Analysis Overview
SHA256
771db719454b5ec22b4dbcf48b70cc50d204af748464a25bfdb448c6349362b6
Threat Level: Known bad
The file 952-58-0x00000000002A0000-0x000000000085E000-memory.dmp was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Executes dropped EXE
Themida packer
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 14:19
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 14:19
Reported
2024-10-27 14:19
Platform
win7-20240903-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 14:19
Reported
2024-10-27 14:22
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2428 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2428 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe |
| PID 2428 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe |
| PID 2128 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2128 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows-updater00" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe
"C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows-updater00" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| CA | 198.245.116.112:4782 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| CA | 198.245.116.112:4782 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| CA | 198.245.116.112:4782 | | tcp |
| CA | 198.245.116.112:4782 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| CA | 198.245.116.112:4782 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| CA | 198.245.116.112:4782 | | tcp |
| CA | 198.245.116.112:4782 | | tcp |
Files
memory/2428-0-0x00007FFB521E3000-0x00007FFB521E5000-memory.dmp
memory/2428-1-0x0000000000880000-0x0000000000E3E000-memory.dmp
memory/2428-2-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe
| MD5 | 67185f8ccc2121a0f036db08e761a388 |
| SHA1 | 43ff5a9d7123902a0106dc1c380529320c5c5048 |
| SHA256 | 771db719454b5ec22b4dbcf48b70cc50d204af748464a25bfdb448c6349362b6 |
| SHA512 | 74bc7ec5cd0ae40b7db6cdb527b70fad00256829993d43fa721bed3023d235062f21179d032f304f5b4d3a68b5ad6cbd972cbe2099f6149be6cf8bfbe6cbf14b |
memory/2128-8-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp
memory/2428-9-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp
memory/2128-10-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp
memory/2128-11-0x000000001C720000-0x000000001C770000-memory.dmp
memory/2128-12-0x000000001CA30000-0x000000001CAE2000-memory.dmp
memory/2128-13-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp