Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 06:32

General

  • Target

    nj.exe

  • Size

    3.1MB

  • MD5

    fd683344e5fc0a2dc8693f32ff45bf1f

  • SHA1

    285fbe54593c2d616caecbaba986ba15cc4972ab

  • SHA256

    4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e

  • SHA512

    b272fe1b94e5b8a55167956d7baf1795fc1fc638cb8af12268bfc40c05a6f8dc22bbf06feb0e5c315ed327b60c6e14c11586d569612c8742ceb27f66c04caa79

  • SSDEEP

    49152:qvVt62XlaSFNWPjljiFa2RoUYI7mcH+mZHLo0dPBNTHHB72eh2NT:qvn62XlaSFNWPjljiFXRoUYIicHBtB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

209.145.59.89:443

Mutex

9d1a4f0d-2ea1-4330-81b0-244a91bf932c

Attributes
  • encryption_key

    B90D9A43F7C3BF3BBA75403410E571B5F80BA7E1

  • install_name

    winboot.exe

  • log_directory

    Logs

  • reconnect_delay

    5000

  • startup_key

    UEFI boot

  • subdirectory

    bootufi

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nj.exe
    "C:\Users\Admin\AppData\Local\Temp\nj.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2124
    • C:\Windows\system32\bootufi\winboot.exe
      "C:\Windows\system32\bootufi\winboot.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2204
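The schtasks command line in the process tree above is what the "Scheduled Task/Job" signature fires on: a task that runs at every logon (/sc ONLOGON), asks for the highest run level (/rl HIGHEST), overwrites any task of the same name (/f), and points at a binary dropped into a newly created subdirectory of System32, under a name ("UEFI boot") chosen to look like firmware housekeeping. The following is an added example, not code from the report or from Quasar, that parses schtasks /create command lines as they appear in process-creation telemetry and scores them on exactly those features. The first sample event is the command line copied from the process tree; the other events, the allow-list of known System32 subdirectories and the two-reason threshold are assumptions.

```python
"""Score schtasks /create command lines for RAT-style persistence.

Added example, not from the sandbox report. The first entry of
SAMPLE_EVENTS is the command line seen in the report; the rest are
constructed. KNOWN_SYSTEM32_SUBDIRS and the >= 2 reasons threshold are
assumptions and should be tuned to the environment.
"""
import ntpath
import shlex
from dataclasses import dataclass, field

SYSTEM32 = r"c:\windows\system32"
# Subdirectories Windows itself ships binaries in (assumed allow-list).
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "windowspowershell", "drivers", "tasks", "wdi"}
PERSISTENCE_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE"}


@dataclass
class Finding:
    task_name: str
    target: str
    trigger: str
    run_level: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return len(self.reasons) >= 2


def parse_schtasks(cmdline):
    """Return {option: value} for a schtasks command line.

    posix=False keeps Windows backslashes and quoted arguments intact;
    quotes are stripped from values afterwards.
    """
    tokens = shlex.split(cmdline, posix=False)
    opts = {}
    i = 1  # tokens[0] is the schtasks executable itself
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1].strip('"')
            i += 2
        else:
            opts[key] = True  # flag without a value, e.g. /create or /f
            i += 1
    return opts


def assess(cmdline):
    """Return a Finding for a /create command line, or None otherwise."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return None
    target = str(opts.get("tr", ""))
    trigger = str(opts.get("sc", "")).upper()
    run_level = str(opts.get("rl", "")).upper()
    finding = Finding(str(opts.get("tn", "")), target, trigger, run_level)

    if trigger in PERSISTENCE_TRIGGERS:
        finding.reasons.append(f"trigger {trigger} re-launches the binary on every boot/logon")
    if run_level == "HIGHEST":
        finding.reasons.append("/rl HIGHEST requests the highest available privilege level")
    if "f" in opts:
        finding.reasons.append("/f silently overwrites an existing task of the same name")

    exe = target.lower()
    parent = ntpath.dirname(exe)
    if parent.startswith(SYSTEM32 + "\\"):
        first = parent[len(SYSTEM32) + 1:].split("\\")[0]
        if first not in KNOWN_SYSTEM32_SUBDIRS:
            finding.reasons.append(f"binary sits in a non-standard System32 subdirectory: {parent}")
    elif "\\appdata\\" in exe or "\\temp\\" in exe or "\\public\\" in exe:
        finding.reasons.append("binary sits in a user-writable directory")
    return finding


def scan(cmdlines):
    """Return the suspicious findings for a batch of command lines."""
    return [f for f in map(assess, cmdlines) if f and f.suspicious]


SAMPLE_EVENTS = [
    # 1: copied from the sandbox report's process tree
    r'"schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f',
    # 2: constructed, benign-looking scheduled backup (should not fire)
    r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
    # 3: constructed, a query rather than a creation
    r'schtasks /query /tn "UEFI boot"',
    # 4: constructed, logon trigger plus a user-writable drop location
    r'schtasks /create /tn "OneDrive Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] task {f.task_name!r} -> {f.target}")
        for reason in f.reasons:
            print("    -", reason)
```

The same parser can be pointed at Sysmon event 1 or EDR process-creation records where the image is schtasks.exe; the "Uses Task Scheduler COM API" signature on this page is a reminder that a sample can register the same task through ITaskService without spawning schtasks.exe at all, so command-line matching should be paired with monitoring of new files under C:\Windows\System32\Tasks.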

Network

  • 209.145.59.89:443
    tls
    winboot.exe
    26 connections (the original table lists each one separately, all with identical counters)
    409 B sent, 2.2kB received, per connection
    6 / 5 packets, per connection
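The network table above is the configured reconnect loop made visible: the same short TLS exchange with 209.145.59.89:443 from winboot.exe, 26 times, with byte and packet counters that never change, which is what a 5000 ms reconnect_delay against a C2 that is not answering looks like. The following is an added example, not part of the report, that finds this pattern in flow records by grouping on (process, destination) and scoring both interval regularity and payload-size uniformity. The report gives no timestamps, so the flow records are constructed with an assumed 5-second cadence plus small jitter; the two noise groups and the thresholds are assumptions as well.

```python
"""Beacon detection over flow records: regular intervals, identical sizes.

Added example, not from the sandbox report. The report shows 26 identical
409 B / 2.2 kB TLS connections but no timestamps, so make_sample_flows()
constructs them with an assumed 5 s cadence (the config's reconnect_delay)
and adds two constructed non-beacon groups for contrast.
"""
from collections import defaultdict
from statistics import median, pstdev


def make_sample_flows():
    """Constructed flow records; timestamps are assumed, not from the report."""
    t0 = 1734417180.0  # arbitrary epoch start
    flows = []
    for i in range(26):  # the report's 26 identical winboot.exe connections
        flows.append({"ts": t0 + 5.0 * i + (0.1 if i % 2 else 0.0),
                      "dst": "209.145.59.89:443", "proto": "tls",
                      "process": "winboot.exe", "sent": 409, "recv": 2200})
    # constructed noise: a browser fetching three pages of varying size
    for i, (s, r) in enumerate([(812, 45000), (640, 12000), (1100, 98000)]):
        flows.append({"ts": t0 + 3.0 + 17.0 * i, "dst": "93.184.216.34:443",
                      "proto": "tls", "process": "iexplore.exe", "sent": s, "recv": r})
    # constructed noise: six irregular service connections (enough to be
    # counted, but neither periodic nor uniform in size)
    offsets = [0, 1, 10, 13, 43, 45]
    sizes = [(300, 900), (1200, 5000), (310, 950), (2000, 40000), (305, 880), (500, 1500)]
    for off, (s, r) in zip(offsets, sizes):
        flows.append({"ts": t0 + 2.0 + off, "dst": "40.126.0.1:443",
                      "proto": "tls", "process": "svchost.exe", "sent": s, "recv": r})
    return flows


def beacon_score(group):
    """Describe how beacon-like one (process, destination) group is."""
    ts = sorted(f["ts"] for f in group)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    interval = median(gaps)
    # relative jitter: spread of the inter-arrival times against their median
    jitter = pstdev(gaps) / interval if interval > 0 else float("inf")
    sizes = [(f["sent"], f["recv"]) for f in group]
    commonest = max(set(sizes), key=sizes.count)
    uniformity = sizes.count(commonest) / len(sizes)
    return {"count": len(group), "interval_s": interval,
            "jitter": jitter, "size_uniformity": uniformity,
            "sent": commonest[0], "recv": commonest[1]}


def find_beacons(flows, min_count=5, max_jitter=0.2, min_uniformity=0.8):
    """Return groups that repeat regularly with (near-)identical payload sizes."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["process"], f["dst"])].append(f)
    hits = []
    for (proc, dst), group in groups.items():
        if len(group) < min_count:
            continue
        score = beacon_score(group)
        if score["jitter"] <= max_jitter and score["size_uniformity"] >= min_uniformity:
            hits.append({"process": proc, "dst": dst, **score})
    return hits


if __name__ == "__main__":
    for b in find_beacons(make_sample_flows()):
        print(f"[!] {b['process']} -> {b['dst']}: {b['count']} connections every "
              f"{b['interval_s']:.1f}s (jitter {b['jitter']:.2f}), "
              f"{b['sent']} B / {b['recv']} B each")
```

Real implants add randomised sleep, so max_jitter has to be loosened in production, and the size-uniformity test is the more robust of the two signals here: an unanswered Quasar reconnect is the same TLS handshake every time regardless of timing.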

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\System32\bootufi\winboot.exe (same size and hashes as the submitted nj.exe: the sample copies itself unchanged into the install path built from the config's subdirectory and install_name)

    Filesize

    3.1MB

    MD5

    fd683344e5fc0a2dc8693f32ff45bf1f

    SHA1

    285fbe54593c2d616caecbaba986ba15cc4972ab

    SHA256

    4c15728c688fd0ef27d2effeb6e37f8b05f104dc07da04926b8e0386b5e58a0e

    SHA512

    b272fe1b94e5b8a55167956d7baf1795fc1fc638cb8af12268bfc40c05a6f8dc22bbf06feb0e5c315ed327b60c6e14c11586d569612c8742ceb27f66c04caa79

  • memory/1192-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

    Filesize

    4KB

  • memory/1192-1-0x0000000001030000-0x0000000001354000-memory.dmp

    Filesize

    3.1MB

  • memory/1192-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

    Filesize

    9.9MB

  • memory/1192-8-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

    Filesize

    9.9MB

  • memory/1744-10-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

    Filesize

    9.9MB

  • memory/1744-9-0x00000000012B0000-0x00000000015D4000-memory.dmp

    Filesize

    3.1MB

  • memory/1744-11-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

    Filesize

    9.9MB

  • memory/1744-12-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

    Filesize

    9.9MB
