quasar | 7c9b4c774fbf907cf1858ea31454992e16d6b6521f880fcd8a12433ce25b6b35

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order88983273293729387293828PDF.exe
Size

1.4MB
MD5

9c23449ea828b1d7d4473aa70f86caa8
SHA1

474136c0e6d3d7c00a2e4f1b1e41f831fbb6dcba
SHA256

7c9b4c774fbf907cf1858ea31454992e16d6b6521f880fcd8a12433ce25b6b35
SHA512

843a03c44436410ae67a56ca00e4f3c19461979f4211b848eadf0ca02641ec3ee13a38f38e03bc316e028aceaa7571e41d1163e7d0933fe0e12d28ea1fae0925
SSDEEP

12288:Er0K/EsBQT93xj6mZw7Y/zLZefq5U6t1uxSxwOz7MIAvKcz9eoJEtww2LOB:ES3V1w8kzSGOzwFV93O

Score

10^/10

quasar man discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

man

nwamama.ydns.eu:3791

Mutex

3302836a-f2f9-4646-981e-42b54ed610dd

Attributes

encryption_key
C058A6A166AF85C9027394334AA2BDC41A9B7D9C
install_name
windows update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3168-1096-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Order88983273293729387293828PDF.exe

description pid process target process

PID 2300 created 3424 2300 Order88983273293729387293828PDF.exe Explorer.EXE
Executes dropped EXE 1 IoCs

Processes:

windows update.exe

pid process

4028 windows update.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order88983273293729387293828PDF.exe

description pid process target process

PID 2300 set thread context of 3168 2300 Order88983273293729387293828PDF.exe InstallUtil.exe

description	pid	process	target process
PID 2300 created 3424	2300	Order88983273293729387293828PDF.exe	Explorer.EXE

pid	process
4028	windows update.exe

description	pid	process	target process
PID 2300 set thread context of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

InstallUtil.exeschtasks.exewindows update.exeOrder88983273293729387293828PDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order88983273293729387293828PDF.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2264 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Order88983273293729387293828PDF.exe

pid process

2300 Order88983273293729387293828PDF.exe

pid	process
2264	schtasks.exe

pid	process
2300	Order88983273293729387293828PDF.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Order88983273293729387293828PDF.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2300	Order88983273293729387293828PDF.exe
Token: SeDebugPrivilege	2300	Order88983273293729387293828PDF.exe
Token: SeDebugPrivilege	3168	InstallUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Order88983273293729387293828PDF.exeInstallUtil.exe

description	pid	process	target process
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 2300 wrote to memory of 3168	2300	Order88983273293729387293828PDF.exe	InstallUtil.exe
PID 3168 wrote to memory of 2264	3168	InstallUtil.exe	schtasks.exe
PID 3168 wrote to memory of 2264	3168	InstallUtil.exe	schtasks.exe
PID 3168 wrote to memory of 2264	3168	InstallUtil.exe	schtasks.exe
PID 3168 wrote to memory of 4028	3168	InstallUtil.exe	windows update.exe
PID 3168 wrote to memory of 4028	3168	InstallUtil.exe	windows update.exe
PID 3168 wrote to memory of 4028	3168	InstallUtil.exe	windows update.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\Order88983273293729387293828PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Order88983273293729387293828PDF.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows update.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2264
- - C:\Users\Admin\AppData\Roaming\SubDir\windows update.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\windows update.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\windows update.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
memory/2300-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x0000000000A20000-0x0000000000B90000-memory.dmp

Filesize
1.4MB

Download
memory/2300-2-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2300-3-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/2300-4-0x0000000006950000-0x0000000006B5E000-memory.dmp

Filesize
2.1MB

Download
memory/2300-5-0x0000000007150000-0x00000000076F4000-memory.dmp

Filesize
5.6MB

Download
memory/2300-6-0x0000000006CA0000-0x0000000006D32000-memory.dmp

Filesize
584KB

Download
memory/2300-24-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-32-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-36-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-44-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-58-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-70-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-68-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-66-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-64-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-62-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-60-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-56-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-54-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-52-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-50-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-48-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-42-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-40-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-38-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-34-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-46-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-30-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-28-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-26-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-22-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-20-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-16-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-14-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-12-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-10-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-8-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-18-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-7-0x0000000006950000-0x0000000006B57000-memory.dmp

Filesize
2.0MB

Download
memory/2300-1081-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2300-1082-0x0000000006DB0000-0x0000000006F2E000-memory.dmp

Filesize
1.5MB

Download
memory/2300-1083-0x0000000007080000-0x00000000070CC000-memory.dmp

Filesize
304KB

Download
memory/2300-1087-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2300-1089-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2300-1091-0x00000000070D0000-0x0000000007124000-memory.dmp

Filesize
336KB

Download
memory/2300-1090-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2300-1088-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2300-1094-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2300-1093-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3168-1095-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3168-1096-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3168-1097-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3168-1098-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/3168-1107-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4028-1106-0x0000000002CB0000-0x0000000002CCA000-memory.dmp

Filesize
104KB

Download
memory/4028-1108-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4028-1105-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/4028-1109-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4028-1111-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download