Overview

overview

10

Static

static

3

4dd83334fe...77.exe

windows7-x64

10

4dd83334fe...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4dd83334fef3b9d7e5067482cec38477.exe

  • Size

    1.2MB

  • MD5

    4dd83334fef3b9d7e5067482cec38477

  • SHA1

    ccc0dbee8923d7232471c654451bffa36adffbad

  • SHA256

    ee77b42fb254cef1f950668b0be51d87239d5134f0f92819fd8da1093fc8ced5

  • SHA512

    84c15c60e87346208c7964db16a80f36f4f6981c5ebedcef072aaa0090c087c0d879841eeabf516a9432be48d6ddb35ee0f9739baa4085d0a60cc118fd6e6aec

  • SSDEEP

    24576:Currek0x+kDlM+BCUlNGfnUvlZTF6DU+acRIwc8CNdlltK:CurSk0xx+opMGlZTT+XxEtK

Score
10/10
quasarnewzzzexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

newzzz

C2

193.124.205.71:5228

Mutex

a4f616c8-d1cd-4f76-ba66-226e115aa50e

Attributes
  • encryption_key

    133BC02FFBBFFB2A15EC33D664C8D9C62CB17983

  • install_name

    Client.exe

  • log_directory

    Cast

  • reconnect_delay

    3000

  • startup_key

    SubDir

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dd83334fef3b9d7e5067482cec38477.exe
    "C:\Users\Admin\AppData\Local\Temp\4dd83334fef3b9d7e5067482cec38477.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\4dd83334fef3b9d7e5067482cec38477')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    cc2ce575753731574bf10ff6e5162032

    SHA1

    b660e5156f97af770e5d359fdd2a6ea697f359fb

    SHA256

    c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa

    SHA512

    715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i12bmlo0.mwf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2520-18-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2520-2-0x000001E4D1850000-0x000001E4D1872000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2520-13-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2520-14-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2520-17-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2520-12-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4132-1-0x00000000009E0000-0x0000000000B12000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4132-0-0x00007FFEC1A63000-0x00007FFEC1A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4132-32-0x000000001C130000-0x000000001C454000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4132-33-0x000000001C550000-0x000000001C5A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4132-34-0x000000001CD60000-0x000000001CE12000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4132-37-0x00007FFEC1A63000-0x00007FFEC1A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4132-38-0x000000001C5F0000-0x000000001C602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4132-39-0x000000001CCE0000-0x000000001CD1C000-memory.dmp

    Filesize

    240KB

    Download