Analysis
-
max time kernel
134s -
max time network
145s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
16-06-2024 00:15
General
-
Target
Server.exe
-
Size
3.1MB
-
MD5
e45a6c438c6ab1538b44fc43a242a5d3
-
SHA1
00a85654779955ca989d1f2907ea1831b2511688
-
SHA256
f5acec48afbdd2a4850462e4613ce91c983bc3a3498c69a306a4ca12ccd15de0
-
SHA512
806783dfc96b3a97c11675236d31f10c6540668e6149ab158eea680b0f84248b7b25ba4f36b4790250459b87e2b0bc91d551b07a79e236c8a4356df4f3878a6f
-
SSDEEP
49152:LvelL26AaNeWgPhlmVqvMQ7XSKybCaSmz/ZoGdmTHHB72eh2NT:LvOL26AaNeWgPhlmVqkQ7XSKoCaZ
Malware Config
Extracted
quasar
1.4.1
Stealer
battery-stripes.gl.at.ply.gg:26129
b5481c41-4bb5-4640-a5ee-20f5c734de54
-
encryption_key
FA1E38D5CB08766F486F72A0AB91AE27E1725C2B
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
WD
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exeFilesize
3.1MB
MD5e45a6c438c6ab1538b44fc43a242a5d3
SHA100a85654779955ca989d1f2907ea1831b2511688
SHA256f5acec48afbdd2a4850462e4613ce91c983bc3a3498c69a306a4ca12ccd15de0
SHA512806783dfc96b3a97c11675236d31f10c6540668e6149ab158eea680b0f84248b7b25ba4f36b4790250459b87e2b0bc91d551b07a79e236c8a4356df4f3878a6f
-
memory/836-10-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmpFilesize
9.9MB
-
memory/836-11-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmpFilesize
9.9MB
-
memory/836-12-0x000000001BC80000-0x000000001BCD0000-memory.dmpFilesize
320KB
-
memory/836-13-0x000000001C420000-0x000000001C4D2000-memory.dmpFilesize
712KB
-
memory/836-16-0x000000001BD00000-0x000000001BD12000-memory.dmpFilesize
72KB
-
memory/836-17-0x000000001C3A0000-0x000000001C3DE000-memory.dmpFilesize
248KB
-
memory/836-18-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmpFilesize
9.9MB
-
memory/1888-0-0x00007FF91EBF3000-0x00007FF91EBF4000-memory.dmpFilesize
4KB
-
memory/1888-1-0x00000000007A0000-0x0000000000AC4000-memory.dmpFilesize
3.1MB
-
memory/1888-2-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmpFilesize
9.9MB
-
memory/1888-9-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmpFilesize
9.9MB