Analysis Overview
SHA256
3581567130d8c7081fcb2f9c51e066487c7da1d62833169817725ae57874a243
Threat Level: Known bad
The file IMVUdineroilimitado.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Executes dropped EXE
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-13 06:55
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-13 06:55
Reported
2024-12-13 06:58
Platform
win7-20240903-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe
"C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | azxq0ap.localto.net | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
Files
memory/2068-0-0x000007FEF66F3000-0x000007FEF66F4000-memory.dmp
memory/2068-1-0x0000000000230000-0x0000000000582000-memory.dmp
memory/2068-2-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
| MD5 | a6b8a25d0eeac0fe978cc16a1e377e37 |
| SHA1 | dae6ed3a24af41e4247872f718b0e1bb0dcc7bff |
| SHA256 | 3581567130d8c7081fcb2f9c51e066487c7da1d62833169817725ae57874a243 |
| SHA512 | 7dd56e27b1f112df4f4ca6e6f9846848d50496d78cdfcc913f0179c39a21c57b0a04bffabe9c1d1c85fcfda79e2ec0bd55aa38537e8325b7073970d6ede59713 |
memory/2820-9-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp
memory/2820-8-0x0000000000340000-0x0000000000692000-memory.dmp
memory/2820-10-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp
memory/2068-11-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp
memory/2820-12-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-13 06:55
Reported
2024-12-13 06:58
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3616 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3616 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe |
| PID 3616 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe |
| PID 1628 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1628 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe
"C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | azxq0ap.localto.net | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
| US | 23.158.232.33:3425 | azxq0ap.localto.net | tcp |
Files
memory/3616-0-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp
memory/3616-1-0x0000000000870000-0x0000000000BC2000-memory.dmp
memory/3616-2-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
| MD5 | a6b8a25d0eeac0fe978cc16a1e377e37 |
| SHA1 | dae6ed3a24af41e4247872f718b0e1bb0dcc7bff |
| SHA256 | 3581567130d8c7081fcb2f9c51e066487c7da1d62833169817725ae57874a243 |
| SHA512 | 7dd56e27b1f112df4f4ca6e6f9846848d50496d78cdfcc913f0179c39a21c57b0a04bffabe9c1d1c85fcfda79e2ec0bd55aa38537e8325b7073970d6ede59713 |
memory/1628-9-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
memory/1628-10-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
memory/1628-11-0x000000001B000000-0x000000001B050000-memory.dmp
memory/1628-12-0x000000001D0C0000-0x000000001D172000-memory.dmp
memory/3616-13-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
memory/1628-14-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp