Overview

overview

10

Static

static

10

AutoWizard.exe

windows7-x64

10

AutoWizard.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 19:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    AutoWizard.exe

  • Size

    3.1MB

  • MD5

    10940d658a4c54da91d0c0724d47644e

  • SHA1

    da3d9e51ccc7432746d066337fb459bbf624c92a

  • SHA256

    b7521fbbcc6a7324f8c8849b5e16dfc2a00d1b648e70b47a93a2b97ac4df3738

  • SHA512

    a1ff398937f75c51dd199553cd41889cbf7c0e9b498f1fc6f26ad9ffc13778a189b74c5c7f577a85778215cfa89e85467046e1054b8684aeb9ff58383afdb15c

  • SSDEEP

    49152:OvblL26AaNeWgPhlmVqvMQ7XSKfX8FEFUhk/bBLoGdZpTHHB72eh2NT:OvBL26AaNeWgPhlmVqkQ7XSKP8sRp

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

natural-processor.gl.at.ply.gg:52897

Mutex

db07703d-6eb7-451c-b4c1-daa365c5e21a

Attributes
  • encryption_key

    D6BBAE7A79E9CB135CA60E651F157605EA259426

  • install_name

    AutoWizard.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\AutoWizard.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoWizard.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AutoWizard.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2004
    • C:\Windows\system32\SubDir\AutoWizard.exe
      "C:\Windows\system32\SubDir\AutoWizard.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AutoWizard.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2752

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System32\SubDir\AutoWizard.exe
          Filesize

          3.1MB

          MD5

          10940d658a4c54da91d0c0724d47644e

          SHA1

          da3d9e51ccc7432746d066337fb459bbf624c92a

          SHA256

          b7521fbbcc6a7324f8c8849b5e16dfc2a00d1b648e70b47a93a2b97ac4df3738

          SHA512

          a1ff398937f75c51dd199553cd41889cbf7c0e9b498f1fc6f26ad9ffc13778a189b74c5c7f577a85778215cfa89e85467046e1054b8684aeb9ff58383afdb15c

          Download Submit

        • memory/1424-8-0x0000000000E90000-0x00000000011BC000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/1424-11-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1424-10-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1424-12-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1424-13-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2156-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2156-1-0x0000000001220000-0x000000000154C000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/2156-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2156-9-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

          Filesize

          9.9MB

          Download