Analysis Overview
SHA256
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87
Threat Level: Known bad
The file a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe was found to be: Known bad.
Malicious Activity Summary
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Quasar RAT
Detects Windows executables referencing non-Windows User-Agents
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Quasar payload
Quasar family
Detects file containing reversed ASEP Autorun registry keys
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Detects executables containing URLs to raw contents of a Github gist
Detects executables embedding command execution via IExecuteCommand COM object
Detects executables containing URLs to raw contents of a Github gist
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Detects executables embedding command execution via IExecuteCommand COM object
Detects file containing reversed ASEP Autorun registry keys
Detects Windows executables referencing non-Windows User-Agents
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Looks up external IP address via web service
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 01:39
Signatures
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding command execution via IExecuteCommand COM object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 01:39
Reported
2024-06-29 01:42
Platform
win7-20231129-en
Max time kernel
118s
Max time network
131s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding command execution via IExecuteCommand COM object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
"C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 45.40.96.164:5552 | tcp |
Files
memory/2060-0-0x000000007406E000-0x000000007406F000-memory.dmp
memory/2060-1-0x0000000000C50000-0x0000000000D3C000-memory.dmp
memory/2060-2-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2060-3-0x000000007406E000-0x000000007406F000-memory.dmp
memory/2060-4-0x0000000074060000-0x000000007474E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 01:39
Reported
2024-06-29 01:42
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding command execution via IExecuteCommand COM object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
"C:\Users\Admin\AppData\Local\Temp\a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 45.40.96.164:5552 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.96.40.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.178.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | i.pki.goog | udp |
| US | 8.8.8.8:53 | i.pki.goog | udp |
| GB | 172.217.169.67:80 | i.pki.goog | tcp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/4820-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp
memory/4820-1-0x00000000002F0000-0x00000000003DC000-memory.dmp
memory/4820-2-0x00000000053B0000-0x0000000005954000-memory.dmp
memory/4820-3-0x0000000004E00000-0x0000000004E92000-memory.dmp
memory/4820-4-0x0000000074EA0000-0x0000000075650000-memory.dmp
memory/4820-5-0x0000000004FF0000-0x0000000005056000-memory.dmp
memory/4820-6-0x0000000005C00000-0x0000000005C12000-memory.dmp
memory/4820-7-0x0000000006040000-0x000000000607C000-memory.dmp
memory/4820-8-0x0000000006780000-0x000000000678A000-memory.dmp
memory/4820-9-0x0000000074EAE000-0x0000000074EAF000-memory.dmp
memory/4820-10-0x0000000074EA0000-0x0000000075650000-memory.dmp