Analysis Overview
SHA256
ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70
Threat Level: Known bad
The file ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Drops startup file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-30 22:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-30 22:43
Reported
2024-09-30 22:45
Platform
win7-20240903-en
Max time kernel
115s
Max time network
117s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 1.tcp.sa.ngrok.io | N/A | N/A |
| N/A | 1.tcp.sa.ngrok.io | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1944 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe |
| PID 1944 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe |
| PID 1944 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe |
| PID 1944 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe
"C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe"
C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe
"C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | firebasestorage.googleapis.com | udp |
| GB | 172.217.169.42:443 | firebasestorage.googleapis.com | tcp |
| US | 8.8.8.8:53 | 1.tcp.sa.ngrok.io | udp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| US | 8.8.8.8:53 | 1.tcp.sa.ngrok.io | udp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.229.248.167:20545 | 1.tcp.sa.ngrok.io | tcp |
Files
memory/1944-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp
memory/1944-1-0x0000000000C30000-0x0000000000C38000-memory.dmp
memory/1944-4-0x0000000074C60000-0x000000007534E000-memory.dmp
\Users\Admin\AppData\Local\Temp\downloaded_exe.exe
| MD5 | 95987c727f465f760652339082f0e4d1 |
| SHA1 | fa3ac56456f4a243a22b780e0f5acbaeda553f33 |
| SHA256 | bd37ec6eb02875146d2ec01acbf5c0a58992eda86391489df1dce6485351ef88 |
| SHA512 | 752b1e7cf1daf5a4a68cb80a517126f1aa6b1f91ce0409ba197bba45b3f4c483f6b22e16749d2df78b42c92e25b9b85d47f79cd359397d30f6f33b690eb593a9 |
memory/2696-11-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp
memory/2696-12-0x0000000000A00000-0x0000000000D24000-memory.dmp
memory/2696-13-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
memory/1944-14-0x0000000074C6E000-0x0000000074C6F000-memory.dmp
memory/1944-15-0x0000000074C60000-0x000000007534E000-memory.dmp
memory/2696-16-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp
memory/2696-17-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-30 22:43
Reported
2024-09-30 22:45
Platform
win10v2004-20240802-en
Max time kernel
116s
Max time network
120s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 1.tcp.sa.ngrok.io | N/A | N/A |
| N/A | 1.tcp.sa.ngrok.io | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe |
| PID 2128 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe
"C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe"
C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe
"C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firebasestorage.googleapis.com | udp |
| GB | 142.250.200.42:443 | firebasestorage.googleapis.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.tcp.sa.ngrok.io | udp |
| BR | 18.228.115.60:20545 | 1.tcp.sa.ngrok.io | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| BR | 18.228.115.60:20545 | 1.tcp.sa.ngrok.io | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| BR | 18.228.115.60:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.228.115.60:20545 | 1.tcp.sa.ngrok.io | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BR | 18.228.115.60:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.228.115.60:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.228.115.60:20545 | 1.tcp.sa.ngrok.io | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.tcp.sa.ngrok.io | udp |
| BR | 18.231.93.153:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.231.93.153:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.231.93.153:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.231.93.153:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.231.93.153:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.231.93.153:20545 | 1.tcp.sa.ngrok.io | tcp |
| BR | 18.231.93.153:20545 | 1.tcp.sa.ngrok.io | tcp |
Files
memory/2128-0-0x000000007491E000-0x000000007491F000-memory.dmp
memory/2128-1-0x0000000000B20000-0x0000000000B28000-memory.dmp
memory/2128-4-0x0000000074910000-0x00000000750C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe
| MD5 | 95987c727f465f760652339082f0e4d1 |
| SHA1 | fa3ac56456f4a243a22b780e0f5acbaeda553f33 |
| SHA256 | bd37ec6eb02875146d2ec01acbf5c0a58992eda86391489df1dce6485351ef88 |
| SHA512 | 752b1e7cf1daf5a4a68cb80a517126f1aa6b1f91ce0409ba197bba45b3f4c483f6b22e16749d2df78b42c92e25b9b85d47f79cd359397d30f6f33b690eb593a9 |
memory/2692-16-0x00007FFD03D63000-0x00007FFD03D65000-memory.dmp
memory/2692-17-0x0000000000AA0000-0x0000000000DC4000-memory.dmp
memory/2692-18-0x00007FFD03D60000-0x00007FFD04821000-memory.dmp
memory/2692-19-0x000000001D5C0000-0x000000001D610000-memory.dmp
memory/2692-20-0x000000001D6D0000-0x000000001D782000-memory.dmp
memory/2128-21-0x000000007491E000-0x000000007491F000-memory.dmp
memory/2128-22-0x0000000074910000-0x00000000750C0000-memory.dmp
memory/2692-23-0x00007FFD03D63000-0x00007FFD03D65000-memory.dmp
memory/2692-24-0x00007FFD03D60000-0x00007FFD04821000-memory.dmp