Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 03:26

General

  • Target

    d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe

  • Size

    3.1MB

  • MD5

    f611f4dd12e51ca7a946f308ebd5e04c

  • SHA1

    2f7d049ec2b3ae6a8113b499d92ebc117eed890c

  • SHA256

    d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73

  • SHA512

    7057884406612bff108f1e315efacf83a99f1ec725b4496e737a57938b67edf5f23476b8f99395ec9f8ba355a68779fd5a2668b9caf0ca32b8862529eb413b83

  • SSDEEP

    49152:rvuz92YpaQI6oPZlhP3ReybewozV+vJH4RoGdeJYTHHB72eh2NT:rv092YpaQI6oPZlhP3YybewozV+e

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a27420c6-f346-4b84-b7bd-6b3eab5a43cb

Attributes
  • encryption_key

    09BBDA8FF0524296F02F8F81158F33C0AA74D487

  • install_name

    User Application Data.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windowns Client Startup

  • subdirectory

    Quasar

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3644
    • C:\Windows\system32\Quasar\User Application Data.exe
      "C:\Windows\system32\Quasar\User Application Data.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1040
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiJwtPvwdg68.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1004
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1628
          • C:\Windows\system32\Quasar\User Application Data.exe
            "C:\Windows\system32\Quasar\User Application Data.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3964
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1548
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gN4Uxy3CGPAl.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3608
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3936
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4968
                • C:\Windows\system32\Quasar\User Application Data.exe
                  "C:\Windows\system32\Quasar\User Application Data.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4368
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4264

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User Application Data.exe.log

        Filesize

        2KB

        MD5

        8f0271a63446aef01cf2bfc7b7c7976b

        SHA1

        b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

        SHA256

        da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

        SHA512

        78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

      • C:\Users\Admin\AppData\Local\Temp\gN4Uxy3CGPAl.bat

        Filesize

        211B

        MD5

        f6243329240a0ee4d83708ede08bbf76

        SHA1

        fab36e333b34af1780a1a32b2ca18687f4ece0c4

        SHA256

        597b748483bbd0b69668e0a1a4e56dbe4af9aa23a6a49d65fadcf78c314a7323

        SHA512

        34dc4c5dfb2c1f3056f02a9c3c0acd4f644e9831c28d34a291d1f31621a4965fd393e238621386c81a28be007a41f7a8b6a1d77ed9180bbc65a476c201e77345

      • C:\Users\Admin\AppData\Local\Temp\iiJwtPvwdg68.bat

        Filesize

        211B

        MD5

        4b5d4597021bba14a9a08ca8daf176d1

        SHA1

        853bb48b88e6c7c1b048024a96fcd8183b211be3

        SHA256

        0d2813833a69c0f1b7f67d9c76010d358ea0fda51c6320d621081d80ad2346c5

        SHA512

        daa28097f1411a93d3e000df6230baf0457a3a6e4b634d147604b8ff455af92c5fc58e78c4c9d080fed76dd46005fd6fa82036edbb99f0a208ea62318b93707d

      • C:\Windows\System32\Quasar\User Application Data.exe

        Filesize

        3.1MB

        MD5

        f611f4dd12e51ca7a946f308ebd5e04c

        SHA1

        2f7d049ec2b3ae6a8113b499d92ebc117eed890c

        SHA256

        d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73

        SHA512

        7057884406612bff108f1e315efacf83a99f1ec725b4496e737a57938b67edf5f23476b8f99395ec9f8ba355a68779fd5a2668b9caf0ca32b8862529eb413b83

      • memory/1476-1-0x0000000000EB0000-0x00000000011D4000-memory.dmp

        Filesize

        3.1MB

      • memory/1476-2-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

        Filesize

        10.8MB

      • memory/1476-10-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

        Filesize

        10.8MB

      • memory/1476-0-0x00007FF8470A3000-0x00007FF8470A5000-memory.dmp

        Filesize

        8KB

      • memory/3944-11-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

        Filesize

        10.8MB

      • memory/3944-14-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

        Filesize

        10.8MB

      • memory/3944-19-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

        Filesize

        10.8MB

      • memory/3944-13-0x000000001BF50000-0x000000001C002000-memory.dmp

        Filesize

        712KB

      • memory/3944-12-0x0000000002C40000-0x0000000002C90000-memory.dmp

        Filesize

        320KB

      • memory/3944-9-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

        Filesize

        10.8MB