Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 03:28

General

  • Target

    e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe

  • Size

    3.7MB

  • MD5

    96493f8a0252e4e492de924d83db5a8a

  • SHA1

    09dad264469e86a858f0183ed6e5bfe2d53781f4

  • SHA256

    e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879

  • SHA512

    29d6192b4aae0af83fe15d015be5cf3e1b8832e154c6e847d71de1834c30421f435192490fc9f5b868c99e71f2bbdb92685582985ece2e7694d02799cd315b78

  • SSDEEP

    49152:wBeT66BYzsKDeAo4hJFXMOqlI9XGhvPEpCaZKfpObuLkEnmnK0QnFRhe5+ET8QVY:TTF7GbIlDvPEpz4ptnHhK87nhUnIJb

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

JEKWU

C2

Zyg.ydns.eu:5829

Opy.ydns.eu:5829

Mutex

9c58b2ba-07eb-415a-b48b-21bbb68d32285e

Attributes
  • encryption_key

    C5B555A83D127A9553D4FB1FCECB35CE8E91A447

  • install_name

    outlooks.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Outlooks

  • subdirectory

    WindowsUpdates

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe
    "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EPhabVgXw.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37A.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe
      "C:\Users\Admin\AppData\Local\Temp\e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:688
      • C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe
        "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1908
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EPhabVgXw.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2140
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPhabVgXw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp473D.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2396
        • C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe
          "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:680
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp37A.tmp

    Filesize

    1KB

    MD5

    4887894597819ce06dad3ed1a45c6ae7

    SHA1

    91a1363c4bcf35b4b104886a26e55a9b4d031fb7

    SHA256

    782881d7161754ac9e61f760de99a08413d6c4605a6a9e58aab45012c615dde9

    SHA512

    d92b2bca9901f334c17a58da292d3cabae0d5ec136ad8305c6d7394b76ad3a6fb7f71d8b48b52f00e5c3bd17d09184be233480cb30f3d6fb87dbbd21456813db

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SS9YOBBPGDFPMM4Q2FPG.temp

    Filesize

    7KB

    MD5

    7e1efe3c7da68dc4ab1c4c68059c3549

    SHA1

    c6a7cb60017add46fcfa3e5b3e44437c7c91ee2e

    SHA256

    ee88a8630034ee038eb11c45af55928650ab83b3e3101850ca9d3cf8f8bd8274

    SHA512

    b0b458b0804101339e426a32c0b89f6fb1d9dc71ca51b3a51dfd32b9f144b9352504e932cb6ad240834e6eddeb275523a978a0b93a57b3e7dc60a3884449b9bd

  • C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe

    Filesize

    3.7MB

    MD5

    96493f8a0252e4e492de924d83db5a8a

    SHA1

    09dad264469e86a858f0183ed6e5bfe2d53781f4

    SHA256

    e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879

    SHA512

    29d6192b4aae0af83fe15d015be5cf3e1b8832e154c6e847d71de1834c30421f435192490fc9f5b868c99e71f2bbdb92685582985ece2e7694d02799cd315b78

  • memory/680-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1792-32-0x0000000074400000-0x0000000074AEE000-memory.dmp

    Filesize

    6.9MB

  • memory/1792-5-0x0000000074400000-0x0000000074AEE000-memory.dmp

    Filesize

    6.9MB

  • memory/1792-6-0x0000000007BA0000-0x0000000007F08000-memory.dmp

    Filesize

    3.4MB

  • memory/1792-4-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB

  • memory/1792-3-0x00000000003A0000-0x00000000003B8000-memory.dmp

    Filesize

    96KB

  • memory/1792-1-0x0000000001260000-0x000000000160C000-memory.dmp

    Filesize

    3.7MB

  • memory/1792-0-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB

  • memory/1792-2-0x0000000074400000-0x0000000074AEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2420-40-0x00000000009F0000-0x0000000000D9C000-memory.dmp

    Filesize

    3.7MB

  • memory/2916-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2916-25-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB

  • memory/2916-29-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB

  • memory/2916-23-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB

  • memory/2916-21-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB

  • memory/2916-28-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB

  • memory/2916-31-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB

  • memory/2916-19-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB