Analysis Overview
SHA256
e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0
Threat Level: Known bad
The file e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe was found to be: Known bad.
Malicious Activity Summary
Detects file containing reversed ASEP Autorun registry keys
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Detects executables embedding command execution via IExecuteCommand COM object
Quasar RAT
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Quasar family
Quasar payload
Detects Windows executables referencing non-Windows User-Agents
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Detects executables containing URLs to raw contents of a Github gist
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Detects executables embedding command execution via IExecuteCommand COM object
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Detects Windows executables referencing non-Windows User-Agents
Detects executables containing URLs to raw contents of a Github gist
Detects file containing reversed ASEP Autorun registry keys
Looks up external IP address via web service
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 01:51
Signatures
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding command execution via IExecuteCommand COM object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 01:51
Reported
2024-06-29 01:54
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
132s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding command execution via IExecuteCommand COM object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe
"C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 45.40.96.164:5552 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.96.40.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/668-0-0x000000007482E000-0x000000007482F000-memory.dmp
memory/668-1-0x0000000000F90000-0x000000000107C000-memory.dmp
memory/668-2-0x0000000005FB0000-0x0000000006554000-memory.dmp
memory/668-3-0x0000000005AA0000-0x0000000005B32000-memory.dmp
memory/668-4-0x0000000074820000-0x0000000074FD0000-memory.dmp
memory/668-5-0x0000000005B40000-0x0000000005BA6000-memory.dmp
memory/668-6-0x00000000068A0000-0x00000000068B2000-memory.dmp
memory/668-7-0x0000000006DE0000-0x0000000006E1C000-memory.dmp
memory/668-8-0x0000000007520000-0x000000000752A000-memory.dmp
memory/668-9-0x000000007482E000-0x000000007482F000-memory.dmp
memory/668-10-0x0000000074820000-0x0000000074FD0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 01:51
Reported
2024-06-29 01:54
Platform
win7-20240220-en
Max time kernel
118s
Max time network
140s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding command execution via IExecuteCommand COM object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe
"C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 45.40.96.164:5552 | tcp |
Files
memory/2908-0-0x000000007405E000-0x000000007405F000-memory.dmp
memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp
memory/2908-2-0x0000000074050000-0x000000007473E000-memory.dmp
memory/2908-3-0x000000007405E000-0x000000007405F000-memory.dmp
memory/2908-4-0x0000000074050000-0x000000007473E000-memory.dmp