Analysis Overview
SHA256
031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104
Threat Level: Known bad
The file 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104 was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 17:02
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-29 17:02
Reported
2024-07-29 17:06
Platform
win10v2004-20240709-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2244 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2244 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe |
| PID 2244 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe |
| PID 1268 wrote to memory of 2408 | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1268 wrote to memory of 2408 | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
"C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\sigmaexecutor.exe.exe
"C:\Windows\system32\SubDir\sigmaexecutor.exe.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| N/A | 192.168.1.70:4782 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 192.168.1.70:4782 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| N/A | 192.168.1.70:4782 | | tcp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| N/A | 192.168.1.70:4782 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 192.168.1.70:4782 | | tcp |
| N/A | 192.168.1.70:4782 | | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
memory/2244-0-0x00007FFDF3423000-0x00007FFDF3425000-memory.dmp
memory/2244-1-0x00000000003D0000-0x00000000006F4000-memory.dmp
memory/2244-2-0x00007FFDF3420000-0x00007FFDF3EE1000-memory.dmp
C:\Windows\System32\SubDir\sigmaexecutor.exe.exe
| MD5 | 9a4f3b0223e0bcb90d5a08afdae6a169 |
| SHA1 | b8ea3a64121a47f7a7abc73fc9a39d912b31a724 |
| SHA256 | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104 |
| SHA512 | 38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601 |
memory/1268-10-0x00007FFDF3420000-0x00007FFDF3EE1000-memory.dmp
memory/2244-9-0x00007FFDF3420000-0x00007FFDF3EE1000-memory.dmp
memory/1268-11-0x00007FFDF3420000-0x00007FFDF3EE1000-memory.dmp
memory/1268-12-0x000000001C000000-0x000000001C050000-memory.dmp
memory/1268-13-0x000000001C110000-0x000000001C1C2000-memory.dmp
memory/1268-14-0x00007FFDF3420000-0x00007FFDF3EE1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 17:02
Reported
2024-07-29 17:05
Platform
win7-20240704-en
Max time kernel
125s
Max time network
141s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
"C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\sigmaexecutor.exe.exe
"C:\Windows\system32\SubDir\sigmaexecutor.exe.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.70:4782 | | tcp |
| N/A | 192.168.1.70:4782 | | tcp |
| N/A | 192.168.1.70:4782 | | tcp |
| N/A | 192.168.1.70:4782 | | tcp |
| N/A | 192.168.1.70:4782 | | tcp |
| N/A | 192.168.1.70:4782 | | tcp |
Files
memory/2308-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp
memory/2308-1-0x0000000001290000-0x00000000015B4000-memory.dmp
memory/2308-2-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp
C:\Windows\System32\SubDir\sigmaexecutor.exe.exe
| MD5 | 9a4f3b0223e0bcb90d5a08afdae6a169 |
| SHA1 | b8ea3a64121a47f7a7abc73fc9a39d912b31a724 |
| SHA256 | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104 |
| SHA512 | 38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601 |
memory/2308-9-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp
memory/2084-8-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp
memory/2084-10-0x0000000000F20000-0x0000000001244000-memory.dmp
memory/2084-11-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp
memory/2084-12-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp