Overview

overview

10

Static

static

3

MWIII Chai...er.exe

windows7-x64

10

MWIII Chai...er.exe

windows10-2004-x64

10

Resubmissions

11-07-2024 04:15

240711-evqvzsydmp 10

11-07-2024 04:13

240711-etf96aydjm 10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11-07-2024 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MWIII Chair + Blocker.exe

  • Size

    47.7MB

  • MD5

    479f465034137af69c31b1ba25752ddf

  • SHA1

    1a437d072149e6a09ef81336e571ad7c6348fa6e

  • SHA256

    72880513939d8b52af76c8796bf066a7d3e7df97e9ef5a1a5076e9178016867b

  • SHA512

    f7eaf698eddc3b7f28a1c5d416a7332e20203c56109cd5fc709eea1f7f3d6500f7ac587bc969418d911563b26541cb95cc9de690b62fc5ecd8997a9d1927690d

  • SSDEEP

    786432:NlHDtuFgKqlUdKijEIzQviTQ5nGgcPkdzteBG3NAfhO2nlSZYptRZOHOhC+dj:3DtuFbB7fUaTQ5GidBdCh7nLptpC+

Score
10/10
quasarserverevasionexecutionpersistencepyinstallerspywaretrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Server

C2

193.37.254.35:60553

Mutex

08e34576-f933-4fe1-9756-64a65f86dc05

Attributes
  • encryption_key

    8DED0FEFCB0F93A016A6DAD812C6D6D58DEE8547

  • install_name

    services86.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    services86

  • subdirectory

    Files

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Power Settings 1 TTPs 4 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 16 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\MWIII Chair + Blocker.exe
    "C:\Users\Admin\AppData\Local\Temp\MWIII Chair + Blocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAegB3ACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Users\Admin\AppData\Local\services86.exe
      "C:\Users\Admin\AppData\Local\services86.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "services86" /sc ONLOGON /tr "C:\Windows\system32\Files\services86.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2776
    • C:\Users\Admin\AppData\Local\services64.exe
      "C:\Users\Admin\AppData\Local\services64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Users\Admin\AppData\Local\services64.exe
        "C:\Users\Admin\AppData\Local\services64.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3040
    • C:\Users\Admin\AppData\Local\dependencies.exe
      "C:\Users\Admin\AppData\Local\dependencies.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:2432
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C Powercfg -h off
          3⤵
          • Power Settings
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\system32\powercfg.exe
            Powercfg -h off
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C Powercfg -h off
          3⤵
          • Power Settings
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\system32\powercfg.exe
            Powercfg -h off
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Confirm-SecureBootUEFI"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
          3⤵
            PID:2960
            • C:\Windows\system32\taskkill.exe
              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:808
          • C:\Windows\system32\cmd.exe
            cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
            3⤵
              PID:2996
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2992
            • C:\Windows\system32\cmd.exe
              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
              3⤵
                PID:3004
                • C:\Windows\system32\taskkill.exe
                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                  4⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2812
              • C:\Windows\system32\cmd.exe
                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                3⤵
                  PID:2692
                  • C:\Windows\system32\sc.exe
                    sc stop HTTPDebuggerPro
                    4⤵
                    • Launches sc.exe
                    PID:2020
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                  3⤵
                    PID:1812
                    • C:\Windows\system32\taskkill.exe
                      taskkill /IM HTTPDebuggerSvc.exe /F
                      4⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1700
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                    3⤵
                      PID:2664
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\dependencies.exe" MD5
                      3⤵
                        PID:2844
                        • C:\Windows\system32\certutil.exe
                          certutil -hashfile "C:\Users\Admin\AppData\Local\dependencies.exe" MD5
                          4⤵
                            PID:2092
                        • C:\Windows\system32\cmd.exe
                          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                          3⤵
                            PID:2384
                            • C:\Windows\system32\taskkill.exe
                              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                              4⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2096
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                            3⤵
                              PID:2700
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                4⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2148
                            • C:\Windows\system32\cmd.exe
                              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                              3⤵
                                PID:1916
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                  4⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2116
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                3⤵
                                  PID:2216
                                  • C:\Windows\system32\sc.exe
                                    sc stop HTTPDebuggerPro
                                    4⤵
                                    • Launches sc.exe
                                    PID:2328
                                • C:\Windows\system32\cmd.exe
                                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                  3⤵
                                    PID:2308
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /IM HTTPDebuggerSvc.exe /F
                                      4⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2084
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                    3⤵
                                      PID:2340
                                    • C:\Windows\system32\cmd.exe
                                      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                      3⤵
                                        PID:1696
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                          4⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1424
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                        3⤵
                                          PID:2152
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                            4⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2040
                                        • C:\Windows\system32\cmd.exe
                                          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                          3⤵
                                            PID:1452
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1228
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                            3⤵
                                              PID:1720
                                              • C:\Windows\system32\sc.exe
                                                sc stop HTTPDebuggerPro
                                                4⤵
                                                • Launches sc.exe
                                                PID:1684
                                            • C:\Windows\system32\cmd.exe
                                              cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                              3⤵
                                                PID:2504
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /IM HTTPDebuggerSvc.exe /F
                                                  4⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1888
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                3⤵
                                                  PID:2176
                                                • C:\Windows\system32\cmd.exe
                                                  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                  3⤵
                                                    PID:736
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                      4⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2412
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                    3⤵
                                                      PID:2248
                                                      • C:\Windows\system32\taskkill.exe
                                                        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                        4⤵
                                                        • Kills process with taskkill
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2232
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                      3⤵
                                                        PID:1260
                                                        • C:\Windows\system32\taskkill.exe
                                                          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                          4⤵
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2072
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                        3⤵
                                                          PID:1920
                                                          • C:\Windows\system32\sc.exe
                                                            sc stop HTTPDebuggerPro
                                                            4⤵
                                                            • Launches sc.exe
                                                            PID:1852
                                                        • C:\Windows\system32\cmd.exe
                                                          cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                          3⤵
                                                            PID:304
                                                            • C:\Windows\system32\taskkill.exe
                                                              taskkill /IM HTTPDebuggerSvc.exe /F
                                                              4⤵
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:776
                                                          • C:\Windows\system32\cmd.exe
                                                            cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                            3⤵
                                                              PID:296

