Analysis

  • max time kernel
    133s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 19:51

General

  • Target

    d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe

  • Size

    797KB

  • MD5

    7ea9f823d613c41364ebb2d1d0a6189a

  • SHA1

    4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b

  • SHA256

    d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1

  • SHA512

    d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de

  • SSDEEP

    12288:q6K0egDGMTCm4Nj9XuVIxlJY0RJFHV0ea8d1xxHiU78Ejy2QHPlvrqfmhemL11xI:qJ0eoLTCZNjQmfJpXHjHoDfW4eqhgP

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HTROY

C2

87.120.116.115:61510

onadeatcamsides.sytes.net:61511

Mutex

QSR_MUTEX_ZAU4jFZ758CCGtDmef

Attributes
  • encryption_key

    rK1SiSuzs11zCQEpJeMg

  • install_name

    Updates.exe

  • log_directory

    Logs

  • reconnect_delay

    30000

  • startup_key

    NewUpdates

  • subdirectory

    Mindow

Signatures

  • Quasar RAT 4 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 7 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 12 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
    "C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe"
    1⤵
    • Quasar RAT
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
      C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
      2⤵
        PID:1848
      • C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
        C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe" /rl HIGHEST /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2820
        • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
          "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
            4⤵
            • Executes dropped EXE
            PID:2840
          • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2776
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3028
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqxJfyHzrnXI.bat" "
              5⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:816
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2472
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1300
              • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2280
                • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                  C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2524
                • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                  C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:820
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1360
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\F2Kw3nME9xkh.bat" "
                    8⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2520
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2300
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 10 localhost
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:2120
                    • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                      "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1872
                      • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                        10⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2784
                      • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                        10⤵
                        • Executes dropped EXE
                        PID:2788
                      • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                        10⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2096
                        • C:\Windows\SysWOW64\schtasks.exe
                          "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
                          11⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:1712
                • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                  C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2236
          • C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
            4⤵
            • Executes dropped EXE
            PID:2804
      • C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
        C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
        2⤵
          PID:2672

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\F2Kw3nME9xkh.bat

        Filesize

        208B

        MD5

        70e57fdd50a1c1d01f9823afd3c284ba

        SHA1

        06ecdc8b08cfe41ed808fff0af18d848579305a8

        SHA256

        cfb6028cef7ba71363eccf05dcb8f83d963016d97e8bc4dbfc2a4931cb3cabfc

        SHA512

        e15002dab1d6bb16717dc5766a7bab22c62b18f932e9c27a3ac68dd786bd3593bc1564b7a7b7d5e77028669f2be38f1bb2daf8ec649e767e03fc0ea0b5a4d323

      • C:\Users\Admin\AppData\Local\Temp\ZqxJfyHzrnXI.bat

        Filesize

        208B

        MD5

        ff6f2e0c33e6d51fa7a0f592c47c00da

        SHA1

        43a3c4a8953b1e9dae451b81c8100f54df34fb54

        SHA256

        64a7c16d11bdbf86a0b6f781766cf73045d4a61fed7251f6a04efa4a8aa7b030

        SHA512

        a7daaea7fc4898f4b17d1af2f84d255daa010dfc6b184a6238dffb746bcfb0655033834e0ca1d2780c7d433f177a383049ef609283a78bb7d2925ae20b6818f3

      • \Users\Admin\AppData\Roaming\Mindow\Updates.exe

        Filesize

        797KB

        MD5

        7ea9f823d613c41364ebb2d1d0a6189a

        SHA1

        4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b

        SHA256

        d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1

        SHA512

        d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de

      • memory/820-54-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

      • memory/820-53-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

      • memory/1040-10-0x00000000746C0000-0x0000000074DAE000-memory.dmp

        Filesize

        6.9MB

      • memory/1040-12-0x00000000746C0000-0x0000000074DAE000-memory.dmp

        Filesize

        6.9MB

      • memory/1040-8-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

      • memory/1040-6-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

      • memory/1040-20-0x00000000746C0000-0x0000000074DAE000-memory.dmp

        Filesize

        6.9MB

      • memory/1040-4-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

      • memory/1872-70-0x0000000000250000-0x0000000000322000-memory.dmp

        Filesize

        840KB

      • memory/2280-43-0x0000000001190000-0x0000000001262000-memory.dmp

        Filesize

        840KB

      • memory/2500-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

        Filesize

        4KB

      • memory/2500-3-0x00000000746C0000-0x0000000074DAE000-memory.dmp

        Filesize

        6.9MB

      • memory/2500-2-0x0000000006F10000-0x0000000006FFE000-memory.dmp

        Filesize

        952KB

      • memory/2500-1-0x0000000000C40000-0x0000000000D12000-memory.dmp

        Filesize

        840KB

      • memory/2500-11-0x00000000746C0000-0x0000000074DAE000-memory.dmp

        Filesize

        6.9MB

      • memory/2744-19-0x0000000000230000-0x0000000000302000-memory.dmp

        Filesize

        840KB

      • memory/2784-76-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

      • memory/2784-75-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB