Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 21:57

General

  • Target

    Client-built.exe

  • Size

    3.3MB

  • MD5

    280cdb0f182b4fca9cd0fd87ab0f9551

  • SHA1

    b7631a3d0bc305c70f1a0711ca0d3b03d82252ec

  • SHA256

    88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896

  • SHA512

    d35ec454f18987a700506e1585cfd313906a3e2ab868040b38bba3682ab61b78dc4eec224c23fb8309a8cbd6ae664299940ec8d00afbc0ffaf1a248230c1c8cd

  • SSDEEP

    49152:56LFXL5Z8hlPKxXavRZbki7yEI2hBqTHHB72eh2NT1:56p5Z8hlPKxXavRZIi7vj

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SKIDS

C2

147.185.221.22:6712

Mutex

1051d457-43fe-4be3-87a0-52f2e36a87aa

Attributes
  • encryption_key

    F387A0FF28E4F7F4D7B4E353EB2E71F75D3FB5C0

  • install_name

    Windows Host Process.exe

  • log_directory

    Windows-Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Host Process

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2700
    • C:\Windows\system32\Windows\Windows Host Process.exe
      "C:\Windows\system32\Windows\Windows Host Process.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\Windows\Windows Host Process.exe

    Filesize

    3.3MB

    MD5

    280cdb0f182b4fca9cd0fd87ab0f9551

    SHA1

    b7631a3d0bc305c70f1a0711ca0d3b03d82252ec

    SHA256

    88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896

    SHA512

    d35ec454f18987a700506e1585cfd313906a3e2ab868040b38bba3682ab61b78dc4eec224c23fb8309a8cbd6ae664299940ec8d00afbc0ffaf1a248230c1c8cd

  • memory/2816-9-0x0000000001310000-0x0000000001666000-memory.dmp

    Filesize

    3.3MB

  • memory/2816-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

  • memory/2816-11-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

  • memory/2816-12-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

  • memory/3000-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

    Filesize

    4KB

  • memory/3000-1-0x0000000000DB0000-0x0000000001106000-memory.dmp

    Filesize

    3.3MB

  • memory/3000-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

  • memory/3000-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB