quasar | 8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f

Analysis

max time kernel
136s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autodist_proproctor_M2/Client-built.exe
Size

12.4MB
MD5

f7813477edabc442160c2b4bd5a28efb
SHA1

b544c8c8ad68d5ae8c339a304adff69e4001f617
SHA256

628bd830648e0e4e85fba4aac5b89540a2af7a69933a020aa17b42af2a0cc665
SHA512

6e234439915709786536424e6a0c807c64ae2326188e78eb4b081f48a6471b86683fa125423654fc95e441b1236cbde537ecc2a243131f92ac82000f68190a23
SSDEEP

393216:nTHuJuMZfRcpDfuSkqJc5YYR4FjlHN4Ol:THJY5c1uSkqJc5l6ZtP

Score

10^/10

quasar discovery evasion persistence spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/2700-1-0x0000000000050000-0x0000000000CB0000-memory.dmp	family_quasar
behavioral1/files/0x0005000000019217-5.dat	family_quasar
behavioral1/memory/2792-11-0x0000000000100000-0x000000000014A000-memory.dmp	family_quasar
behavioral1/memory/2816-21-0x0000000000DC0000-0x0000000000E0A000-memory.dmp	family_quasar

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Client-built.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2792	tmp122A.tmp.exe
2816	WindowsAudioServiceV3.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	Client-built.exe
2792	tmp122A.tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Docker Service = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp122A.tmp.exe\""	tmp122A.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Docker Service = "\"C:\\Program Files (x86)\\DockerWorkshopV3\\WindowsAudioServiceV3.exe\""	WindowsAudioServiceV3.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Client-built.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Client-built.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	api.ipify.org

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe	tmp122A.tmp.exe
File opened for modification	C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe	tmp122A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client-built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp122A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsAudioServiceV3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	Client-built.exe
Token: SeDebugPrivilege	2792	tmp122A.tmp.exe
Token: SeDebugPrivilege	2816	WindowsAudioServiceV3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	WindowsAudioServiceV3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2792	2700	Client-built.exe	31
PID 2700 wrote to memory of 2792	2700	Client-built.exe	31
PID 2700 wrote to memory of 2792	2700	Client-built.exe	31
PID 2700 wrote to memory of 2792	2700	Client-built.exe	31
PID 2792 wrote to memory of 2816	2792	tmp122A.tmp.exe	32
PID 2792 wrote to memory of 2816	2792	tmp122A.tmp.exe	32
PID 2792 wrote to memory of 2816	2792	tmp122A.tmp.exe	32
PID 2792 wrote to memory of 2816	2792	tmp122A.tmp.exe	32

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Client-built.exe

C:\Users\Admin\AppData\Local\Temp\autodist_proproctor_M2\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\autodist_proproctor_M2\Client-built.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2700
- C:\Users\Admin\AppData\Local\Temp\tmp122A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp122A.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe
    "C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmp122A.tmp.exe

Filesize
268KB

MD5
0db84d4cebc40434c9d350caed5fc9d9

SHA1
215a64172f15e01a0c227907be8d254877519ca8

SHA256
7f7c521207ede40cca08b0d5132bd20d742db81bb09d5f75ffe6e02fe638fae8

SHA512
25579389947d540948a35d28b77e407784c40f48f8eae97b393d780e95e13093104bc439fc7944fac9837e66aad93fdd3e0891d356f6778aa3fa5c9182325c9b

Download Submit
memory/2700-0-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x0000000000050000-0x0000000000CB0000-memory.dmp

Filesize
12.4MB

Download
memory/2700-2-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-13-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/2700-22-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-10-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-11-0x0000000000100000-0x000000000014A000-memory.dmp

Filesize
296KB

Download
memory/2792-12-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-20-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2816-21-0x0000000000DC0000-0x0000000000E0A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads