Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2024 20:42

General

  • Target

    36dfd5a4664c2d1e078b1258f718f944d7c2f517e274e2a78217387e809b5245.exe

  • Size

    1.3MB

  • MD5

    30d7dcd4a107420445b82d57586d0653

  • SHA1

    4eb0382ba81011804dfdd4d93d1338cfc151d0db

  • SHA256

    36dfd5a4664c2d1e078b1258f718f944d7c2f517e274e2a78217387e809b5245

  • SHA512

    80e2d01dfe55bf94cafaa8ad1cd42f62741e54b08b36e1c95f517c254a08297eb65f0df9ef8bd3c8e516c5324de263662aed168b20517523cdad255d57d6163b

  • SSDEEP

    24576:J9sQDSz3eoh5SpYkryz8u9FYeWPJOFL64zAtb:JSGjnbPJOQ4zmb

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

RARX

C2

titine555.ddns.net:7276

Mutex

QSR_MUTEX_USHHV6Bt9sa1Tgpylt

Attributes
  • encryption_key

    0J7VRBDdOUAjK9gEtWzF

  • install_name

    Update service.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    service update

  • subdirectory

    microsofte

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36dfd5a4664c2d1e078b1258f718f944d7c2f517e274e2a78217387e809b5245.exe
    "C:\Users\Admin\AppData\Local\Temp\36dfd5a4664c2d1e078b1258f718f944d7c2f517e274e2a78217387e809b5245.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\Temp\3582-490\36dfd5a4664c2d1e078b1258f718f944d7c2f517e274e2a78217387e809b5245.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\36dfd5a4664c2d1e078b1258f718f944d7c2f517e274e2a78217387e809b5245.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "service update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:5084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\Users\Admin\AppData\Local\Temp\3582-490\36dfd5a4664c2d1e078b1258f718f944d7c2f517e274e2a78217387e809b5245.exe

    Filesize

    1.2MB

    MD5

    c18e4c1a82bd7df260de903f99c417db

    SHA1

    719da47b81ccf5975aea4d17bc250ebae828ee26

    SHA256

    adf3f7b7afca219c9200a147c06f5a5466a0a4d4252c77c5cf781f9f1186e365

    SHA512

    c4a06b3061655ed4ca815aa65996b71dd5796a41f961764b353a787d503764f33294255ccdda4ab047aee5dbba2d4e1e7f8fa4ed8a26675e757c51e5b530d1d0

  • memory/468-110-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/468-108-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/468-107-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/468-105-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3328-17-0x0000000005F20000-0x00000000064C4000-memory.dmp

    Filesize

    5.6MB

  • memory/3328-111-0x0000000006D90000-0x0000000006DAA000-memory.dmp

    Filesize

    104KB

  • memory/3328-19-0x00000000059B0000-0x00000000059BA000-memory.dmp

    Filesize

    40KB

  • memory/3328-16-0x0000000073500000-0x0000000073CB0000-memory.dmp

    Filesize

    7.7MB

  • memory/3328-103-0x0000000073500000-0x0000000073CB0000-memory.dmp

    Filesize

    7.7MB

  • memory/3328-104-0x000000007350E000-0x000000007350F000-memory.dmp

    Filesize

    4KB

  • memory/3328-15-0x00000000057C0000-0x000000000585E000-memory.dmp

    Filesize

    632KB

  • memory/3328-106-0x0000000073500000-0x0000000073CB0000-memory.dmp

    Filesize

    7.7MB

  • memory/3328-14-0x00000000056B0000-0x000000000574C000-memory.dmp

    Filesize

    624KB

  • memory/3328-13-0x0000000000A90000-0x0000000000BD6000-memory.dmp

    Filesize

    1.3MB

  • memory/3328-12-0x000000007350E000-0x000000007350F000-memory.dmp

    Filesize

    4KB

  • memory/3328-18-0x0000000005A10000-0x0000000005AA2000-memory.dmp

    Filesize

    584KB

  • memory/3328-112-0x0000000006DF0000-0x0000000006DF6000-memory.dmp

    Filesize

    24KB

  • memory/3328-115-0x0000000073500000-0x0000000073CB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4000-113-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/4000-116-0x0000000073500000-0x0000000073CB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4000-117-0x0000000073500000-0x0000000073CB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4000-118-0x0000000005740000-0x00000000057A6000-memory.dmp

    Filesize

    408KB

  • memory/4000-119-0x0000000006460000-0x0000000006472000-memory.dmp

    Filesize

    72KB

  • memory/4000-120-0x00000000068A0000-0x00000000068DC000-memory.dmp

    Filesize

    240KB

  • memory/4000-121-0x0000000073500000-0x0000000073CB0000-memory.dmp

    Filesize

    7.7MB