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI25402\python310.dll
                                                          Filesize

                                                          1.4MB

                                                          MD5

                                                          4a6afa2200b1918c413d511c5a3c041c

                                                          SHA1

                                                          39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

                                                          SHA256

                                                          bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

                                                          SHA512

                                                          dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\services64.exe
                                                          Filesize

                                                          34.1MB

                                                          MD5

                                                          a8a0683a64c14f55844fa0ad6ed345bd

                                                          SHA1

                                                          039100e09e95c19aa19caeb7641417e3d065061d

                                                          SHA256

                                                          9466fb159deb56e656a507de7f621eade9f57ef013f980e5bbc853c9b3df9468

                                                          SHA512

                                                          69d12fb87bcfde005a12e8e60733fbf799d98cd0957669f59db6b485f13067076af82ca07fdcb472ca78a963baef718fa441be9693cce1b3a0eabb84705a7b9d

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\services86.exe
                                                          Filesize

                                                          3.1MB

                                                          MD5

                                                          fd0a43d6dbd1e8d51c7fd88fcec20b77

                                                          SHA1

                                                          09e5c01eb89bc3f56505776b4029170012329671

                                                          SHA256

                                                          c545f6df14ab1fa59235838ddb48572637fdebf237d96d0978cd55acbaa86311

                                                          SHA512

                                                          594619cd351091392a039543d6c766545cac477becff14ad0116b881a376e924d98ef116c66be41181daa41c7d1b6c36ea95bf028f92ce29418f22311175893e

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ASMBWD91AJB95U7ML023.temp
                                                          Filesize

                                                          7KB

                                                          MD5

                                                          d3c0efa61cbb09e1a682073f9f53dad7

                                                          SHA1

                                                          8183d6e9ae00c52ee1b837b003f708105c76c6fb

                                                          SHA256

                                                          b985027a568ae5b6c6033ea5e185f24959fd5227269b2d43579b12948ebd44b1

                                                          SHA512

                                                          64f9475bc0ca7fb214b1f5f72728e74fbf98ed1a19e6b8b2751f2236aae5930609b6fad36ec5b325c9873063a494b1325941e583b393d57a81e96d0d014fc9be

                                                          Download Submit

                                                        • C:\secureboot_status.txt
                                                          Filesize

                                                          447B

                                                          MD5

                                                          cf8355d29a9d97cf5d6a673e64f9fcda

                                                          SHA1

                                                          9050f2dd8c50258f22fea4278268357d4133668f

                                                          SHA256

                                                          7fc3a10f21c5405061e1eff734790d1a640ddc1971a84e60070288af8bb161d3

                                                          SHA512

                                                          9669cb9c7100047e4f0c0478edc3c390fde9fa8ae98e5aaf4c204520f6eb3e57c11eb388f72986afd21781c24b2796c39e1aa291d34f481b0de9c94b81bd1a48

                                                          Download Submit

                                                        • \Users\Admin\AppData\Local\dependencies.exe
                                                          Filesize

                                                          10.5MB

                                                          MD5

                                                          5f9f741929a6bf741b958638c397bb8d

                                                          SHA1

                                                          e370edb712a9ace94aa3221dcb9b271953c245ff

                                                          SHA256

                                                          9a768722b28c4309ab8ad25b7a94bf4eb6192746d47c69202b17373b7e2dcaa8

                                                          SHA512

                                                          31ca935fe41121d7722fcbe41a803450d9d790f4387b1df68ddfc3865183403f18240d0c8ca514a3b4fb94e9b37cc40b5f8af19400d691099658dbe5279b78cd

                                                          Download Submit

                                                        • memory/2428-36-0x00000000001C0000-0x00000000004E4000-memory.dmp

                                                          Filesize

                                                          3.1MB

                                                          Download

                                                        • memory/2744-43-0x000000013F240000-0x0000000140577000-memory.dmp

                                                          Filesize

                                                          19.2MB

                                                          Download

                                                        • memory/2744-40-0x0000000077E00000-0x0000000077E02000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2744-38-0x0000000077E00000-0x0000000077E02000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2744-42-0x0000000077E00000-0x0000000077E02000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2956-52-0x000000001B620000-0x000000001B902000-memory.dmp

                                                          Filesize

                                                          2.9MB

                                                          Download

                                                        • memory/2956-53-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/3040-35-0x000007FEF4B60000-0x000007FEF4FC6000-memory.dmp

                                                          Filesize

                                                          4.4MB

                                                          Download