Malware Analysis Report

2024-08-06 11:10

Sample ID 240614-2hsv5syflb
Target 6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee
SHA256 6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee
Tags
office01 quasar spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee

Threat Level: Known bad

The file 6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee was found to be: Known bad.

Malicious Activity Summary

office01 quasar spyware trojan

Detects Windows executables referencing non-Windows User-Agents

Quasar RAT

Quasar payload

Quasar family

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing common artifacts observed in infostealers

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:35

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:35

Reported

2024-06-14 22:37

Platform

win7-20240508-en

Max time kernel

146s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe C:\Windows\system32\schtasks.exe
PID 2228 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe C:\Windows\system32\schtasks.exe
PID 2228 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe C:\Windows\system32\schtasks.exe
PID 2228 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2228 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2228 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2888 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 2888 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 2888 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 2888 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2744 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2744 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2744 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2744 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2744 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2744 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2744 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2744 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 3068 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 3068 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 3068 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 3068 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 2928 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2928 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2928 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2928 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2928 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2928 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2928 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2928 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2928 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 1576 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 1576 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 1576 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 1576 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 1576 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 1576 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2324 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2324 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2324 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2324 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2324 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2324 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2324 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2324 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe
PID 2148 wrote to memory of 668 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 2148 wrote to memory of 668 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 2148 wrote to memory of 668 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\schtasks.exe
PID 2148 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe C:\Windows\system32\cmd.exe
PID 308 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 308 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 308 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 308 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 308 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 308 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 308 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe

"C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gXSJ6KA9poma.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4elAmeuSkR2T.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYsXO5K92xcd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSqeGolUHbgK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nm75HuuIXw9i.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GTArpjs2PpWO.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\agBppG3L2u2J.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp

Files

memory/2228-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

memory/2228-1-0x0000000000C30000-0x0000000000F54000-memory.dmp

memory/2228-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

MD5 5be228f80c4787e5b4b5d4d49b74f3f8
SHA1 1044191469a2ce9ba3e051d843016dd6f6457696
SHA256 6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee
SHA512 e664adccfaf7519c25d59312b49d72d1241e1e257d5e6bd7551186d0480f3864f87cd487bc6f098c3f6c5bd5e75655fae9f072f57e765ff0aa70db593857fb16

memory/2888-8-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

memory/2888-9-0x0000000000EF0000-0x0000000001214000-memory.dmp

memory/2888-10-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gXSJ6KA9poma.bat

MD5 446d20ed9b33c955721e4e31c930dbef
SHA1 be73cd67a7fa987af0cb8f09dc657d9e5f1e2067
SHA256 5d5bfe402923f48edb229c5f97688d3a727caa2cbaeb6591c8d5b2cddca9a1e7
SHA512 4d917cbe433652267b71576e3e404bee55d9472564db31ac825454897fec71df34099985d5fc477d53f64dc755e5ae3bc095cfd15d8dc2d22479267ee313346c

memory/2888-19-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

memory/2228-21-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4elAmeuSkR2T.bat

MD5 5f7c94906a7e1da45e4d642e08e55d55
SHA1 8358b75ba925c761ba1bba2e73dead7b04f34571
SHA256 0f5b134a0f31e969f16a23bcf892b7305648b717b98a7b9a7f7ff8e295ded00b
SHA512 4e46e8b9d900039fedddb567a72aa60c56e132d0feaec8cb0af6533a70f885559150f6431671d679c9cb0022ffaf2d34dd37803bdfb88c967e60549901bd8188

memory/1576-33-0x0000000000F50000-0x0000000001274000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dYsXO5K92xcd.bat

MD5 33727a967c495f75c66a5b8958adef07
SHA1 676d9022d138b707a40ca02bb40f8e4879537a2c
SHA256 4e9294b96d3c9264399a8f9dcf5d89f13e7a12a0025214728bb0aac7d4325832
SHA512 58d51d511cff4a6cc012d8188a6da69b178140226494fcc12fdfdd2b2f63b3baf02566be7843a70732d5be2ac560e73bd28052cca669d702f5625b6bb6d81a99

C:\Users\Admin\AppData\Local\Temp\eSqeGolUHbgK.bat

MD5 00f42eba393bfdc55995fd1319b10710
SHA1 0b9334eab5e6227425bfc9c9d3fe030648904391
SHA256 4f16b380ecafdbb43f7cdcc4ff18cec8e874e999589e15206af1ba95ea84940e
SHA512 8f289810197e1818ff2a6ad7b52da5aa30886c13e20932579208f27b86b7d3b89641cbc60795a7bbd44e786124c7155d9edb5ccf851a23ad912c9565b731a2a4

C:\Users\Admin\AppData\Local\Temp\nm75HuuIXw9i.bat

MD5 a06087fd62796accd7f51c500d68940e
SHA1 da0a0a88b66bfc97029c645e3715d2428f33ed72
SHA256 2c19f05787f4506164ab1dd346b463d99801daae0ae453e236930cea920d2e73
SHA512 824e527546c2ee585871f290d0ecd4df82637c48ff6a418661458d8dee234b96e0a81f86f5bf503b73f0816a2e19ee82b6af270912eb0b704ae0822f44472a05

memory/1172-64-0x0000000001070000-0x0000000001394000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GTArpjs2PpWO.bat

MD5 25574f1e4517e5283685d3995e77bb35
SHA1 292aca61127d83b7e2082bc6c054dca308fcf25a
SHA256 207eae3d001063c74ef9bcce1812882fc5c7d854de40c64c74bbcc8a05890994
SHA512 df8216db05c96f932d65b45c9db17a216f06221201eb38db71ef1a4676602d79c2ee44879ceaedba2b902854326cab16e178c9163406e889cd6e4502a9db4c34

C:\Users\Admin\AppData\Local\Temp\agBppG3L2u2J.bat

MD5 a6031eef4955003cf9f59f07604adf18
SHA1 3428d183dbbf030756af10ed13e81422719dc37f
SHA256 720b6bd1f1876304e1146ed39f410f819f0a3d5d9855eab154a6c39d139ff16e
SHA512 986c3d0b4c42454bac4d1ab958d49287a91f96c5d52e6d69332a6a7f34aae89b516584d0152cdbf641392c8aaf9a70a7f68263f003ff1876ef72ead1237bb961

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:35

Reported

2024-06-14 22:37

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe

"C:\Users\Admin\AppData\Local\Temp\6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "v Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 salchipingo2-53080.portmap.host udp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp
DE 193.161.193.99:53080 salchipingo2-53080.portmap.host tcp

Files

memory/1428-0-0x00007FFD6C883000-0x00007FFD6C885000-memory.dmp

memory/1428-1-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

memory/1428-2-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Lenzs.exe

MD5 5be228f80c4787e5b4b5d4d49b74f3f8
SHA1 1044191469a2ce9ba3e051d843016dd6f6457696
SHA256 6ffb3717d7be4a8c03ec2c9ed3678ba9804696d38078cb1c2d1924487e2912ee
SHA512 e664adccfaf7519c25d59312b49d72d1241e1e257d5e6bd7551186d0480f3864f87cd487bc6f098c3f6c5bd5e75655fae9f072f57e765ff0aa70db593857fb16

memory/232-9-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp

memory/1428-10-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp

memory/232-11-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp

memory/232-12-0x0000000003340000-0x0000000003390000-memory.dmp

memory/232-13-0x000000001C780000-0x000000001C832000-memory.dmp

memory/232-14-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp