Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02-08-2024 19:10

General

  • Target

    yolo.exe

  • Size

    5.7MB

  • MD5

    275231b1dc6cd9a37e767687257e655d

  • SHA1

    433ce42bf76994b259cf95acd70ddd9a91421ce7

  • SHA256

    3b3fd08f825e24a763ed8abd79dcec933dfd2e3e104f21e5a2bb4a7aa3d3c244

  • SHA512

    5c5837ae8cd4db50d42434071ff4b01d62c276a0f350481ee2ead1f2bfc560bd1edf9cebc37a57a2cd160c65909242473b4c3d2c6cd1b99159cd8b1b2825dbb8

  • SSDEEP

    98304:WXzhW148Pd+Tf1mpcOldJQ3/Vxvk22SsaNYfdPBldt6+dBcjHnj5X9F:WFK4s0TfLOdo/rJ7jVX9F

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.174:4782

Mutex

1ddaef8c-bff6-41cf-ab7c-88ced4b0af76

Attributes
  • encryption_key

    D5F1E515D26F03AD6621A5237F6E935EF48F2FD8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yolo.exe
    "C:\Users\Admin\AppData\Local\Temp\yolo.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2660
    • \??\c:\users\admin\appdata\local\temp\yolo.exe 
      c:\users\admin\appdata\local\temp\yolo.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2784
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2636
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2656
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2552
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1352
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2372
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:13 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:908
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:14 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1808
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:15 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2620
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:1164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      2.6MB

      MD5

      3e2a85240aac96bb85e7f00fea79af44

      SHA1

      115ea5a6a80ece7cc2e8cf1c496dc26e88064ee1

      SHA256

      b9bad57ac141034d79a5e27867346108c96c699cabdb18303026e8cc043798d3

      SHA512

      8e948f985e3417fa6710327d23488d7d9309e2e5fd91a97e4c7d8d26fb4b0b62be4670cfa742fb8bcc5a4105529ed5dc0dfdda579d39b1f55ee4dbb4a80cb416

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      2.6MB

      MD5

      5fc67792e22f5258314ff634bfe90657

      SHA1

      6f50438d45a3923f3cf7a7bbc1c73ded443a2aa3

      SHA256

      0080690a22eb34bd46d9e6ae9acdf9edf46e1a2c77fc838b9647bd8fcc20aa84

      SHA512

      a0539c823ed16c96560cec21281bcdb11dc733f541bc97472bf5044a26303fa7d4714e1c75998112fafb94142ba97dcb7e05b4472972513e5786575d12ce7e33

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      2.6MB

      MD5

      600bca49a64ac55307bf992b8d0c2197

      SHA1

      7291a9f37f2562807c9b0ab71cfd35412dad5f7a

      SHA256

      cf00056348f57524af705dcb0ca24ea7767bf499fbf801836aa06252d6897c1d

      SHA512

      b984364944e628bc7bb3d2686d29b2653131325d4974c437699a234dc629eac5fa90773c57753edd6b5717a963fa2ceb131dc15e8e444ff79bd7c4f494e8c8ff

    • \??\c:\users\admin\appdata\local\temp\yolo.exe 

      Filesize

      3.1MB

      MD5

      e3029e333df0359a166560a9fe160b9b

      SHA1

      230e9d6e0fc7545f486af1cb1e4843b3ab75ef54

      SHA256

      490d0fa62c63a60a0ff149623221126351a547933c8a2b3d61cbf9dcdff14dee

      SHA512

      28f0647106a63a61a9f8edb84336512a684c994aedd5f74c028aa4a5b87d0842f720976459cb3ba1e1a8130a41bb363ca65aaee1fca1a3b776433547f2c8f4c7

    • \Windows\Resources\svchost.exe

      Filesize

      2.6MB

      MD5

      5b021eaec5fee81f77dd39ef2bf6def6

      SHA1

      91e4fd6b9d18bf7b91035368d6cedc840db0ea62

      SHA256

      b7fb17324f97932d0fbeda5f61a4b2d64be7d8a4cfc1abf6590d90e00273adb7

      SHA512

      7b5949977c351a16976467030c9dd3bd533968218b4d91a3b9f8ceb2b0326a1f7c6ffb5fa4078624722869a8f6d78468c381b1b94321d7fcf6433647a8f7360c

    • memory/1352-79-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1352-62-0x0000000003190000-0x00000000037A6000-memory.dmp

      Filesize

      6.1MB

    • memory/1352-55-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2372-64-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2372-69-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2552-54-0x0000000003570000-0x0000000003B86000-memory.dmp

      Filesize

      6.1MB

    • memory/2552-43-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2552-71-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2636-74-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2636-30-0x00000000037F0000-0x0000000003E06000-memory.dmp

      Filesize

      6.1MB

    • memory/2636-19-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2656-78-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2656-80-0x0000000003790000-0x0000000003DA6000-memory.dmp

      Filesize

      6.1MB

    • memory/2656-101-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2656-99-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2656-91-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2656-42-0x0000000003790000-0x0000000003DA6000-memory.dmp

      Filesize

      6.1MB

    • memory/2656-31-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2660-75-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2660-0-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2660-18-0x0000000003440000-0x0000000003A56000-memory.dmp

      Filesize

      6.1MB

    • memory/2660-1-0x00000000775D0000-0x00000000775D2000-memory.dmp

      Filesize

      8KB

    • memory/2660-63-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/2784-77-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

      Filesize

      9.9MB

    • memory/2784-76-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

      Filesize

      4KB

    • memory/2784-12-0x0000000000F70000-0x0000000001294000-memory.dmp

      Filesize

      3.1MB

    • memory/2784-13-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

      Filesize

      9.9MB

    • memory/2784-11-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

      Filesize

      4KB