Overview

overview

10

Static

static

1

Top4smm Di...do.zip

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    35s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    06-12-2024 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Top4smm Dinero Ilimitado.zip

  • Size

    1.1MB

  • MD5

    bfa47aae21e145867fa2536f3adb0fbb

  • SHA1

    b7b6eaccdf32b323421b75ad8e4e420a4527b151

  • SHA256

    a9fc07683b0c89a1a3cfba37fd4548e6b28ebf334dca8cf79d4edada41ece724

  • SHA512

    8ca4870f1949aaf6476b3ed18bfa5764110184242d0ae2d631b28b618cb167ec4de3267776be67a6bfd1de66e5f777fc75d25a8de2c75ef16578637f514906ae

  • SSDEEP

    24576:+NEcxEieY4MkUNZfAzaSbhDmRsYyAo1GMvTSplXql0pDAkddsid2g4:6Ecx5UUnfW9qRU4E2lXSH0sidD4

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    WindowsUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsUpdate

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Top4smm Dinero Ilimitado.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3720
  • C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe
    "C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1828
    • C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
  • C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe
    "C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2696
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {521cae71-c91a-4af6-b266-834b3886731e} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" gpu
        3⤵
          PID:1604
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73fdc1d4-4424-4cfb-9458-7c083032cb45} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" socket
          3⤵
          • Checks processor information in registry
          PID:2740
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3220 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67771467-5e47-4f9a-85f5-c074921920b5} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" tab
          3⤵
            PID:1288
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 2732 -prefMapHandle 3728 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74923e37-04f0-4c3c-960b-76c0cd864459} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" tab
            3⤵
              PID:404
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5430f715-786c-40b8-b151-5a7bfa72a69f} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" utility
              3⤵
              • Checks processor information in registry
              PID:3024

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\activity-stream.discovery_stream.json
          Filesize

          19KB

          MD5

          9c8c382fc8c62a769d075148a27fe3d2

          SHA1

          111e2c10fe99dbb64aca0a59c3ef899ed13c0b26

          SHA256

          21b88d3cecc3484baa61a63b6add7366e56b897476406e23dc106a0ae5d1914e

          SHA512

          1ad9d074692349ceb5ad1ebfe09ff678b21dd3df75c74395989050f966f886618d2e012364d630439a9623e120438f2300fd1be15dd594c7b5b3746deffb0c61

          Download Submit

        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
          Filesize

          15KB

          MD5

          96c542dec016d9ec1ecc4dddfcbaac66

          SHA1

          6199f7648bb744efa58acf7b96fee85d938389e4

          SHA256

          7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

          SHA512

          cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp
          Filesize

          5KB

          MD5

          240875d96d0ecfdf62b8725f9561a5c5

          SHA1

          3e193a9b3996558abdb9054f41100f1d892d218c

          SHA256

          f9722c09dc377855911611a5b007bfe8373a5fc2af3184e922708ea284d665ab

          SHA512

          11f5395df581f4e9b8cdf8ff0ab769092b08cbb7e656ebcc6c9bce7caf4d4b688bcebea644304062275eb5b89f37099c1ea41b17297decf96cb7a8f759c06b71

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\0a96a8b4-09af-4de0-b216-c8dde3e57bb3
          Filesize

          671B

          MD5

          dbd7cbf73c810cc9c7962566fa059653

          SHA1

          d4860be0c626ecd4d6997b8770b9778fbd17d1b6

          SHA256

          649ec2024833cc4a3df5fb2e84e1a9bdf54dd370c3fb2ddfecb1ac090b110ffc

          SHA512

          cb9eafa884cd479307a9ffcb162a42b0f3a00d309e9f2e34a375fb809e9bf42fd105ab8f701501d7638cd0e4c223c6c0048e774024ebc4c3e4c346d32c9a058a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\2c081491-42e7-451c-a9dd-1e4b56fdc109
          Filesize

          982B

          MD5

          a2122304dd84a01f4d0b70cf56dc73de

          SHA1

          7d8e20b93719708445c90c4ac3abc2ae551f0a5b

          SHA256

          7ea0261dd2bba2aacb46468ece365937856d0246bc0be0afdde21bdd93ff8e96

          SHA512

          863689fb594d5248a2df5930db67050488248dda1331d907bfbcba9e849c54d3eef92fa68d4457698f1587b1b883f6c7aba271129bef35d54671a88d3493e08e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\5ea5b371-b434-4b59-b698-8fa93733e2c4
          Filesize

          25KB

          MD5

          0ca0a483f0c121cac0cbf3b7dae51749

          SHA1

          ef3a1d46ec8fcc71432471761eff6a527fdf811e

          SHA256

          bd6afd8c9984e2d9c101b992f9b9461430a0f0b09f3c0a371cf7259a18d2443e

          SHA512

          6465c6e2d5110aee2b1564a907145cad3a83ed563941a6dbbb6bbc5eaa29a31f74dad93111cc8e299403872147a7098f33bc8f2e4b2300ee6f4d40e8c28835b1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js
          Filesize

          10KB

          MD5

          ada76192d1847df66cec69fdf445a8f5

          SHA1

          0a8529d9723b5c61d4f1bec66a86c4491f548849

          SHA256

          0850508cf1cc135010623f3866ff8e581e948c7afa284e018b1d787f4e8863af

          SHA512

          8502101d312e30b9b16b0f6e349747a60186cd1e515b0729ba01d6877c57be08b945dad22fa2cbd855d7b3a6235e1a49de79219a22f6025789ae1dc6d4fb3239

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js
          Filesize

          11KB

          MD5

          bf93ae10a70ce8b6c31f0ae1e92b57fc

          SHA1

          46c62498f719c975f9421e011305cbee214b489f

          SHA256

          4a39cc3614b22d7a981efd2324e4cae944f58361e13fde89b4d6cd8f00648ff7

          SHA512

          7921f6a5122ef026194e17f3d59a56ebd76a09bb12aa766b5fe17dfbcc5ec930b698c7018fc24eceb461a44c8483e7e63f1e52e302e0be86d5240e8080a8130c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionCheckpoints.json.tmp
          Filesize

          288B

          MD5

          362985746d24dbb2b166089f30cd1bb7

          SHA1

          6520fc33381879a120165ede6a0f8aadf9013d3b

          SHA256

          b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

          SHA512

          0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

          Download Submit

        • C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe
          Filesize

          3.2MB

          MD5

          74474ce327c2d8e2b74eba981a7e3249

          SHA1

          48544696b4ce7c96559a791efb58ec7481092454

          SHA256

          46ca3722c1851d6a68aea45c19e64a4c735eb236403e172422d02bbff4e35cca

          SHA512

          0c5b75305b19e0dcaacb9f3df556cdb136c002a5732625cb096fdd0a69e4a6a4b96507bb2948b847e2726d98e424462a237e0c0cecb1210c45cef52c7c1accc1

          Download Submit

        • memory/4156-10-0x00007FFC6AD30000-0x00007FFC6B7F2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4156-6-0x00007FFC6AD30000-0x00007FFC6B7F2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4156-5-0x0000000000400000-0x0000000000732000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/4156-4-0x00007FFC6AD33000-0x00007FFC6AD35000-memory.dmp

          Filesize

          8KB

          Download