Malware Analysis Report

2024-10-19 08:36

Sample ID 240801-dxy4pszajp
Target nitro gen.sfx.exe
SHA256 bd0a7542a724d699799858acaf694cbfc2f281fa8bb0641698d23bdc5454dc38
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd0a7542a724d699799858acaf694cbfc2f281fa8bb0641698d23bdc5454dc38

Threat Level: Known bad

The file nitro gen.sfx.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar RAT

Quasar payload

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-01 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 03:23

Reported

2024-08-01 03:26

Platform

win7-20240729-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
PID 1976 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
PID 1976 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
PID 2724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe C:\Windows\system32\schtasks.exe
PID 2724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe C:\Windows\system32\schtasks.exe
PID 2724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe C:\Windows\system32\schtasks.exe
PID 2724 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe
PID 2724 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe
PID 2724 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.exe C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe
PID 2608 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe C:\Windows\system32\schtasks.exe
PID 2608 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe C:\Windows\system32\schtasks.exe
PID 2608 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe

"C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe"

C:\Users\Admin\AppData\Local\Temp\nitro gen.exe

"C:\Users\Admin\AppData\Local\Temp\nitro gen.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe

"C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe" /rl HIGHEST /f

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4bc

Network

Country Destination Domain Proto
US 8.8.8.8:53 fauhfuhfdrga-54679.portmap.host udp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp
DE 193.161.193.99:54679 fauhfuhfdrga-54679.portmap.host tcp

Files

C:\Users\Admin\AppData\Local\Temp\nitro gen.exe

MD5 a7ffd511af0df48e69375566bde8cb74
SHA1 eaf0f135d686471da2f63df031d5d869f0865062
SHA256 643cb37d115ad66aa776b615e57c2bb11c7d413c593232c1515e2463ce95b7e9
SHA512 c0e347a2515aeaa56351cf55414ac6f9ef547972ca0126c0b7b51e8a8397df0837ba22033da745eb1f435ea9214dc8920edc1683ada2575cf8ac602d06d4293f

memory/2724-21-0x000007FEF4A13000-0x000007FEF4A14000-memory.dmp

memory/2724-22-0x0000000001090000-0x00000000013B4000-memory.dmp

memory/2724-23-0x000007FEF4A10000-0x000007FEF53FC000-memory.dmp

memory/2724-30-0x000007FEF4A10000-0x000007FEF53FC000-memory.dmp

memory/2608-29-0x00000000003D0000-0x00000000006F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 03:23

Reported

2024-08-01 03:33

Platform

win10v2004-20240730-en

Max time kernel

437s

Max time network

455s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe

"C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A