Overview

overview

10

Static

static

3

ee77b42fb2...d5.exe

windows7-x64

10

ee77b42fb2...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee77b42fb254cef1f950668b0be51d87239d5134f0f92819fd8da1093fc8ced5.exe

  • Size

    1.2MB

  • MD5

    4dd83334fef3b9d7e5067482cec38477

  • SHA1

    ccc0dbee8923d7232471c654451bffa36adffbad

  • SHA256

    ee77b42fb254cef1f950668b0be51d87239d5134f0f92819fd8da1093fc8ced5

  • SHA512

    84c15c60e87346208c7964db16a80f36f4f6981c5ebedcef072aaa0090c087c0d879841eeabf516a9432be48d6ddb35ee0f9739baa4085d0a60cc118fd6e6aec

  • SSDEEP

    24576:Currek0x+kDlM+BCUlNGfnUvlZTF6DU+acRIwc8CNdlltK:CurSk0xx+opMGlZTT+XxEtK

Score
10/10
quasarnewzzzexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

newzzz

C2

193.124.205.71:5228

Mutex

a4f616c8-d1cd-4f76-ba66-226e115aa50e

Attributes
  • encryption_key

    133BC02FFBBFFB2A15EC33D664C8D9C62CB17983

  • install_name

    Client.exe

  • log_directory

    Cast

  • reconnect_delay

    3000

  • startup_key

    SubDir

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee77b42fb254cef1f950668b0be51d87239d5134f0f92819fd8da1093fc8ced5.exe
    "C:\Users\Admin\AppData\Local\Temp\ee77b42fb254cef1f950668b0be51d87239d5134f0f92819fd8da1093fc8ced5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\ee77b42fb254cef1f950668b0be51d87239d5134f0f92819fd8da1093fc8ced5')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    cc2ce575753731574bf10ff6e5162032

    SHA1

    b660e5156f97af770e5d359fdd2a6ea697f359fb

    SHA256

    c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa

    SHA512

    715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d24sdmx0.l1f.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/340-18-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/340-11-0x0000029E48AC0000-0x0000029E48AE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/340-13-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/340-14-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/340-15-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/340-12-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/744-1-0x00000000005F0000-0x0000000000722000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/744-0-0x00007FF9158F3000-0x00007FF9158F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/744-32-0x000000001BC40000-0x000000001BF64000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/744-33-0x000000001C050000-0x000000001C0A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/744-34-0x000000001DE00000-0x000000001DEB2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/744-37-0x000000001DD80000-0x000000001DD92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/744-38-0x000000001E900000-0x000000001E93C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/744-39-0x00007FF9158F3000-0x00007FF9158F5000-memory.dmp

    Filesize

    8KB

    Download