Overview

overview

10

Static

static

3

4dd83334fe...77.exe

windows7-x64

10

4dd83334fe...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4dd83334fef3b9d7e5067482cec38477.exe

  • Size

    1.2MB

  • MD5

    4dd83334fef3b9d7e5067482cec38477

  • SHA1

    ccc0dbee8923d7232471c654451bffa36adffbad

  • SHA256

    ee77b42fb254cef1f950668b0be51d87239d5134f0f92819fd8da1093fc8ced5

  • SHA512

    84c15c60e87346208c7964db16a80f36f4f6981c5ebedcef072aaa0090c087c0d879841eeabf516a9432be48d6ddb35ee0f9739baa4085d0a60cc118fd6e6aec

  • SSDEEP

    24576:Currek0x+kDlM+BCUlNGfnUvlZTF6DU+acRIwc8CNdlltK:CurSk0xx+opMGlZTT+XxEtK

Score
10/10
quasarnewzzzexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

newzzz

C2

193.124.205.71:5228

Mutex

a4f616c8-d1cd-4f76-ba66-226e115aa50e

Attributes
  • encryption_key

    133BC02FFBBFFB2A15EC33D664C8D9C62CB17983

  • install_name

    Client.exe

  • log_directory

    Cast

  • reconnect_delay

    3000

  • startup_key

    SubDir

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dd83334fef3b9d7e5067482cec38477.exe
    "C:\Users\Admin\AppData\Local\Temp\4dd83334fef3b9d7e5067482cec38477.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\4dd83334fef3b9d7e5067482cec38477')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    72f884c40eef3b76a341f81c75196536

    SHA1

    966f4ce72bedc1e2c26afa359e0a5b81ec043fd0

    SHA256

    a476eac66d8a622376e9b52e46bb0567b429267f7fe43418e2a15c9e2b0f31b4

    SHA512

    bd04bdf36715da1f4668d6059aa2f517217a34e8e5a6bfb166e530fd9015438e410dcea270bdf38639a64349c81b7bc292975a727649412a5badfaed5aef461e

    Download Submit

  • memory/1764-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1764-1-0x0000000001010000-0x0000000001142000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1764-17-0x000000001B910000-0x000000001BC34000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1764-18-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-6-0x0000000002490000-0x0000000002510000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2268-7-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2268-8-0x0000000002460000-0x0000000002468000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2816-14-0x000000001B260000-0x000000001B542000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2816-15-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

    Filesize

    32KB

    Download