Analysis

- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 18-12-2024 02:26
Behavioral tasks

- behavioral1: sample 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe, resource win7-20241010-en
- behavioral2: sample 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe, resource win10v2004-20241007-en

Only the behavioral1 (Windows 7 x64) results are reproduced on this page; every PID and YARA hit below refers to that run.
General

- Target: 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe
- Size: 3.1MB
- MD5: cf049d1ba0fceeb5348f71e15889fbc4
- SHA1: 94cc88586240456f777aed403d955027555db8d1
- SHA256: 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7
- SHA512: 2e7a7d3415164cb453193fdceef02d46c35f9103521b33bc424c9b79659fac2e4b9deb0fe8754f0842546b51403181032b6c7a05116adfc4f2b8fd599c3ad6ed
- SSDEEP: 49152:avelL26AaNeWgPhlmVqvMQ7XSKIxOEMkek/JxwoGdeTHHB72eh2NT:avOL26AaNeWgPhlmVqkQ7XSKIxty
Malware Config

Extracted: quasar

- version: 1.4.1
- tag: RAT 5 (EPIC VERISON)
- c2: serveo.net:11453
- mutex: 7a1301f7-dc6f-4847-a8ee-ca627a9efa0f
- encryption_key: 3B793156AD6D884F51309D0E992DAA75D03D2783
- install_name: Application Frame Host.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Microsoft
- subdirectory: SubDir

Two points for anyone hunting on this config. The C2 host serveo.net is a public SSH reverse-tunnelling service, so the address resolves to whatever the operator is forwarding at the time; block and hunt on the full host:port pair rather than the IP it happens to resolve to. The install name "Application Frame Host.exe" (with spaces, under %APPDATA%\SubDir) imitates the legitimate C:\Windows\System32\ApplicationFrameHost.exe (no spaces); a process with that display name running from the user profile is the thing to look for.
Signatures

Quasar family

Quasar payload (3 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2876-1-0x0000000000B70000-0x0000000000E94000-memory.dmp | family_quasar |
| behavioral1/files/0x0034000000016d42-6.dat | family_quasar |
| behavioral1/memory/2916-8-0x0000000000A40000-0x0000000000D64000-memory.dmp | family_quasar |

Both memory hits are 0x324000 bytes (about 3.1MB), the same size as the submitted file, and the dropped file also matches the family rule: the original process, the dropped file and the dropped copy's process are all the same Quasar client.

Executes dropped EXE (1 IoC)

| pid | Process |
| --- | --- |
| 2916 | Application Frame Host.exe |

Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Application Frame Host.exe\"" | 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Application Frame Host.exe\"" | Application Frame Host.exe |

The value name is the config's startup_key ("Microsoft") and the data is the config's subdirectory plus install_name. Both the original sample (PID 2876) and the dropped copy (PID 2916) write the same value, so the key is re-created on every start of the RAT.

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution. Here each Quasar process spawns schtasks.exe once to create a task named "Microsoft" (again the startup_key) that runs the dropped copy at logon with /rl HIGHEST; the Run key above and this task point at the same binary, so remediation has to remove both or the RAT returns at the next logon.

| pid | Process |
| --- | --- |
| 2108 | schtasks.exe |
| 2236 | schtasks.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2876 | 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe |
| Token: SeDebugPrivilege | 2916 | Application Frame Host.exe |

Suspicious use of WriteProcessMemory (9 IoCs)

The sandbox records each parent-to-child write three times; the three distinct relations are listed once each below.

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2876 wrote to memory of 2108 | 2876 | 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe | 30 |
| PID 2876 wrote to memory of 2916 | 2876 | 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe | 32 |
| PID 2916 wrote to memory of 2236 | 2916 | Application Frame Host.exe | 33 |

Every write goes from a process to a child it has just launched (schtasks.exe and the dropped copy), matching the process tree below; no write into an unrelated process is recorded, so this is process start-up rather than injection into another process.

Uses Task Scheduler COM API (1 TTP)

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe (PID 2876)
  command line: "C:\Users\Admin\AppData\Local\Temp\41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe (PID 2108, child of 2876)
    command line: "schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe (PID 2916, child of 2876)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 2236, child of 2916)
      command line: "schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
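The persistence pair shown in the signatures and the process tree (an HKCU Run value plus an ONLOGON scheduled task, both named "Microsoft" and both pointing at the dropped copy under %APPDATA%\SubDir) is easy to under-rate if each event is judged on its own. The following Python is an added example written for this page, not code from the sandbox or from the Quasar project: it scores schtasks command lines and Run-key writes separately, then correlates them on the target path. The event records (modelled on the PIDs and commands above), the two benign control events, the user-writable directory list, the vendor-name list and the Sysmon-like record shape are all assumptions constructed for the example; it deliberately generalises past this sample to ONSTART triggers, RunOnce and other user-writable roots.

```python
"""Added detection example (not from the sandbox or the Quasar project).

Two scoring rules run over constructed process-creation and registry-set
records modelled on this report, then a correlation step flags a binary that
is persisted by BOTH a logon-triggered scheduled task and a Run key, which is
exactly the pair the sample and its dropped copy create.
"""
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: directories a standard user can write to. A persistence target
# here is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|ProgramData|Users\\Public|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# Assumption: bare vendor names used as a task or Run-value name (sample uses "Microsoft").
MASQUERADE_NAMES = {"microsoft", "windows", "windows update", "update"}
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/ru", "/rp", "/mo", "/st", "/sd"}

QUASAR_TARGET = r"C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe"
RUN_KEY_PATH = (r"HKU\S-1-5-21-2039016743-699959520-214465309-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Run\%s")

# Constructed events: the first three mirror the report (PIDs 2108/2876/2916),
# the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 2108, "ppid": 2876,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": '"schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "%s" /rl HIGHEST /f' % QUASAR_TARGET},
    {"event": "registry_set", "pid": 2876, "key": RUN_KEY_PATH % "Microsoft", "data": '"%s"' % QUASAR_TARGET},
    {"event": "registry_set", "pid": 2916, "key": RUN_KEY_PATH % "Microsoft", "data": '"%s"' % QUASAR_TARGET},
    {"event": "process_create", "pid": 4001, "ppid": 4000,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "VendorUpdate" /sc DAILY /tr "C:\Program Files\Vendor\update.exe"'},
    {"event": "registry_set", "pid": 4002, "key": RUN_KEY_PATH % "VendorTray",
     "data": r'"C:\Program Files\Vendor\tray.exe" /minimized'},
]


@dataclass
class Finding:
    pid: int
    mechanism: str          # "schtasks", "runkey" or "correlated"
    target: str
    reasons: list = field(default_factory=list)


def parse_schtasks(cmdline: str) -> dict:
    """Return schtasks switches as a dict; posix=False keeps Windows backslashes intact."""
    toks = shlex.split(cmdline, posix=False)
    args, i = {}, 1                      # toks[0] is the schtasks image itself
    while i < len(toks):
        t = toks[i].lower()
        if t in VALUE_SWITCHES and i + 1 < len(toks):
            args[t] = toks[i + 1].strip('"')
            i += 2
        else:
            if t.startswith("/"):        # flag switches such as /create or /f
                args[t] = True
            i += 1
    return args


def score_schtasks(cmdline: str):
    """Score a schtasks command line; returns (score, reasons, task action path)."""
    a = parse_schtasks(cmdline)
    if not a.get("/create"):
        return 0, [], None
    target, reasons = a.get("/tr", ""), []
    if USER_WRITABLE.search(target):
        reasons.append("task action lives in a user-writable directory")
    if a.get("/sc", "").upper() in ("ONLOGON", "ONSTART"):
        reasons.append("logon/boot trigger (/sc %s)" % a["/sc"].upper())
    if a.get("/rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requested")
    if a.get("/tn", "").lower() in MASQUERADE_NAMES:
        reasons.append("task name masquerades as a vendor (%r)" % a["/tn"])
    return len(reasons), reasons, target


def score_run_key(key: str, data: str):
    """Score a registry value write; returns (score, reasons, binary path) for Run/RunOnce."""
    m = RUN_KEY.search(key)
    if not m or not data.strip():
        return 0, [], None
    # Value data may be '"C:\path\x.exe" args'; the first token is the binary.
    target, reasons = shlex.split(data, posix=False)[0].strip('"'), []
    if USER_WRITABLE.search(target):
        reasons.append("Run value points into a user-writable directory")
    if m.group(1).lower() in MASQUERADE_NAMES:
        reasons.append("Run value name masquerades as a vendor (%r)" % m.group(1))
    return len(reasons), reasons, target


def analyze(events, threshold: int = 2):
    """Emit per-event findings at or above threshold, plus one correlated finding
    for every binary persisted by both a scheduled task and a Run key."""
    findings, by_target = [], defaultdict(set)
    for ev in events:
        if ev["event"] == "process_create" and ev["image"].lower().endswith("\\schtasks.exe"):
            mech, (score, reasons, target) = "schtasks", score_schtasks(ev["cmdline"])
        elif ev["event"] == "registry_set":
            mech, (score, reasons, target) = "runkey", score_run_key(ev["key"], ev["data"])
        else:
            continue
        if target:
            by_target[target.lower()].add(mech)
        if score >= threshold:
            findings.append(Finding(ev["pid"], mech, target, reasons))
    for path, mechs in by_target.items():
        if {"schtasks", "runkey"} <= mechs:
            findings.append(Finding(0, "correlated", path,
                                    ["same binary persisted by both a logon task and a Run key"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("[%s] pid=%d target=%s" % (f.mechanism, f.pid, f.target))
        for r in f.reasons:
            print("    -", r)
```

Run directly it prints one finding per Quasar event and a final correlated finding for the dropped copy's path, and nothing for the two benign controls. The scoring threshold is deliberately low (two reasons) because the correlation step, not any single event, is what makes this pattern high-confidence; in a real pipeline the event dicts would come from Sysmon event IDs 1 and 13 or the equivalent EDR telemetry.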
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1), T1547.001
- Scheduled Task/Job (1): Scheduled Task (1), T1053.005
Downloads

- Filesize: 3.1MB
- MD5: cf049d1ba0fceeb5348f71e15889fbc4
- SHA1: 94cc88586240456f777aed403d955027555db8d1
- SHA256: 41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7
- SHA512: 2e7a7d3415164cb453193fdceef02d46c35f9103521b33bc424c9b79659fac2e4b9deb0fe8754f0842546b51403181032b6c7a05116adfc4f2b8fd599c3ad6ed

All four hashes are identical to the submitted target, so the downloadable file is a byte-for-byte copy of the sample.