Analysis

  • max time kernel: 65s
  • max time network: 69s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-08-2024 21:24

General

  • Target

    https://gofile.io/d/uKWr1e

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: Office04
  • C2: 192.168.1.81:4782
  • Mutex: 0a59af96-9d42-44d5-b396-2e1eed2f0ccd

Attributes

  • encryption_key: D74FD39F07C448A62144F09979721B1B6749C76E
  • install_name: amdlogum.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Update.exe
  • subdirectory: Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Drops file in System32 directory (5 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/uKWr1e
    PID: 3448
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3748,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:1
    PID: 3468
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3992,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:1
    PID: 2200
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5352,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:8
    PID: 2228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5368,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8
    PID: 1960
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5804,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
    PID: 3900
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5240,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:8
    PID: 4440
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5992,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:1
    PID: 4448
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6204,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:8
    PID: 456
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5856,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:1
    PID: 3160
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6744,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:8
    PID: 2880
  • C:\Users\Admin\Downloads\Client-built.exe
    "C:\Users\Admin\Downloads\Client-built.exe"
    PID: 1884
    Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\Windows\amdlogum.exe" /rl HIGHEST /f
        PID: 3268
        Signatures: Scheduled Task/Job: Scheduled Task
      • C:\Windows\system32\Windows\amdlogum.exe
        "C:\Windows\system32\Windows\amdlogum.exe"
        PID: 1320
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\Windows\amdlogum.exe" /rl HIGHEST /f
            PID: 428
            Signatures: Scheduled Task/Job: Scheduled Task
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4440
  • C:\Users\Admin\Downloads\Client-built.exe
    "C:\Users\Admin\Downloads\Client-built.exe"
    PID: 2628
    Signatures: Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5528,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
    PID: 4204
  • C:\Users\Admin\Downloads\Client-built.exe
    "C:\Users\Admin\Downloads\Client-built.exe"
    PID: 4076
    Signatures: Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
    Filesize: 1KB
    MD5: baf55b95da4a601229647f25dad12878
    SHA1: abc16954ebfd213733c4493fc1910164d825cac8
    SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
    SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

  • C:\Windows\System32\Windows\amdlogum.exe
    Filesize: 3.1MB
    MD5: 83cac7369d8be73c15a2b91151607c89
    SHA1: 50393e07c333f9b9dc5881fddfdd07f546d7a185
    SHA256: f786bbceb1e6b3c876a691ad37fe4a9b9d064bf5043109df7a3dc1e92b56535f
    SHA512: 8f267383b89be36c718f91a26c0d3a0522de0e0abc0be82794a90e6d278e22cf19978ccf2159af8f4283317c222386717fa10f454cbd421929ad7eefaa97beb4

  • memory/1320-10-0x00007FFDE8990000-0x00007FFDE9451000-memory.dmp
    Filesize: 10.8MB

  • memory/1320-11-0x00007FFDE8990000-0x00007FFDE9451000-memory.dmp
    Filesize: 10.8MB

  • memory/1320-12-0x000000001BBB0000-0x000000001BC00000-memory.dmp
    Filesize: 320KB

  • memory/1320-13-0x000000001BCC0000-0x000000001BD72000-memory.dmp
    Filesize: 712KB

  • memory/1320-15-0x00007FFDE8990000-0x00007FFDE9451000-memory.dmp
    Filesize: 10.8MB

  • memory/1884-0-0x00007FFDE8993000-0x00007FFDE8995000-memory.dmp
    Filesize: 8KB

  • memory/1884-1-0x00000000003D0000-0x00000000006F4000-memory.dmp
    Filesize: 3.1MB

  • memory/1884-2-0x00007FFDE8990000-0x00007FFDE9451000-memory.dmp
    Filesize: 10.8MB

  • memory/1884-9-0x00007FFDE8990000-0x00007FFDE9451000-memory.dmp
    Filesize: 10.8MB