Analysis

  • max time kernel
    69s
  • max time network
    65s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64
    arch:x86
    image:win10ltsc2021-20241023-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    06-11-2024 07:01

General

  • Target

    kreo q zi.7z

  • Size

    922KB

  • MD5

    ec516db688f94e98d5141f4bade557e9

  • SHA1

    198ffbae5eed415ac673f5e371774759f1a53de1

  • SHA256

    282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

  • SHA512

    ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985

  • SSDEEP

    24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2396
  • C:\Users\Admin\Desktop\kreo q zi.exe
    "C:\Users\Admin\Desktop\kreo q zi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4996
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1272
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEnjNUjgGWOd.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2972
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4548
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4528
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4v4corS3ZZ0V.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4068
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3380
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:644
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2872
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1284
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7tPANshK7DHi.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1304
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                          PID:2580
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4520
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4568
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1924
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w5PGS5nk1Ugc.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3556
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                                  PID:3372
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1660
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:984
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4828
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hk6Ko4y8l1Bg.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4448
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                          PID:1436
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1032
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:660
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2972
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxK56ht0FpbH.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2200
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                                  PID:900
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:4008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

    Filesize

    2KB

    MD5

    7787ce173dfface746f5a9cf5477883d

    SHA1

    4587d870e914785b3a8fb017fec0c0f1c7ec0004

    SHA256

    c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

    SHA512

    3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

  • C:\Users\Admin\AppData\Local\Temp\4v4corS3ZZ0V.bat

    Filesize

    207B

    MD5

    f75eed355febcc6978b9ad5f8f124532

    SHA1

    66ba9f3017b7defbac19e17cfdcd8783c9987e57

    SHA256

    7384b070ab6bbfa309b86eb15c21da60eaf25ac896dca54d883e7bd28061bc1f

    SHA512

    e38893e9d75a6b4d3b9cde7b5779432d66a3e60e275b92529986a3401722f0da06e7443804550e86f9559bda5b283df453176cf53fced0cefcb919875e7e4530

  • C:\Users\Admin\AppData\Local\Temp\7tPANshK7DHi.bat

    Filesize

    207B

    MD5

    64eb49823736a5deefd4d00872895d03

    SHA1

    6493039c061d0b5a0d0a132d6981798c33753a87

    SHA256

    7cc7b837da3d8ebf2079d01e802cccc64623b9794e40f0750c6c44ab52c8dfe5

    SHA512

    af1dac06dd7b2c740bb68251723052bd1f3e8613e32fb55c3f3c0697cd0d4a15f1544c768dc3c93dac0e1cf3183a92a0d01b609e0d8478b6b8ad727523fa1f47

  • C:\Users\Admin\AppData\Local\Temp\eEnjNUjgGWOd.bat

    Filesize

    207B

    MD5

    66b0654eb66d236396754fb82ea8b850

    SHA1

    6015965f6b2ab0bace187645d3085d0d88a5bea5

    SHA256

    a1a1afbdb8f2ae040b5a9f6af57dab1de3d2ce9ffaf46ad921bb2ea2beabd485

    SHA512

    60e65f73bf48f94e39b32c5070567a9b495d46f70cf06feb1cd68ee59aad4dd2e8b895263aa97f237ca85713c3efce010fbdba37ee913f198b15c87e8208eff1

  • C:\Users\Admin\AppData\Local\Temp\hk6Ko4y8l1Bg.bat

    Filesize

    207B

    MD5

    c7934ed10c79075422897faaad26d004

    SHA1

    27d989ed971c6a0309697cf717fe9f3ca3d9f3b0

    SHA256

    9699f9e2c20d0efcb36e7f9e09504a677989ec457d9a70582f782dac9b36b1af

    SHA512

    1e34aace52fa024c56d08f87000eaaaf22b67237ef9af7380c402257f56d144fd1dd5dad4710042cda5d321a1295520d3ef8c679a30ae740cc8fd049b5e6af90

  • C:\Users\Admin\AppData\Local\Temp\lxK56ht0FpbH.bat

    Filesize

    207B

    MD5

    8142b16e4f8d97c6fbcd3a2299f9f838

    SHA1

    07dee0d73f4573a51b004a96ebd702a3a5f2b7e1

    SHA256

    ed295650ed0d0f9e1263484de84ea8741011f558632c9452084fea5ba309ddf2

    SHA512

    1762c0bc746910f9b4137edf6004808e33713e277adf5be228cfb70a3e5528ef7654c68ed6ad64f600c1c85c1b8943f61c31c733dc445081152da821f9230e3d

  • C:\Users\Admin\AppData\Local\Temp\w5PGS5nk1Ugc.bat

    Filesize

    207B

    MD5

    3f5f4caf4d3fe45704c6d3eb7314d7e3

    SHA1

    1801013de6050d1e6dcbedddfb1c7adb5f32e947

    SHA256

    35100b4ba4e4b40f886eb2168e1100c9deadcfe68936b9ceee636e9e4a767fc6

    SHA512

    047d07e2e8dbc78fb561421a01fc6af9e11c3f08599a68fe86392a93f29f61a61543ec4f17562eb2f64d1c2833e69123909af4ffc52fbd8bfe164b008b98c55e

  • C:\Users\Admin\Desktop\kreo q zi.exe

    Filesize

    3.1MB

    MD5

    28ac02fc40c8f1c2a8989ee3c09a1372

    SHA1

    b182758b62a1482142c0fce4be78c786e08b7025

    SHA256

    0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

    SHA512

    2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

  • memory/768-11-0x000000001CCD0000-0x000000001CD82000-memory.dmp

    Filesize

    712KB

  • memory/768-10-0x0000000002F20000-0x0000000002F70000-memory.dmp

    Filesize

    320KB

  • memory/2416-9-0x00007FFF47800000-0x00007FFF482C2000-memory.dmp

    Filesize

    10.8MB

  • memory/2416-6-0x00007FFF47800000-0x00007FFF482C2000-memory.dmp

    Filesize

    10.8MB

  • memory/2416-5-0x0000000000F90000-0x00000000012B4000-memory.dmp

    Filesize

    3.1MB

  • memory/2416-4-0x00007FFF47803000-0x00007FFF47805000-memory.dmp

    Filesize

    8KB