Overview

overview

10

Static

static

10

svchost.exe

windows7-x64

10

svchost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    209s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost.exe

  • Size

    3.1MB

  • MD5

    27fbdbdac166ee53df824d4e2a1807a0

  • SHA1

    2df4cdbb8cc5861277fbaf1db7790fbd5112137b

  • SHA256

    2c13c16331719db777e6d391eb027e47a12c8e6a0cc36e15d7c4003e841997d1

  • SHA512

    50d5e8309e4a8f00838026b5917c3aed5c7191d9b464e798859251ac55bd5c6b7219811e9be3766a2166dee97cc845e16bfe9a2a7253c0466956b6e656551f14

  • SSDEEP

    49152:vvHI22SsaNYfdPBldt698dBcjHQ2xE1v4LoG/kTHHB72eh2NT:vvo22SsaNYfdPBldt6+dBcjHQ2xH

Score
10/10
quasaruser01discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

User01

C2

hello383-37009.portmap.host:37009

Mutex

108151be-6bee-4922-a809-562bf18e7d5c

Attributes
  • encryption_key

    2CF5E13B7455B67B54A919C41B45066DC7333545

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    systemapps

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\systemapps\svchost.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4360
    • C:\Windows\system32\systemapps\svchost.exe
      "C:\Windows\system32\systemapps\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\systemapps\svchost.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2152
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
      PID:4996
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault008b3219hac29h4f8dhbc49hcdf26c35df3f
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff90d4346f8,0x7ff90d434708,0x7ff90d434718
        2⤵
          PID:2712
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13906307111035253795,3428633033628966992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
          2⤵
            PID:956
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13906307111035253795,3428633033628966992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2400
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13906307111035253795,3428633033628966992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
            2⤵
              PID:3152
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            1⤵
              PID:800
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:2396

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
                Filesize

                1KB

                MD5

                baf55b95da4a601229647f25dad12878

                SHA1

                abc16954ebfd213733c4493fc1910164d825cac8

                SHA256

                ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                SHA512

                24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                Filesize

                152B

                MD5

                36988ca14952e1848e81a959880ea217

                SHA1

                a0482ef725657760502c2d1a5abe0bb37aebaadb

                SHA256

                d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

                SHA512

                d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6b10d893-5f54-4de1-9484-6dd60a67b8f5.tmp
                Filesize

                5KB

                MD5

                0a679adc2f70eb4f803f08cde07ac85c

                SHA1

                e5a48afa745a0502da2513cb71c72a7ed65b7a51

                SHA256

                3b14c149af78003a16f767226ca3b83c62ce539fad0e14af67998471a8c84583

                SHA512

                660505ed58e9086afe6fd0bb0db44ae62bb4de03911a04dceb6820c82debc3f24c2b07471a6c89f9f40d65dc582622c20d27ec0e9874f5a487a8b14c638374f5

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                Filesize

                8KB

                MD5

                9b482a1c5470d1737837d0c70ca53fc2

                SHA1

                4ee81da4b3dfd1087a609b2725b33e2c5a2d30a3

                SHA256

                705ad9ece5a06b737a32792103d1ce23274968dc4597145c0114231eb8dbc48d

                SHA512

                73fb9107f5a845a631f7fb46702cb9216d54f724af0bd4c45a7a4110af956f495b3e74ec3f0f7c513b6db121ee725f0ba238a9f19dd144db733efb1111b78db6

                Download Submit

              • C:\Windows\System32\systemapps\svchost.exe
                Filesize

                3.1MB

                MD5

                27fbdbdac166ee53df824d4e2a1807a0

                SHA1

                2df4cdbb8cc5861277fbaf1db7790fbd5112137b

                SHA256

                2c13c16331719db777e6d391eb027e47a12c8e6a0cc36e15d7c4003e841997d1

                SHA512

                50d5e8309e4a8f00838026b5917c3aed5c7191d9b464e798859251ac55bd5c6b7219811e9be3766a2166dee97cc845e16bfe9a2a7253c0466956b6e656551f14

                Download Submit

              • memory/1964-0-0x00007FF916683000-0x00007FF916685000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1964-1-0x0000000000410000-0x0000000000734000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2272-9-0x00007FF916680000-0x00007FF917141000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2272-10-0x000000001D1B0000-0x000000001D200000-memory.dmp

                Filesize

                320KB

                Download

              • memory/2272-11-0x000000001D2C0000-0x000000001D372000-memory.dmp

                Filesize

                712KB

                Download

              • memory/2272-12-0x00007FF916680000-0x00007FF917141000-memory.dmp

                Filesize

                10.8MB

                Download