Analysis

  • max time kernel
    44s
  • max time network
    38s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    06/11/2024, 21:35

General

  • Target

    Lo último.exe

  • Size

    3.1MB

  • MD5

    afb2e5dad453db7cf42339f806f37532

  • SHA1

    90fa9e8b4ed9d086d67b9f86dc57151db1637ca9

  • SHA256

    a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e

  • SHA512

    72c3474f11a90bd904957030d019611c460dfa66524e0113b40b18a4ae0f3d81d56ae125fa2f247b266e71a11fcaad5884987036563e9464dc2e973877f79f3f

  • SSDEEP

    49152:Hv+lL26AaNeWgPhlmVqvMQ7XSKwkamEoXdl3THHB72eh2NT:HvuL26AaNeWgPhlmVqkQ7XSK9af8

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Ingrid78-20703.portmap.host:20703

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTPs, 4 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 5 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lo último.exe
    "C:\Users\Admin\AppData\Local\Temp\Lo último.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1016
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:548
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YJExfG6f4gXG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:524
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4512
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1216
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2760
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t7Fp78q35z88.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3776
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                PID:5068
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3904
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2524
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1040
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKhJVLehewLJ.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3404
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                      PID:1264
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1960
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3552
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4736
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P2pzTeIsTYKs.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4336
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                            PID:4052
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4408
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4092

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

    Filesize

    2KB

    MD5

    7787ce173dfface746f5a9cf5477883d

    SHA1

    4587d870e914785b3a8fb017fec0c0f1c7ec0004

    SHA256

    c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

    SHA512

    3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

  • C:\Users\Admin\AppData\Local\Temp\CKhJVLehewLJ.bat

    Filesize

    207B

    MD5

    bfe2a5c1443f1bbf947b3c203b42e6d7

    SHA1

    87b27340259d99391c4fbd13f486bec09dd4cd77

    SHA256

    0124efac7bfce48866203fed000c180414c9a015ba68cc307c0c6c1f812e5312

    SHA512

    780f7cb3512d37f7f778e8f189aebe46cfdd105b3b7a03e2be03abbaf11c337c8fd906a9d63356aa859b9857d9787b2ac17546c5202fbaa317d0a4225e47a322

  • C:\Users\Admin\AppData\Local\Temp\P2pzTeIsTYKs.bat

    Filesize

    207B

    MD5

    f2581ab8130eda36ee56577b2290f397

    SHA1

    5923e7227cd857afc0c328590fb07ef129c7b328

    SHA256

    411bbbb3e8d191783e9f8457c0fd78d33b4e40aa727043daba905dc859b371aa

    SHA512

    f5b149058c7c14b058ab71b13c3994af6a7f53d2f920ead8f7aa08350181094daf82f19726677c159e273164fd536f9591e5a8ccd6644061d674715ec8309ba0

  • C:\Users\Admin\AppData\Local\Temp\YJExfG6f4gXG.bat

    Filesize

    207B

    MD5

    0540e3e82bb82e6a290e788b04509ccf

    SHA1

    2d07c4501b0fcebc7ab75cd6e104ac92490023dd

    SHA256

    192f2b44c4af4cc0f46622c658023bddcc15041a2514c69516ed0d7d95984f3b

    SHA512

    5b853af3e8a283c54e29d18fb3737e1a125932c71d5a53183d439b3321ac1f00105ae75159281e6e3b1bf8bafc6bd4816168cfa9ef0a66325d9fc8d481644a14

  • C:\Users\Admin\AppData\Local\Temp\t7Fp78q35z88.bat

    Filesize

    207B

    MD5

    680c250ce1ea8344c3881b60119cda5d

    SHA1

    8421be0d900bd24cf2046f9d066a3a750daa1cfe

    SHA256

    3ba8f9da202131e3669e9810d48bf779313e6fd8e1d5956877190864184577e0

    SHA512

    c3dbbc943490dc58755be766dde1544dba87b7eb227df2978430818c6e3806bc9756ec51f6299a73af435caee248daf4cab9db8de2710fec4cbbde5ead0dddc8

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    afb2e5dad453db7cf42339f806f37532

    SHA1

    90fa9e8b4ed9d086d67b9f86dc57151db1637ca9

    SHA256

    a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e

    SHA512

    72c3474f11a90bd904957030d019611c460dfa66524e0113b40b18a4ae0f3d81d56ae125fa2f247b266e71a11fcaad5884987036563e9464dc2e973877f79f3f

  • memory/2560-5-0x00007FFAE0C60000-0x00007FFAE1722000-memory.dmp

    Filesize

    10.8MB

  • memory/2560-0-0x00007FFAE0C63000-0x00007FFAE0C65000-memory.dmp

    Filesize

    8KB

  • memory/2560-2-0x00007FFAE0C60000-0x00007FFAE1722000-memory.dmp

    Filesize

    10.8MB

  • memory/2560-1-0x00000000005B0000-0x00000000008D4000-memory.dmp

    Filesize

    3.1MB

  • memory/3068-7-0x00007FFAE0C60000-0x00007FFAE1722000-memory.dmp

    Filesize

    10.8MB

  • memory/3068-8-0x000000001C3E0000-0x000000001C430000-memory.dmp

    Filesize

    320KB

  • memory/3068-9-0x000000001C4F0000-0x000000001C5A2000-memory.dmp

    Filesize

    712KB

  • memory/3068-6-0x00007FFAE0C60000-0x00007FFAE1722000-memory.dmp

    Filesize

    10.8MB

  • memory/3068-17-0x00007FFAE0C60000-0x00007FFAE1722000-memory.dmp

    Filesize

    10.8MB