Analysis

  • max time kernel
    33s
  • max time network
    35s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    15-12-2024 20:01

General

  • Target

    Panel Ejecutador MTA 3.14.zip

  • Size

    1.1MB

  • MD5

    d345c2eb24b0d3806865fda604ad1cc8

  • SHA1

    6b813317f6108f2c242babda58097070503df242

  • SHA256

    9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908

  • SHA512

    76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74

  • SSDEEP

    24576:ioRau4l48JTUIlfSsqFDxCs3+UgQYuX370FBZa:ioRUv5UIYsqOs3+UPY234m

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    WindowsUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsUpdate

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1596
  • C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
    "C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:560
    • C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3816
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1172
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff992d2cc40,0x7ff992d2cc4c,0x7ff992d2cc58
      2⤵
      PID:4692
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1940 /prefetch:2
      2⤵
      PID:2420
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2228 /prefetch:3
      2⤵
      PID:2472
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2240 /prefetch:8
      2⤵
      PID:3500
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3200 /prefetch:1
      2⤵
      PID:812
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3228 /prefetch:1
      2⤵
      PID:3144
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4564 /prefetch:1
      2⤵
      PID:2004
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4356,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4476 /prefetch:1
      2⤵
      PID:3520
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4992,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5036 /prefetch:8
      2⤵
      PID:3104
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3344 /prefetch:8
      2⤵
      PID:2136
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:3532
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:3984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize 2B
    MD5 d751713988987e9331980363e24189ce
    SHA1 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize 1KB
    MD5 82867470f2d2e828e1b18ac93e1fa914
    SHA1 bd8f3e2a7270f9d38216fb530a5ec547ef6664c6
    SHA256 4c91c2f5387e98721937e417e54ad072dd28add059bdb5e3a14b0842cb45b20b
    SHA512 81e38aedcc291fe79740f190e590ed6adca722baf82055b8713e7f6fec2f9c58d89bc76fa8dd9ef4f97a09ea9310f14dc9e7f5637f06f1686f66f435261213b0

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize 8KB
    MD5 fcb500a6e48bef3c7762f4174978b9c4
    SHA1 9fce5c2c8a3f939ac26fba45a29f11b48aebb9b6
    SHA256 44af1f0f40b4b06a7663696231ce7427e47b0caf9612379faa64e6f6f9bff560
    SHA512 e3e04490fc88f3ad9cbd74e9a186de15f60baca88b8d42f1d713422c90d0b0f8bce9715dbfda621020d7038acf82206e0a8271359c9d3e38bbc4e4b73511ca2f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize 234KB
    MD5 cab35ae428b1322b48725d65e34501b4
    SHA1 7fc405b3ea55ec489b8e59f2e8f65d5c446492e1
    SHA256 3678e4c489ee5012b9dac24252a69856c868c88fd6e2c8685fc483f1ce043cd6
    SHA512 55f07ec6c4eb0fef51a4786d452dccea849908233aaff7f45a6bade022fcccb2c7483283f81d896a576831f332d2b3587e2b17055020f07dc24e13856f391807

  • C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
    Filesize 3.3MB
    MD5 5791d405ca0a97a89eeaeb4f2be628be
    SHA1 a012d40aaaa01db12a83b0e4408d012fd383dd0b
    SHA256 6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d
    SHA512 3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd

  • memory/3304-5-0x00007FF9981B3000-0x00007FF9981B5000-memory.dmp
    Filesize 8KB

  • memory/3304-6-0x0000000000020000-0x0000000000376000-memory.dmp
    Filesize 3.3MB

  • memory/3304-7-0x00007FF9981B0000-0x00007FF998C72000-memory.dmp
    Filesize 10.8MB

  • memory/3304-10-0x00007FF9981B0000-0x00007FF998C72000-memory.dmp
    Filesize 10.8MB

  • memory/3816-20-0x0000000002A40000-0x0000000002A90000-memory.dmp
    Filesize 320KB

  • memory/3816-39-0x000000001C650000-0x000000001C68C000-memory.dmp
    Filesize 240KB

  • memory/3816-38-0x000000001C5F0000-0x000000001C602000-memory.dmp
    Filesize 72KB

  • memory/3816-37-0x000000001D0C0000-0x000000001D5E8000-memory.dmp
    Filesize 5.2MB

  • memory/3816-21-0x000000001C690000-0x000000001C742000-memory.dmp
    Filesize 712KB