quasar | 538962a772724887e06411bdca86db10e9d4ab08147e330b2e7ebc17d796ffeb | Triage

Analysis

max time kernel
294s
max time network
298s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 20:58

Sharing

Report Analysis Logs

General

Target

wmm.exe
Size

3.1MB
MD5

16cd26bec647159bbecaa3eeed061bf0
SHA1

276c745df06dca1dafb9dc6f82717a59b816c99c
SHA256

538962a772724887e06411bdca86db10e9d4ab08147e330b2e7ebc17d796ffeb
SHA512

5f905a129ffe433687fe64732160e9e2064f8a20f0ebeb819e2b536c5de9309805f7d7a0bbbc922b4809ee68480d618c87d34aac2414f8638b431772b860e6c0
SSDEEP

49152:KvzI22SsaNYfdPBldt698dBcjH9JRJ6YbR3LoGdUTHHB72eh2NT:KvM22SsaNYfdPBldt6+dBcjH9JRJ6y

Score

10^/10

quasar indexer spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

indexer

C2

jt8iyre.localto.net:55644

Mutex

7861b74d-57c7-453f-9218-a4a2335c1a0d

Attributes

encryption_key
54717FCDBD30C7781F669403FBC8E35733C37E34
install_name
searchindexer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
searchindexer
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral4/memory/3380-1-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral4/files/0x0028000000045062-3.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3824	searchindexer.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SubDir\searchindexer.exe	wmm.exe
File opened for modification	C:\Program Files\SubDir	wmm.exe
File opened for modification	C:\Program Files\SubDir\searchindexer.exe	searchindexer.exe
File opened for modification	C:\Program Files\SubDir	searchindexer.exe
File created	C:\Program Files\SubDir\searchindexer.exe	wmm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4272	schtasks.exe
4820	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	wmm.exe
Token: SeDebugPrivilege	3824	searchindexer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3824	searchindexer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3824	searchindexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3824	searchindexer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4272	3380	wmm.exe	80
PID 3380 wrote to memory of 4272	3380	wmm.exe	80
PID 3380 wrote to memory of 3824	3380	wmm.exe	82
PID 3380 wrote to memory of 3824	3380	wmm.exe	82
PID 3824 wrote to memory of 4820	3824	searchindexer.exe	83
PID 3824 wrote to memory of 4820	3824	searchindexer.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\wmm.exe
"C:\Users\Admin\AppData\Local\Temp\wmm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "searchindexer" /sc ONLOGON /tr "C:\Program Files\SubDir\searchindexer.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4272
- C:\Program Files\SubDir\searchindexer.exe
  "C:\Program Files\SubDir\searchindexer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "searchindexer" /sc ONLOGON /tr "C:\Program Files\SubDir\searchindexer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SubDir\searchindexer.exe

Filesize
3.1MB

MD5
16cd26bec647159bbecaa3eeed061bf0

SHA1
276c745df06dca1dafb9dc6f82717a59b816c99c

SHA256
538962a772724887e06411bdca86db10e9d4ab08147e330b2e7ebc17d796ffeb

SHA512
5f905a129ffe433687fe64732160e9e2064f8a20f0ebeb819e2b536c5de9309805f7d7a0bbbc922b4809ee68480d618c87d34aac2414f8638b431772b860e6c0

Download Submit
memory/3380-0-0x00007FFBA02D3000-0x00007FFBA02D5000-memory.dmp

Filesize
8KB

Download
memory/3380-1-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/3380-2-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/3380-5-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/3824-6-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/3824-7-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/3824-8-0x000000001CDC0000-0x000000001CE10000-memory.dmp

Filesize
320KB

Download
memory/3824-9-0x000000001CED0000-0x000000001CF82000-memory.dmp

Filesize
712KB

Download
memory/3824-10-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download