Overview

overview

10

Static

static

10

6c53c68831...f9.exe

windows7-x64

10

6c53c68831...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c53c6883113580b6118856a433c5b2fb49a208e33d2faedb77d1e8609919af9.exe

  • Size

    3.2MB

  • MD5

    39234b4b1387d417161e87d99f46f5d4

  • SHA1

    1b9239eea2e7cbf721cc4b71a7397ea49d3d0348

  • SHA256

    6c53c6883113580b6118856a433c5b2fb49a208e33d2faedb77d1e8609919af9

  • SHA512

    0afaf23be317dafb306365e21134a00aeb650b5bb1749d8e65f9361a67200c417c042233704f01628609ca3f2c2ed9295cdcb0b945a74b99ef9e1dee541a3817

  • SSDEEP

    49152:lnvnI22SsaNYfdPBldt698dBcjHGcHZmzO8oGdG6THHB72eh2NT:lnvI22SsaNYfdPBldt6+dBcjHGcHQ

Score
10/10
quasarddnsdiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

DDNS

C2

193.161.193.99:32471

Mutex

807f3187-d087-4fff-beff-e73293a32af8

Attributes
  • encryption_key

    81A0C14D4C705B3C678E573C849DE7F6A3671A8B

  • install_name

    jusched.exe

  • log_directory

    CachedLogs

  • reconnect_delay

    3000

  • startup_key

    Java Update Scheduler

  • subdirectory

    Java

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c53c6883113580b6118856a433c5b2fb49a208e33d2faedb77d1e8609919af9.exe
    "C:\Users\Admin\AppData\Local\Temp\6c53c6883113580b6118856a433c5b2fb49a208e33d2faedb77d1e8609919af9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
      "C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4444
      • C:\Users\Admin\AppData\Roaming\Java\jusched.exe
        "C:\Users\Admin\AppData\Roaming\Java\jusched.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3384
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:628
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /delete /tn "Java Update Scheduler" /f
          4⤵
            PID:4408
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AVbzwhEg6HB.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4832
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:3676
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1032
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4796

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jusched.exe.log
        Filesize

        1KB

        MD5

        baf55b95da4a601229647f25dad12878

        SHA1

        abc16954ebfd213733c4493fc1910164d825cac8

        SHA256

        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

        SHA512

        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5AVbzwhEg6HB.bat
        Filesize

        210B

        MD5

        a17eb39696625e57114629f29f0ceb6a

        SHA1

        cb09fcc16f3a3a8ad29b7b13fea33deb3e218e62

        SHA256

        a0d480707538774f5d3776de59e74e2a65b6f4fbecab6ccd0ee1fa061438a0b5

        SHA512

        1491642bd78bbc9e58bf2f53560013d4b7cfcffd0b1ebec8d76b119fbdba9f2915c081aacf61c4c787856ea7876578d794060b3434fcc80b22033951a31691f8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
        Filesize

        3.1MB

        MD5

        de7dbb5ed397ff41da4b1de1af4fbac5

        SHA1

        fcf8b29628d4cae9109b642c3a65a20178cca98a

        SHA256

        acfffb20520bcc954ecf5cc107521efa96c76b0a43e61a83628f580dae87c996

        SHA512

        182afaabf28848d5ea2f2a55dc6e7ac5d1903f97e0f0640710e1ff8470c31f01ba68c0d8c548f16261a13a29488c34c91b61a2f8b958736eae126b766a42c5d8

        Download Submit

      • memory/2960-13-0x00007FFAEEA33000-0x00007FFAEEA35000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2960-14-0x00000000003F0000-0x0000000000714000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2960-15-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2960-23-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3384-24-0x000000001C2C0000-0x000000001C310000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3384-25-0x000000001C3D0000-0x000000001C482000-memory.dmp

        Filesize

        712KB

        Download

      • memory/3384-28-0x000000001C340000-0x000000001C352000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3384-29-0x000000001CBD0000-0x000000001CC0C000-memory.dmp

        Filesize

        240KB

        Download