370000-0x0000016B5B37A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4864-25-0x0000016B5B380000-0x0000016B5B38A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4864-26-0x0000016B74BB0000-0x0000016B74BDA000-memory.dmp
    Filesize

    168KB

    Download
  • memory/4864-19-0x0000016B73AE0000-0x0000016B73B04000-memory.dmp
    Filesize

    144KB

    Download
  • memory/4864-28-0x0000016B75360000-0x0000016B753DA000-memory.dmp
    Filesize

    488KB

    Download
  • memory/4864-29-0x0000016B74BE0000-0x0000016B74C42000-memory.dmp
    Filesize

    392KB

    Download
  • memory/4864-30-0x0000016B75460000-0x0000016B754D6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4864-31-0x0000016B79BA0000-0x0000016B79BA8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4864-32-0x0000016B794E0000-0x0000016B79518000-memory.dmp
    Filesize

    224KB

    Download
  • memory/4864-33-0x0000016B794B0000-0x0000016B794BE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4864-16-0x0000016B73A60000-0x0000016B73A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4864-17-0x0000016B73A80000-0x0000016B73A8C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/4864-14-0x0000016B55D30000-0x0000016B59602000-memory.dmp
    Filesize

    56.8MB

    Download