Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 03:02

General

  • Target

    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

  • Size

    3.1MB

  • MD5

    051bfba0c640694d241f6b3621e241b6

  • SHA1

    a5269b7485203914af50cb932d952c10440878c9

  • SHA256

    854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09

  • SHA512

    bdfea5dfca423c4d66de1c9f435a1c0403b8615a0b7627fff665876fa2da48e8914cc2961ca9e66b7d32d2bc4004354e5e932297a479fcc90d495327d14577dc

  • SSDEEP

    49152:AvKgo2QSaNpzyPllgamb0CZof/JDj5RbR4jRoGdMOAuTHHB72eh2NT:Avjo2QSaNpzyPllgamYCZof/JDj5wFc

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

2464c7bf-a165-4397-85fe-def5290750b0

Attributes
  • encryption_key

    09BBDA8FF0524296F02F8F81158F33C0AA74D487

  • install_name

    User Application Data.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windowns Client Startup

  • subdirectory

    Quasar

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
    "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2324
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\OLv5z8ALFq69.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2604
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2624
        • C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
          "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:776
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1880
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\EKGquT9w1Fmc.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2268
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2100
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2528
              • C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
                "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1660
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:484

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\EKGquT9w1Fmc.bat

        Filesize

        261B

        MD5

        42a4fdeea43e160b3d16c37aa908661b

        SHA1

        7a7fe70bc2953dbcfb4ddf5785604591cb4b5b7c

        SHA256

        520b1b721f2058f1a4fc137f5cb510a56e2d5a6a4e403bede7b7ec0a81a6b6b9

        SHA512

        47dd247c139b6f24819222525fd5d256d27583b73af334230cac581b670b771b7a478c476fe5eebe14e893e613740a21eb60cf749931be5e753eb713e6d74b96

      • C:\Users\Admin\AppData\Local\Temp\OLv5z8ALFq69.bat

        Filesize

        261B

        MD5

        4efd182cb0ef4d3a5c2383edc1317691

        SHA1

        202e88339b26c6b6e101f0eb56ec2624f29c5dfd

        SHA256

        c4919091c563dd95f08f11aae97680bf147b943d73833b6cd4cd1e7a1b78613b

        SHA512

        b7bf6cde9a28a5cdb1ae3f054037738b8903ef16125e2a51b7e62a87f013b5b4c67a31c1ba583a9966df7341ee4fb8c984613b55e2ce520a7fb80be5f7b15a9e

      • memory/776-15-0x0000000001050000-0x0000000001374000-memory.dmp

        Filesize

        3.1MB

      • memory/3052-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

        Filesize

        4KB

      • memory/3052-1-0x0000000000DE0000-0x0000000001104000-memory.dmp

        Filesize

        3.1MB

      • memory/3052-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

        Filesize

        9.9MB

      • memory/3052-3-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

        Filesize

        4KB

      • memory/3052-4-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

        Filesize

        9.9MB

      • memory/3052-13-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

        Filesize

        9.9MB