Analysis

  • max time kernel
    1800s
  • max time network
    1799s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/08/2024, 21:16

General

  • Target

    Zula Spacex Hack.exe

  • Size

    3.0MB

  • MD5

    9ea8a4ae340433b891d28439c307c3f1

  • SHA1

    f8bb6e9961ccf4c6f0d340a715ec418d777a20b4

  • SHA256

    eb8ac22cb3171099ce9f453185e1c66484a4bddbf612d463365c4bc7c66d73c5

  • SHA512

    7af61339a94a10c9406c99e84df20568e9020e1719e2ab0b903baa1b17f4dbbad61065963ce432a4bec5155347ba606b0e8005e985e842e3b285f68061207c86

  • SSDEEP

    49152:91TOLmD6u8xp/4DU8Kb2N5hFkYQFJPWOcFzU4PjGmfJFwHTcEVBmk1nT9:9tp8xpwMSFkYacVl779FYZ

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

1.4.1

Botnet

Spacex

C2

darkerzm.duckdns.org:443

Mutex

9d0cae87-20bd-4a2e-b07e-e89f7d6ed7d3

Attributes
  • encryption_key

    5C5FC8D86E7AFAAF0B65EA7319B4546128D20904

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zula Spacex Hack.exe
    "C:\Users\Admin\AppData\Local\Temp\Zula Spacex Hack.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5520
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1408
      • C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1196
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SrjMgTjNUfCe.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:6088
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:3168
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:6020
            • C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
              "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2044
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
                6⤵
                • Scheduled Task/Job: Scheduled Task
                PID:6108

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

            Filesize

            1KB

            MD5

            b4e91d2e5f40d5e2586a86cf3bb4df24

            SHA1

            31920b3a41aa4400d4a0230a7622848789b38672

            SHA256

            5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

            SHA512

            968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

          • C:\Users\Admin\AppData\Local\Temp\SrjMgTjNUfCe.bat

            Filesize

            209B

            MD5

            e2eb260e4ed3f7f6e2046fed48abeafc

            SHA1

            790e0bc06901e32f99fa08dd504e6187e63118c8

            SHA256

            3027254df23163f5c180580331050c238204481e563f20e296183302e2470b81

            SHA512

            0c00534a23cf8e8e09782604cd660375bac93344ca3130a126f8d70a7d421bd4b17aa729555f0fd874ea67d251e1a294c1855eee3cc378ae1cf20d18711e12fb

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

            Filesize

            3.1MB

            MD5

            e7e1387343960784b9026fb567f5d0ac

            SHA1

            7dfee24cd6d0d08b730b63bf970e8b91adaf6b6e

            SHA256

            43ce2ef57cefbae98d64239f8d8010c30f8ae65fe74308711bb2480c1558fa2a

            SHA512

            0182c3b97ba28de71b6e2e2b05ce41195623f7705d800e24bed20addee4946c4ef01498a676c8cdcc78a05505bf52e0d732f9eb8cf2c7ae46b528ac9f35e22c5

          • memory/3224-23-0x00007FFA02E93000-0x00007FFA02E95000-memory.dmp

            Filesize

            8KB

          • memory/3224-22-0x00000000007D0000-0x0000000000AF4000-memory.dmp

            Filesize

            3.1MB

          • memory/3976-31-0x000000001CAC0000-0x000000001CB72000-memory.dmp

            Filesize

            712KB

          • memory/3976-30-0x000000001C3B0000-0x000000001C400000-memory.dmp

            Filesize

            320KB

          • memory/5520-4-0x0000000005570000-0x0000000005602000-memory.dmp

            Filesize

            584KB

          • memory/5520-8-0x0000000006ED0000-0x0000000007376000-memory.dmp

            Filesize

            4.6MB

          • memory/5520-7-0x0000000005700000-0x0000000005756000-memory.dmp

            Filesize

            344KB

          • memory/5520-6-0x0000000005420000-0x000000000542A000-memory.dmp

            Filesize

            40KB

          • memory/5520-5-0x0000000074810000-0x0000000074FC1000-memory.dmp

            Filesize

            7.7MB

          • memory/5520-0-0x000000007481E000-0x000000007481F000-memory.dmp

            Filesize

            4KB

          • memory/5520-3-0x0000000005B20000-0x00000000060C6000-memory.dmp

            Filesize

            5.6MB

          • memory/5520-32-0x000000007481E000-0x000000007481F000-memory.dmp

            Filesize

            4KB

          • memory/5520-33-0x0000000074810000-0x0000000074FC1000-memory.dmp

            Filesize

            7.7MB

          • memory/5520-2-0x0000000005430000-0x00000000054CC000-memory.dmp

            Filesize

            624KB

          • memory/5520-1-0x0000000000660000-0x000000000096C000-memory.dmp

            Filesize

            3.0MB