Overview

overview

10

Static

static

10

Modificati...75.exe

windows7-x64

10

Modificati...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Modification11910275.exe

  • Size

    3.1MB

  • MD5

    fa9b1524e725c4a251d07007f15fa947

  • SHA1

    5c023619d8180b611acb544fa1cd8bd31de9e61c

  • SHA256

    0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

  • SHA512

    dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

  • SSDEEP

    49152:nvKlL26AaNeWgPhlmVqvMQ7XSKrCW1JeLoGdeSTHHB72eh2NT:nvyL26AaNeWgPhlmVqkQ7XSKrCN

Score
10/10
quasarbotdiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes
  • encryption_key

    E83D6FC31962786DAEA703F111D2381786DF06CA

  • install_name

    Modification1.5.14.12.exe

  • log_directory

    Logs

  • reconnect_delay

    3126

  • startup_key

    explorer.dll

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
    "C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1420
    • C:\Windows\system32\SubDir\Modification1.5.14.12.exe
      "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4140
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /delete /tn "explorer.dll" /f
        3⤵
          PID:3028
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r6m4jIKr3qZe.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:436
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2720

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\r6m4jIKr3qZe.bat
        Filesize

        215B

        MD5

        caa0205578c375a150815c03e062bb3f

        SHA1

        2e40d7ff5e1aa7c8e10d3699fabe0a2dc723e0c3

        SHA256

        d89e4cb6aedac5f365ac2926249dd7b87ca456f02a5a00b16fafbbc883cf88b3

        SHA512

        57fec04bab6f151f66f3c99c821745186eb4a3cb17c4a2f2a4ac456b13c10263d6c3c67211594984f3e955a08e0fa21b57d4bb43a3bfbe038e0f1ab84013087f

        Download Submit

      • C:\Windows\System32\SubDir\Modification1.5.14.12.exe
        Filesize

        3.1MB

        MD5

        fa9b1524e725c4a251d07007f15fa947

        SHA1

        5c023619d8180b611acb544fa1cd8bd31de9e61c

        SHA256

        0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

        SHA512

        dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

        Download Submit

      • memory/1496-11-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1496-9-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1496-12-0x000000001B910000-0x000000001B960000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1496-13-0x000000001BA20000-0x000000001BAD2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1496-16-0x000000001B9A0000-0x000000001B9B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1496-17-0x000000001C120000-0x000000001C15C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1496-18-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1496-23-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2340-2-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2340-10-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2340-0-0x00007FFC30343000-0x00007FFC30345000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2340-1-0x0000000000760000-0x0000000000A84000-memory.dmp

        Filesize

        3.1MB

        Download