Overview

overview

10

Static

static

10

QuasarModded.scr

windows10-1703-x64

10

QuasarModded.scr

windows10-2004-x64

10

QuasarModded.scr

windows11-21h2-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    306s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07/07/2024, 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QuasarModded.scr

  • Size

    1.2MB

  • MD5

    a4804946374d70da63b45d48c0de6188

  • SHA1

    a00c5b21387aa3b2fa9eafd8bd3d0159de32454f

  • SHA256

    e5f8616d5ed2e6e1538b238c2ef7d13ee680406899fa14cae2ad54bede356d4a

  • SHA512

    d3e9bff12b39e2d4602e947be84606ffbd7af2bc9b0785721d9caf679163749892b7fa2cc33c76def45b275ce2971fef1a27d0369f857c42dca2dfd666631f5c

  • SSDEEP

    24576:u2G/nvxW3WieCaZtNvoYU367xprsfVwkR4QuYN0wnxvjd:ubA3jGA+ruVwkz6wnxvx

Score
10/10
dcratevasioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\QuasarModded.scr
    "C:\Users\Admin\AppData\Local\Temp\QuasarModded.scr" /S
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgewebfontDriver\JPEKY7KdznoNKJ6HgkX9q4NreF.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgewebfontDriver\Gg47yix3Ugv.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\bridgewebfontDriver\surrogateBrowser.exe
          "C:\bridgewebfontDriver\surrogateBrowser.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4452
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S9OIdMu3DI.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3108
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3636
              • C:\Windows\Branding\ShellBrd\SearchUI.exe
                "C:\Windows\Branding\ShellBrd\SearchUI.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1872
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:1400
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgewebfontDriver\IJ5c76irDFq5p4JLIcG.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "echo Loading Windows...."
          3⤵
            PID:1660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2316
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\SearchUI.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\SearchUI.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\SearchUI.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4260

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\S9OIdMu3DI.bat
        Filesize

        206B

        MD5

        ee8256407121261b6b1b2ebd0ffacab4

        SHA1

        9d1a779be439385f2b00f0cbfb0f5c03f7bb48d8

        SHA256

        837e4323868efec403757e224e69d057687b532f2e73fe726c7086240f80779e

        SHA512

        7d01840339fb763cb5b249584698030b63aa59603dd36722d117fe1fc118eae27807ca9192a3d31201bac7b28a5bc72e2db2ea6de00dff6884e8776cff581d13

        Download Submit

      • C:\bridgewebfontDriver\Gg47yix3Ugv.bat
        Filesize

        157B

        MD5

        2145812a655fcd7fd26f377cca64e5ac

        SHA1

        12610088154f68594f5416c48cb0542a9d1b7b8d

        SHA256

        fb23c678fc163f761224473afc361013c1fd9d3297a5a99a252d7770b7b46be6

        SHA512

        a93fee719fbc9186c8ad706c05b7abddf40d8ba48aa34d8989c35a6660a4bf8d02273336c96e770bedeefe992041167e7abca2eff21a87da11fe98ff9dc268d0

        Download Submit

      • C:\bridgewebfontDriver\IJ5c76irDFq5p4JLIcG.bat
        Filesize

        37B

        MD5

        6cd2aafebcf7db23c74ca6c73a041342

        SHA1

        600fc446485bfd277e415b768766bb9137fbe302

        SHA256

        af30295b156854859a392ca6afcdf01edb5e2df21b31c0787ab9396ddf44cb0e

        SHA512

        eb43e65b3f9296afd5907a95e23a86c2776da0cb7d8bdedb6c3bc30bfd37ec2a78227606d7bf4a3e05bf50248558835c9b2e77a9376b26ae36170a398a8087fa

        Download Submit

      • C:\bridgewebfontDriver\JPEKY7KdznoNKJ6HgkX9q4NreF.vbe
        Filesize

        207B

        MD5

        abf61c238f6dd4ecb89a49801a52ce82

        SHA1

        1e61ebb43d17005a986cf3d7d5c93d1ccd9dc0fd

        SHA256

        d4955e52bc64f7bf143f0930a12f45710769c06323cc6ab1742a798b2a4362f3

        SHA512

        142c94171c559b936bd3f880183c7607ed4a9614b84dd6d844b692a4dd36d85a206bc780cd6c5158bc579c1cac75d57289b801b6bd4afe7c8cffb3436585b0d1

        Download Submit

      • C:\bridgewebfontDriver\surrogateBrowser.exe
        Filesize

        897KB

        MD5

        9ec0bd3db90819b061753ad50f77741c

        SHA1

        b693c923ccc22944bbc1e8501e05fcc93e88b369

        SHA256

        80fdef187d476f0966a2565f2da801f45772c816f9c6350078a4010c87a26ef5

        SHA512

        93f04bbeeb4df2cca62ca5e1d2888650734e7fc54385a16537c11811085bd9520f770a38984aeeb512f65a8ec48b2285d896072b8400a5624c9c212d02f1bbad

        Download Submit

      • memory/4452-19-0x0000000000B30000-0x0000000000C18000-memory.dmp

        Filesize

        928KB

        Download

      • memory/4452-20-0x0000000002E00000-0x0000000002E0E000-memory.dmp

        Filesize

        56KB

        Download