Analysis Overview
SHA256
bd0a7542a724d699799858acaf694cbfc2f281fa8bb0641698d23bdc5454dc38
Threat Level: Known bad
The file nitro gen.sfx.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 03:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 03:23
Reported
2024-08-01 03:26
Platform
win7-20240729-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro gen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nitro gen.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe"
C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
"C:\Users\Admin\AppData\Local\Temp\nitro gen.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe
"C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe" /rl HIGHEST /f
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | fauhfuhfdrga-54679.portmap.host | udp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
| DE | 193.161.193.99:54679 | fauhfuhfdrga-54679.portmap.host | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
| Hash | Value |
| --- | --- |
| MD5 | a7ffd511af0df48e69375566bde8cb74 |
| SHA1 | eaf0f135d686471da2f63df031d5d869f0865062 |
| SHA256 | 643cb37d115ad66aa776b615e57c2bb11c7d413c593232c1515e2463ce95b7e9 |
| SHA512 | c0e347a2515aeaa56351cf55414ac6f9ef547972ca0126c0b7b51e8a8397df0837ba22033da745eb1f435ea9214dc8920edc1683ada2575cf8ac602d06d4293f |
memory/2724-21-0x000007FEF4A13000-0x000007FEF4A14000-memory.dmp
memory/2724-22-0x0000000001090000-0x00000000013B4000-memory.dmp
memory/2724-23-0x000007FEF4A10000-0x000007FEF53FC000-memory.dmp
memory/2724-30-0x000007FEF4A10000-0x000007FEF53FC000-memory.dmp
memory/2608-29-0x00000000003D0000-0x00000000006F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 03:23
Reported
2024-08-01 03:33
Platform
win10v2004-20240730-en
Max time kernel
437s
Max time network
455s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |