Overview

overview

10

Static

static

3

MWIII Chai...er.exe

windows7-x64

10

MWIII Chai...er.exe

windows10-2004-x64

10

Resubmissions

11-07-2024 04:15

240711-evqvzsydmp 10

11-07-2024 04:13

240711-etf96aydjm 10

Analysis

  • max time kernel
    60s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11-07-2024 04:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MWIII Chair + Blocker.exe

  • Size

    47.7MB

  • MD5

    479f465034137af69c31b1ba25752ddf

  • SHA1

    1a437d072149e6a09ef81336e571ad7c6348fa6e

  • SHA256

    72880513939d8b52af76c8796bf066a7d3e7df97e9ef5a1a5076e9178016867b

  • SHA512

    f7eaf698eddc3b7f28a1c5d416a7332e20203c56109cd5fc709eea1f7f3d6500f7ac587bc969418d911563b26541cb95cc9de690b62fc5ecd8997a9d1927690d

  • SSDEEP

    786432:NlHDtuFgKqlUdKijEIzQviTQ5nGgcPkdzteBG3NAfhO2nlSZYptRZOHOhC+dj:3DtuFbB7fUaTQ5GidBdCh7nLptpC+

Score
10/10
quasarserverevasionexecutionpersistencepyinstallerspywaretrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Server

C2

193.37.254.35:60553

Mutex

08e34576-f933-4fe1-9756-64a65f86dc05

Attributes
  • encryption_key

    8DED0FEFCB0F93A016A6DAD812C6D6D58DEE8547

  • install_name

    services86.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    services86

  • subdirectory

    Files

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Power Settings 1 TTPs 4 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 5 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 16 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\MWIII Chair + Blocker.exe
    "C:\Users\Admin\AppData\Local\Temp\MWIII Chair + Blocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAegB3ACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Users\Admin\AppData\Local\services86.exe
      "C:\Users\Admin\AppData\Local\services86.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "services86" /sc ONLOGON /tr "C:\Windows\system32\Files\services86.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:912
      • C:\Windows\system32\Files\services86.exe
        "C:\Windows\system32\Files\services86.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1292
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "services86" /sc ONLOGON /tr "C:\Windows\system32\Files\services86.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:836
    • C:\Users\Admin\AppData\Local\services64.exe
      "C:\Users\Admin\AppData\Local\services64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Users\Admin\AppData\Local\services64.exe
        "C:\Users\Admin\AppData\Local\services64.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2548
    • C:\Users\Admin\AppData\Local\dependencies.exe
      "C:\Users\Admin\AppData\Local\dependencies.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:1592
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C Powercfg -h off
          3⤵
          • Power Settings
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Windows\system32\powercfg.exe
            Powercfg -h off
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1208
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C Powercfg -h off
          3⤵
          • Power Settings
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Windows\system32\powercfg.exe
            Powercfg -h off
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Confirm-SecureBootUEFI"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:596
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
          3⤵
            PID:1972
            • C:\Windows\system32\taskkill.exe
              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1980
          • C:\Windows\system32\cmd.exe
            cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
            3⤵
              PID:1988
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1788
            • C:\Windows\system32\cmd.exe
              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
              3⤵
                PID:1992
                • C:\Windows\system32\taskkill.exe
                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                  4⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:540
              • C:\Windows\system32\cmd.exe
                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                3⤵
                  PID:1936
                  • C:\Windows\system32\sc.exe
                    sc stop HTTPDebuggerPro
                    4⤵
                    • Launches sc.exe
                    PID:2376
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                  3⤵
                    PID:1092
                    • C:\Windows\system32\taskkill.exe
                      taskkill /IM HTTPDebuggerSvc.exe /F
                      4⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:692
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                    3⤵
                      PID:1476
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\dependencies.exe" MD5
                      3⤵
                        PID:1336
                        • C:\Windows\system32\certutil.exe
                          certutil -hashfile "C:\Users\Admin\AppData\Local\dependencies.exe" MD5
                          4⤵
                            PID:780
                        • C:\Windows\system32\cmd.exe
                          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                          3⤵
                            PID:2260
                            • C:\Windows\system32\taskkill.exe
                              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                              4⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1596
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                            3⤵
                              PID:2176
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                4⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:380
                            • C:\Windows\system32\cmd.exe
                              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                              3⤵
                                PID:2140
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                  4⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1776
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                3⤵
                                  PID:1808
                                  • C:\Windows\system32\sc.exe
                                    sc stop HTTPDebuggerPro
                                    4⤵
                                    • Launches sc.exe
                                    PID:1344
                                • C:\Windows\system32\cmd.exe
                                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                  3⤵
                                    PID:1920
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /IM HTTPDebuggerSvc.exe /F
                                      4⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1812
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                    3⤵
                                      PID:3036
                                    • C:\Windows\system32\cmd.exe
                                      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                      3⤵
                                        PID:1352
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                          4⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2960
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                        3⤵
                                          PID:1772
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                            4⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2436
                                        • C:\Windows\system32\cmd.exe
                                          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                          3⤵
                                            PID:1796
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2480
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                            3⤵
                                              PID:1928
                                              • C:\Windows\system32\sc.exe
                                                sc stop HTTPDebuggerPro
                                                4⤵
                                                • Launches sc.exe
                                                PID:1700
                                            • C:\Windows\system32\cmd.exe
                                              cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                              3⤵
                                                PID:1308
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /IM HTTPDebuggerSvc.exe /F
                                                  4⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3012
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                3⤵
                                                  PID:1736
                                                • C:\Windows\system32\cmd.exe
                                                  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                  3⤵
                                                    PID:1932
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2256
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                    3⤵
                                                      PID:1924
                                                      • C:\Windows\system32\taskkill.exe
                                                        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                        4⤵
                                                        • Kills process with taskkill
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1608
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                      3⤵
                                                        PID:1724
                                                        • C:\Windows\system32\taskkill.exe
                                                          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                          4⤵
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1656
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                        3⤵
                                                          PID:680
                                                          • C:\Windows\system32\sc.exe
                                                            sc stop HTTPDebuggerPro
                                                            4⤵
                                                            • Launches sc.exe
                                                            PID:2776
                                                        • C:\Windows\system32\cmd.exe
                                                          cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                          3⤵
                                                            PID:1056
                                                            • C:\Windows\system32\taskkill.exe
                                                              taskkill /IM HTTPDebuggerSvc.exe /F
                                                              4⤵
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2500
                                                          • C:\Windows\system32\cmd.exe
                                                            cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                            3⤵
                                                              PID:2356

