Analysis

  • max time kernel
    20s
  • max time network
    28s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    09-12-2024 21:44

General

  • Target

    Panel Ejecutador MTA 3.14.zip

  • Size

    1.1MB

  • MD5

    d345c2eb24b0d3806865fda604ad1cc8

  • SHA1

    6b813317f6108f2c242babda58097070503df242

  • SHA256

    9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908

  • SHA512

    76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74

  • SSDEEP

    24576:ioRau4l48JTUIlfSsqFDxCs3+UgQYuX370FBZa:ioRUv5UIYsqOs3+UPY234m

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    WindowsUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsUpdate

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2364
  • C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
    "C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2740
    • C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2360

Network

  • US
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • US
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    checkappexec.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    checkappexec.microsoft.com
    IN A
    Response
    checkappexec.microsoft.com
    IN CNAME
    prod-atm-wds-apprep.trafficmanager.net
    prod-atm-wds-apprep.trafficmanager.net
    IN CNAME
    prod-agic-uw-3.ukwest.cloudapp.azure.com
    prod-agic-uw-3.ukwest.cloudapp.azure.com
    IN A
    51.11.108.188
  • GB
    POST
    https://checkappexec.microsoft.com/windows/shell/actions
    Remote address:
    51.11.108.188:443
    Request
    POST /windows/shell/actions HTTP/2.0
    host: checkappexec.microsoft.com
    accept-encoding: gzip, deflate
    user-agent: SmartScreen/2814751014982010
    authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoic25qR3dUYUJWYU09Iiwia2V5IjoiNFBwb1JYNDhVU1JZTFNXbHJBMWpZZz09In0=
    content-length: 1162
    content-type: application/json; charset=utf-8
    cache-control: no-cache
    Response
    HTTP/2.0 200
    date: Mon, 09 Dec 2024 21:45:07 GMT
    content-type: application/json; charset=utf-8
    content-length: 183
    server: Kestrel
    cache-control: max-age=0, private
    request-context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
  • US
    DNS
    188.108.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    188.108.11.51.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    203.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    203.197.79.204.in-addr.arpa
    IN PTR
    Response
    203.197.79.204.in-addr.arpa
    IN PTR
    a-0003.a-msedge.net
  • US
    DNS
    azxq0ap.localto.net
    WindowsUpdate.exe
    Remote address:
    8.8.8.8:53
    Request
    azxq0ap.localto.net
    IN A
    Response
    azxq0ap.localto.net
    IN A
    23.158.232.33
  • US
    DNS
    33.232.158.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    33.232.158.23.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    ipwho.is
    WindowsUpdate.exe
    Remote address:
    8.8.8.8:53
    Request
    ipwho.is
    IN A
    Response
    ipwho.is
    IN A
    195.201.57.90
  • DE
    GET
    https://ipwho.is/
    WindowsUpdate.exe
    Remote address:
    195.201.57.90:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 09 Dec 2024 21:45:10 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: ipwhois
    Access-Control-Allow-Headers: *
    X-Robots-Tag: noindex
  • US
    DNS
    90.57.201.195.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.57.201.195.in-addr.arpa
    IN PTR
    Response
    90.57.201.195.in-addr.arpa
    IN PTR
    static.90.57.201.195.clients.your-server.de
  • 51.11.108.188:443
    https://checkappexec.microsoft.com/windows/shell/actions
    tls, http2
    2.8kB
    7.6kB
    20
    15

    HTTP Request

    POST https://checkappexec.microsoft.com/windows/shell/actions

    HTTP Response

    200
  • 23.158.232.33:3425
    azxq0ap.localto.net
    tls
    WindowsUpdate.exe
    78.8kB
    4.5kB
    75
    55
  • 195.201.57.90:443
    https://ipwho.is/
    tls, http
    WindowsUpdate.exe
    831 B
    6.2kB
    8
    8

    HTTP Request

    GET https://ipwho.is/

    HTTP Response

    200
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    checkappexec.microsoft.com
    dns
    72 B
    191 B
    1
    1

    DNS Request

    checkappexec.microsoft.com

    DNS Response

    51.11.108.188

  • 8.8.8.8:53
    188.108.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    188.108.11.51.in-addr.arpa

  • 8.8.8.8:53
    203.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    203.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    azxq0ap.localto.net
    dns
    WindowsUpdate.exe
    65 B
    81 B
    1
    1

    DNS Request

    azxq0ap.localto.net

    DNS Response

    23.158.232.33

  • 8.8.8.8:53
    33.232.158.23.in-addr.arpa
    dns
    72 B
    152 B
    1
    1

    DNS Request

    33.232.158.23.in-addr.arpa

  • 8.8.8.8:53
    ipwho.is
    dns
    WindowsUpdate.exe
    54 B
    70 B
    1
    1

    DNS Request

    ipwho.is

    DNS Response

    195.201.57.90

  • 8.8.8.8:53
    90.57.201.195.in-addr.arpa
    dns
    72 B
    129 B
    1
    1

    DNS Request

    90.57.201.195.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe

    Filesize

    3.3MB

    MD5

    5791d405ca0a97a89eeaeb4f2be628be

    SHA1

    a012d40aaaa01db12a83b0e4408d012fd383dd0b

    SHA256

    6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d

    SHA512

    3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd

  • memory/3840-4-0x00007FFECD193000-0x00007FFECD195000-memory.dmp

    Filesize

    8KB

  • memory/3840-5-0x0000000000770000-0x0000000000AC6000-memory.dmp

    Filesize

    3.3MB

  • memory/3840-6-0x00007FFECD190000-0x00007FFECDC52000-memory.dmp

    Filesize

    10.8MB

  • memory/3840-9-0x00007FFECD190000-0x00007FFECDC52000-memory.dmp

    Filesize

    10.8MB

  • memory/4424-10-0x000000001B270000-0x000000001B2C0000-memory.dmp

    Filesize

    320KB

  • memory/4424-11-0x000000001C790000-0x000000001C842000-memory.dmp

    Filesize

    712KB

  • memory/4424-14-0x000000001C730000-0x000000001C742000-memory.dmp

    Filesize

    72KB

  • memory/4424-15-0x000000001CF90000-0x000000001CFCC000-memory.dmp

    Filesize

    240KB
