Analysis
-
max time kernel
221s -
max time network
228s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
10-11-2024 14:41
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
403d20c63335b299c8bcbe4c6e49231e
-
SHA1
b581c2ca151a033dd10dca736ea76cf29278f498
-
SHA256
db857bc6602026ddfd794ec8c167ede510ca24d46d1de71fac1357c1f4f34bfb
-
SHA512
68418311a5e6cf5a81205513cb2beefc164a913c8f361c7405698948977f77ef4e682aeef651844f9e2da1b6fba978d6f5b97f9fe0780d6b0b91d34a0ea6570a
-
SSDEEP
49152:rvrhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkadReEErHgk/uVkoGduLTHHB72eh2NT:rvjt2d5aKCuVPzlEmVQ0wvwfdRe6C+
Malware Config
Extracted
quasar
1.4.1
Office04
gorodpro-37914.portmap.host:37914
1c5ec883-e96d-4a3a-9035-7a940d47aeb7
-
encryption_key
99E87F88E9E967A51725453CB8223ADDB8256DE2
-
install_name
WindowsDefender.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender
-
subdirectory
WindowsDefender
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /K CHCP 4373⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comCHCP 4374⤵
-
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\xd.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5403d20c63335b299c8bcbe4c6e49231e
SHA1b581c2ca151a033dd10dca736ea76cf29278f498
SHA256db857bc6602026ddfd794ec8c167ede510ca24d46d1de71fac1357c1f4f34bfb
SHA51268418311a5e6cf5a81205513cb2beefc164a913c8f361c7405698948977f77ef4e682aeef651844f9e2da1b6fba978d6f5b97f9fe0780d6b0b91d34a0ea6570a
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
1020KB
-
Filesize
5.2MB