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28082\python310.dll
                                                          Filesize

                                                          1.4MB

                                                          MD5

                                                          4a6afa2200b1918c413d511c5a3c041c

                                                          SHA1

                                                          39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

                                                          SHA256

                                                          bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

                                                          SHA512

                                                          dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\dependencies.exe
                                                          Filesize

                                                          10.5MB

                                                          MD5

                                                          5f9f741929a6bf741b958638c397bb8d

                                                          SHA1

                                                          e370edb712a9ace94aa3221dcb9b271953c245ff

                                                          SHA256

                                                          9a768722b28c4309ab8ad25b7a94bf4eb6192746d47c69202b17373b7e2dcaa8

                                                          SHA512

                                                          31ca935fe41121d7722fcbe41a803450d9d790f4387b1df68ddfc3865183403f18240d0c8ca514a3b4fb94e9b37cc40b5f8af19400d691099658dbe5279b78cd

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\services64.exe
                                                          Filesize

                                                          34.1MB

                                                          MD5

                                                          a8a0683a64c14f55844fa0ad6ed345bd

                                                          SHA1

                                                          039100e09e95c19aa19caeb7641417e3d065061d

                                                          SHA256

                                                          9466fb159deb56e656a507de7f621eade9f57ef013f980e5bbc853c9b3df9468

                                                          SHA512

                                                          69d12fb87bcfde005a12e8e60733fbf799d98cd0957669f59db6b485f13067076af82ca07fdcb472ca78a963baef718fa441be9693cce1b3a0eabb84705a7b9d

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\87HFYSZYPUNT6REUV2YE.temp
                                                          Filesize

                                                          7KB

                                                          MD5

                                                          9396a80a14db337e63200c7fdc4ae79d

                                                          SHA1

                                                          31520d7f0ac3ea2f18c7919f8f48c2c2ac203c45

                                                          SHA256

                                                          bc991c88ca75ffea06b8a26bdecc73d7a1aa1b30119da427b9531ce9e0b98f0e

                                                          SHA512

                                                          739179c3bbd06589f1809ba7a88d687550551597cc376b4610851197db57b637549d1219b945a3844035a58a1be0d0e26d5fcffef85009391bf156fd3e94db7f

                                                          Download Submit

                                                        • C:\secureboot_status.txt
                                                          Filesize

                                                          447B

                                                          MD5

                                                          cf8355d29a9d97cf5d6a673e64f9fcda

                                                          SHA1

                                                          9050f2dd8c50258f22fea4278268357d4133668f

                                                          SHA256

                                                          7fc3a10f21c5405061e1eff734790d1a640ddc1971a84e60070288af8bb161d3

                                                          SHA512

                                                          9669cb9c7100047e4f0c0478edc3c390fde9fa8ae98e5aaf4c204520f6eb3e57c11eb388f72986afd21781c24b2796c39e1aa291d34f481b0de9c94b81bd1a48

                                                          Download Submit

                                                        • \Users\Admin\AppData\Local\services86.exe
                                                          Filesize

                                                          3.1MB

                                                          MD5

                                                          fd0a43d6dbd1e8d51c7fd88fcec20b77

                                                          SHA1

                                                          09e5c01eb89bc3f56505776b4029170012329671

                                                          SHA256

                                                          c545f6df14ab1fa59235838ddb48572637fdebf237d96d0978cd55acbaa86311

                                                          SHA512

                                                          594619cd351091392a039543d6c766545cac477becff14ad0116b881a376e924d98ef116c66be41181daa41c7d1b6c36ea95bf028f92ce29418f22311175893e

                                                          Download Submit

                                                        • memory/596-57-0x0000000001E90000-0x0000000001E98000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/596-56-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

                                                          Filesize

                                                          2.9MB

                                                          Download

                                                        • memory/1292-51-0x00000000010D0000-0x00000000013F4000-memory.dmp

                                                          Filesize

                                                          3.1MB

                                                          Download

                                                        • memory/2548-35-0x000007FEF38C0000-0x000007FEF3D26000-memory.dmp

                                                          Filesize

                                                          4.4MB

                                                          Download

                                                        • memory/2584-41-0x0000000077A10000-0x0000000077A12000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2584-42-0x000000013F290000-0x00000001405C7000-memory.dmp

                                                          Filesize

                                                          19.2MB

                                                          Download

                                                        • memory/2584-37-0x0000000077A10000-0x0000000077A12000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2584-39-0x0000000077A10000-0x0000000077A12000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2848-10-0x0000000000350000-0x0000000000674000-memory.dmp

                                                          Filesize

                                                          3.1MB

                                                          Download