Analysis
-
max time kernel
142s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17-12-2024 04:35
General
-
Target
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
-
Size
3.1MB
-
MD5
dd7a806c734df62ecf4802977fa0b3e9
-
SHA1
42eae42e0fcfe9d9a54e493a670adde5241377da
-
SHA256
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f
-
SHA512
0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf
-
SSDEEP
49152:yvkt62XlaSFNWPjljiFa2RoUYIO8RJ6IbR3LoGdaTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIO8RJ6i
Malware Config
Extracted
quasar
1.4.1
Aryszx
Apichat:4782
181f4a12-4cad-46a9-9896-1001033c5b69
-
encryption_key
F4F359BEF442D9221F73F7D64267E0E300CC68CE
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
1
-
startup_key
Runtime Broker
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 10 IoCs
-
Executes dropped EXE 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 12 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe"C:\Users\Admin\AppData\Local\Temp\cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1TSvUeg4yeUR.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1iqhytH3Kt2o.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\C9S6eBrk2XcF.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\G9f0e5OlX3MT.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\gR5DHQRdpEBX.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\evU1PuLRxKbK.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Wqnbok2CPsPG.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XnP3hG3M6rMs.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\VdtuvE5huO7V.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\AuUkjNvi0lWa.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\LoLC1KjsUhHY.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\YPRDxbNQL3mE.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD558cea857a2d655a22baf422fbccd3ed8
SHA1212f8494a3f3ce1895116e8c78a9ed9bc8086028
SHA256871f70fca82d0fc4088f6b0d1f91ab4a0b37eb95c98d7e0de3493d63e3e16257
SHA5123a25982fb792f8ce77e3bca2f2c50438fe7dda311939947562af58942e2a04b3a872398eec27a4bb12e8017574023e928a31dd01d74bd44d20a195379f52455f
-
Filesize
208B
MD590c28db29b2a44addfe2398a4c289fec
SHA111cfe37c91cd0d7b23b07b96242f2521a552b565
SHA256ec1a4180d097fc2adbe02ac27a02faead27fcfe35bea29d380dc0ecef38fdc53
SHA512a5ba66032890047a67a7027670b3954f39d78573565860ea3fa56c756948d17a093f97f21eff39948643aed0efb56c98d4749b311881284aedb1a02397259628
-
Filesize
208B
MD50bd259621a603da49ed3247aa87449f0
SHA1a367ec35e21e76a8f2bad6604503094b74d7d9fb
SHA256a9460b7a03d262fba0a07a3633ca5b639b0b397ed31958295169cd3fdbdad45a
SHA5126b9d403209bd5881044d52e16eb4d7263841a859a3a03190b2a7780155a96f20e977c3f08fa354379107fea94ef72cfe86340142ec2e5afa47ed24ace32c6dcf
-
Filesize
208B
MD5f9c759c92a0a208ba3b0e7cb18966a53
SHA1e5f1b1a0e9958d201994d7026686f1c8ae38faa7
SHA2561410506663ad1656e2363db68cb59870249255a4c4bb58741322a16fea950a50
SHA51277e9ebb10899561357e20c5b1d751d7bafd8d30657282ef12c2676bb2288a873c1e5b7ea5bfbdf8bfa48223a73d0d11e230bc96a9d2ea91d5b29250f3e53ee19
-
Filesize
208B
MD5c2214aff4e658a8fb8b4791ef85de4a7
SHA15d4350481550cd2c396ce714c6e7ca1883faff44
SHA2561dc7db5448da7b59edba2b00c50ab9c7081dbc07c2a10dffa52bce97c723ce5c
SHA5129fa46338308593240debfd628f53b0091743997e6557f7a8e2f47df99b9396ac08fa87fea0d7d6df35232eaa2b607b10fa1dedc722e8fe88553891837ea71138
-
Filesize
208B
MD590ffe5d344999857b7a03a9b549233f7
SHA11b50b44009524ee12527ffcc5a3b4e53f1a00189
SHA256c8df60614bf381b9f46843ed773c984f6d4f9b86bd795720eec73f4ddc076d4a
SHA512cbfbdf23039a544fed2e2fd4a97a3f5f685425e96e7d00560f2534f228d479bac786bcbc1ac2461379ac137a5122046898c3de955356cdd76c9eec886491c866
-
Filesize
208B
MD5e54cfd40ea027d5b9dde9718805ab4b9
SHA1e4d3d7da3bc886f6680bb2f01268cf30895ed46b
SHA256de70d8c6095660e2f3fb1e70c20c79a4206318f38fc4d0cef255350865f7df6e
SHA5128a5201e57e1c073a5d8b368663c8608e2cc358e9493d8a6da0ef6d536679a992aece7a3dda4fd0fb05e81ca276011b85003f68d49f2aed4a5214fe54b62923dc
-
Filesize
208B
MD5b25338ab140a06b46bf968bcb30e7d80
SHA16088a01c0ac95cab4c494a236117ed99b57c647b
SHA2560ce9ac0419f77faca2cd432a24ef077e19de63be49dbb0e35d25d7023662fd96
SHA512118bcebcf2cbe2d8425852c18fbd400a10d63653c9eb52d2af1335ee821a224c6dd4c5f2f976e140381dd5c88e7b35e418df756cdbba8cc6eca0432a1ad7fbce
-
Filesize
208B
MD56922f7829f73155ac5aede46e71aa4e6
SHA140c8d5d539c5be682234d674f94628e95185aa7b
SHA256f4d9077ab837fc0e5da1a9a7376e41c002a82c5ed95e26c98088f3a8fb55b2d3
SHA51289d9c9d7c6b6ea2081b6436f0dcfa0ae57f4d34b6689edae4f450b08e6a10d987473bd4e7a43c4e94a163280b0973e791da1de2c55d8f699b12de9ae1d219147
-
Filesize
208B
MD573a4184a3c7fa32d04d686877371e3f0
SHA1f0acb2e5985d12cf37d696748d752c93aecdb199
SHA2566b582632dee4316377ee9ea0e007df02acf84e7d6ae05b2189d61be421670a40
SHA5127edb2718c930ff719b376caa7e3b5084f5a83f5d5504251271039b85217db16f03a909d06a6dd6908c2ffa6d9cf09afd8daa68fef68b96a02ec514c51c67e9d3
-
Filesize
208B
MD55d87541ccda6d759dd4fc9a7f0133f00
SHA16e9ea3012ae1c4507f3153f5e0053598156852a8
SHA25686cd2a24c814d6e0cff6afd01d5f0db962797410f179c3f2e6842d29dac1e5fd
SHA51264ac15548bd05a43bd51f2ab11a813410c78e37b89dc1c765894a626e36c7640cdd7acdf4a96192e5162a17db7cc35d24d8a430aa1c3e0379805c927d489eb9b
-
Filesize
208B
MD557c456e33e34d63e62b16ee1021ddb09
SHA1aad449862161b2e5d1929a19fda655180a5c81c3
SHA2560580a99df691e6c78b771f66082ce9946703a9029a170ba9c9e51339d42c6dc6
SHA512dc4867b6700096b374a9df8ddcb8eaaecd1cbe54c8cfedacfbbcca2f9aab58336a43634c93f208237623d9c113dc1d77fa3d815342ce6f0813bad501eba6e07b
-
Filesize
3.1MB
MD5dd7a806c734df62ecf4802977fa0b3e9
SHA142eae42e0fcfe9d9a54e493a670adde5241377da
SHA256cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f
SHA5120f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB