Analysis
-
max time kernel
41s -
max time network
43s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
13-11-2024 17:12
General
-
Target
autodist_proproctor_M2 (2).zip
-
Size
34.9MB
-
MD5
38cbe4bfde65070ccbd42fd6d4fd7517
-
SHA1
a6c8e7cea56ffe8eae93db6128f440cfdf7078e7
-
SHA256
8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f
-
SHA512
251405e6b4885f2e72be95494609899c7fbd51371e5389c9d3bfdbca7201af24a4ba3724ba409c9837960277194115575c3538c921afde456b96cd763b8d0c15
-
SSDEEP
786432:qK3WRVP/LiO0hSfYxv73lwlOxWyr4Rp73lwlOxWyr4RMst9:qK67iOwSf+73lxxWyrCp73lxxWyrCMc
Malware Config
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 6 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\autodist_proproctor_M2 (2).zip"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Quasar.vmp.exe"C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Quasar.vmp.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
-
C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Client.exe"C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Client.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Client-built.exe"C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Client-built.exe"1⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmp37A5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp37A5.tmp.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe"C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Quasar.vmp.exe"C:\Users\Admin\Desktop\test\autodist_proproctor_M2\Quasar.vmp.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56363a0d30ffd622f135d4a285d9dc8b1
SHA19e3787eb6c579664e5a2449e181ae21cdb8ef804
SHA2568332a10a7b5a66fc716adc1bc759ec401c2cf870ac00cdcbdf7b8e395450cadf
SHA512ddb8c2a69394391c929b2cf760327f7c53f4d076a9093c23e7d22eeb86050b527dc1a338feed30cc804ed9b7e0a473f1469dbd0a5d59d23fe2fe75243b224fbd
-
Filesize
268KB
MD50db84d4cebc40434c9d350caed5fc9d9
SHA1215a64172f15e01a0c227907be8d254877519ca8
SHA2567f7c521207ede40cca08b0d5132bd20d742db81bb09d5f75ffe6e02fe638fae8
SHA51225579389947d540948a35d28b77e407784c40f48f8eae97b393d780e95e13093104bc439fc7944fac9837e66aad93fdd3e0891d356f6778aa3fa5c9182325c9b
-
Filesize
12.4MB
MD5f7813477edabc442160c2b4bd5a28efb
SHA1b544c8c8ad68d5ae8c339a304adff69e4001f617
SHA256628bd830648e0e4e85fba4aac5b89540a2af7a69933a020aa17b42af2a0cc665
SHA5126e234439915709786536424e6a0c807c64ae2326188e78eb4b081f48a6471b86683fa125423654fc95e441b1236cbde537ecc2a243131f92ac82000f68190a23
-
Filesize
12.3MB
MD549fee9e45690cb2d12f32923ff5c7060
SHA1eaa52d56f0998b81bd54397d0d0d0c68d47e4838
SHA2564bcc56b8279bc707e0f6a21a9fddc8c67903383f84ba1bc0477b8327ab370719
SHA512e08c1fb1b1fb76dd6b6d768b397ca7b20bba1aa54affee551e248830ccf8bbf8957e888eb88be4725c047b52c592d13ebae1218771699739c31bcfb43f9d9390
-
Filesize
161B
MD5c16b0746faa39818049fe38709a82c62
SHA13fa322fe6ed724b1bc4fd52795428a36b7b8c131
SHA256d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
SHA512cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c
-
Filesize
178KB
MD50646998ef06d1e8d3471824151d23dfe
SHA1ff3d549f20df9740847a36b218f3565f8613e0ab
SHA2566e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
SHA512f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
-
Filesize
277KB
MD58df4d6b5dc1629fcefcdc20210a88eac
SHA116c661757ad90eb84228aa3487db11a2eac6fe64
SHA2563e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
SHA512874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
-
Filesize
45KB
MD5e3986207ac534dcc31265bbfbd2ccc79
SHA13f1139ed1a4e2332507765a60ed2bf4dc0d6c29e
SHA25689bf6331396dcf10a4d779059105f61a50b4d2fbbe7bf89cdd5dc3102296415f
SHA512ede1e4bd5763cbeee3b20b53c8678c2a73cd50ca6963235cfab5a7795fc8cc47b42a4e9e0b16b4b68d0b39590bd61fc0e63a9667ead2414e7d1bb2c5e7d95cbb
-
Filesize
2.1MB
MD5a0dace1b704c623aba724810af79fb01
SHA139ccaaa4ed9840a2f8492f0bda615ae9f8e8b8dd
SHA256ef857f86022cd05c7916f9422ea9f731277b33a4c21efd2e2a475d95d6739f6d
SHA512b6ccc516c7b506d4ad8094474c9b558f79a189e0790344aac54f240a9124f13dff7d485fdbcc05d83ea7330ce673f88bd4a51c7c09668cf5a006ca09304054dc
-
Filesize
76KB
MD564e9cb25aeefeeba3bb579fb1a5559bc
SHA1e719f80fcbd952609475f3d4a42aa578b2034624
SHA25634cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
SHA512b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
-
Filesize
410B
MD512251926fa9dcba8e4804f6a4b916738
SHA1e05acba7468274ad42d42f3074e26e46e2ae5474
SHA2564146117a7634ca0298529582217756dd06d19370d6806325ce0ab07878bb0c57
SHA512d9bb8b63ae15195e652412a5cfa81b863675a5405e8945dee8679b96ed65eac58ffe2af411981058ddc51640d7316a6535ccbaa9591d763df7f43380bc8ad104
-
Filesize
12.4MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
144KB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
12.4MB
-
Filesize
40KB
-
Filesize
296KB