Analysis Overview
SHA256
c1fba0fc260e24b6f42a72d8725aac400465890e5ee1a422cd567229ec1609bc
Threat Level: Known bad
The file SRCkey.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Executes dropped EXE
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-30 17:47
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-30 17:47
Reported
2024-07-30 17:48
Platform
win10v2004-20240730-en
Max time kernel
18s
Max time network
22s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1880 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1880 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1880 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 1880 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 4708 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4708 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SRCkey.exe
"C:\Users\Admin\AppData\Local\Temp\SRCkey.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 192.168.8.180:4782 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | d0fa55b027cf3268483208bc5087bf14 |
| SHA1 | 758d9396522e8458159bb7b5186340caf767f691 |
| SHA256 | c1fba0fc260e24b6f42a72d8725aac400465890e5ee1a422cd567229ec1609bc |
| SHA512 | 418ae9524de8f7326fe77c2664f1cdf2f807c0a50fe6e2619cc32fb863eff08a1b3ec26c029f1e319f540e9074380e8ca2dc9fb3f65e0cb2d26947037967f48b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-30 17:47
Reported
2024-07-30 17:49
Platform
win11-20240709-en
Max time kernel
34s
Max time network
36s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1728 wrote to memory of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1728 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 1728 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\SRCkey.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 3988 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3988 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SRCkey.exe
"C:\Users\Admin\AppData\Local\Temp\SRCkey.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.8.180:4782 | N/A | tcp |
| N/A | 192.168.8.180:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | d0fa55b027cf3268483208bc5087bf14 |
| SHA1 | 758d9396522e8458159bb7b5186340caf767f691 |
| SHA256 | c1fba0fc260e24b6f42a72d8725aac400465890e5ee1a422cd567229ec1609bc |
| SHA512 | 418ae9524de8f7326fe77c2664f1cdf2f807c0a50fe6e2619cc32fb863eff08a1b3ec26c029f1e319f540e9074380e8ca2dc9fb3f65e0cb2d26947037967f48b |