Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2024 18:16

General

  • Target

    c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe

  • Size

    1.0MB

  • MD5

    7ccf1fdf90d92e8a7ebca6f935207440

  • SHA1

    301ed5b0bd32f06a32855f659c9a44f0d1766d0a

  • SHA256

    c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadc

  • SHA512

    a7957cb6fb3e418f0eda322433dcc8518fde5a66a4da2fe7cf53d96f710169bf1e55ad698f1ccf0124b39c4d3107d3e52672e6eeb279c03e4d613fe0557cb5a1

  • SSDEEP

    24576:7P3JAsyS48MGN075+RFfdX0SOvYZKjVNhFpV1SLzknZ7cPR:7P3CFS4w075+DdVezFpVcon1cP

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HTROY

C2

87.120.116.115:61510

onadeatcamsides.sytes.net:61511

Mutex

QSR_MUTEX_ZAU4jFZ758CCGtDmef

Attributes
  • encryption_key

    rK1SiSuzs11zCQEpJeMg

  • install_name

    Updates.exe

  • log_directory

    Logs

  • reconnect_delay

    30000

  • startup_key

    NewUpdates

  • subdirectory

    Mindow

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
    "C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
      C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2416
      • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
          C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3060
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2504
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\pdKQSk9LRdT4.bat" "
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1984
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1240
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1532
            • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:872
              • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                7⤵
                • Executes dropped EXE
                PID:2188
              • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                7⤵
                • Executes dropped EXE
                PID:1332
              • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                7⤵
                • Executes dropped EXE
                PID:2376
        • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
          C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1256
        • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
          C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2668
    • C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
      C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:548
    • C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
      C:\Users\Admin\AppData\Local\Temp\c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pdKQSk9LRdT4.bat

    Filesize

    208B

    MD5

    b9658453b3869d9bd23953bfc1e5104d

    SHA1

    2124c46f6d20581767288605849a59327cce3e57

    SHA256

    ce9b2e774a7d363edcb026f311bd490dbcc4818c5dd56d0e284299b0d720c9cf

    SHA512

    c4a0b9a25da5161152b84ad64db137c0d5e8b87d39fdac8b073c30845fca23b0c6f4e0fff1f39ebc6e31a361f9616453624810e59919e04e47a1bb8feae9eef7

  • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe

    Filesize

    1.0MB

    MD5

    7ccf1fdf90d92e8a7ebca6f935207440

    SHA1

    301ed5b0bd32f06a32855f659c9a44f0d1766d0a

    SHA256

    c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadc

    SHA512

    a7957cb6fb3e418f0eda322433dcc8518fde5a66a4da2fe7cf53d96f710169bf1e55ad698f1ccf0124b39c4d3107d3e52672e6eeb279c03e4d613fe0557cb5a1

  • memory/672-31-0x00000000009E0000-0x0000000000AF0000-memory.dmp

    Filesize

    1.1MB

  • memory/872-59-0x0000000000300000-0x0000000000410000-memory.dmp

    Filesize

    1.1MB

  • memory/1740-22-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

  • memory/1740-24-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

  • memory/2032-4-0x000000000D7D0000-0x000000000D8F2000-memory.dmp

    Filesize

    1.1MB

  • memory/2032-23-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

  • memory/2032-5-0x00000000003E0000-0x00000000003E6000-memory.dmp

    Filesize

    24KB

  • memory/2032-0-0x000000007469E000-0x000000007469F000-memory.dmp

    Filesize

    4KB

  • memory/2032-3-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

  • memory/2032-2-0x00000000002F0000-0x00000000002F6000-memory.dmp

    Filesize

    24KB

  • memory/2032-1-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

    Filesize

    1.1MB

  • memory/2768-8-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2768-6-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2768-21-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

  • memory/2768-10-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2768-32-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB