Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 06:30

General

  • Target

    SGVP Client program.exe

  • Size

    3.1MB

  • MD5

    1ece671b499dd687e3154240e73ff8a0

  • SHA1

    f66daf528e91d1d0050f93ad300447142d8d48bc

  • SHA256

    c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

  • SHA512

    0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

  • SSDEEP

    49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes
  • encryption_key

    09BBDA8FF0524296F02F8F81158F33C0AA74D487

  • install_name

    User Application Data.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windowns Client Startup

  • subdirectory

    Quasar

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe
    "C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2220
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lrttbvw24mwN.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1760
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1416
          • C:\Program Files\Quasar\User Application Data.exe
            "C:\Program Files\Quasar\User Application Data.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3060
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:948
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwz6dbqo6rKg.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2052
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3008
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2580
                • C:\Program Files\Quasar\User Application Data.exe
                  "C:\Program Files\Quasar\User Application Data.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:664
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2044

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Quasar\User Application Data.exe

        Filesize

        3.1MB

        MD5

        1ece671b499dd687e3154240e73ff8a0

        SHA1

        f66daf528e91d1d0050f93ad300447142d8d48bc

        SHA256

        c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

        SHA512

        0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

      • C:\Users\Admin\AppData\Local\Temp\Lrttbvw24mwN.bat

        Filesize

        208B

        MD5

        ec416fb1742be00376914ee7cc1de866

        SHA1

        d28983ec321dbe7aa5b0b6f37a761986c4247192

        SHA256

        8848aeead975a03a8f2751d8796e99fd74d377ba57bddeee03ff3e2fcb0ab387

        SHA512

        d956dcfc2ade3d3e5c4c8400be57abe466bfdac7a06435ee745b200f9f22d2c338c1f23b8320d2159cd60e13fa91d2d46207081eb4a6a01514ff14d60068f70c

      • C:\Users\Admin\AppData\Local\Temp\pwz6dbqo6rKg.bat

        Filesize

        208B

        MD5

        362d8d19f66d737c0725127d9ba01f27

        SHA1

        44d0b8a26dde685180fad034657a1027e7d8031e

        SHA256

        b1c77cdecc076b18e0f8d511f81e968c7486a548734ac8752650ddb1a110924a

        SHA512

        d8d6cf45fe8c158ce7e432154ef17a30aa55889a78332d47a7544f9ae33acf34f8c8a8ee1a19401b7bd24e5b70ffc6b0fd804881e6eb52fccc064a86f1a354e5

      • memory/664-35-0x00000000013D0000-0x00000000016F4000-memory.dmp

        Filesize

        3.1MB

      • memory/1672-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

        Filesize

        4KB

      • memory/1672-1-0x0000000000280000-0x00000000005A4000-memory.dmp

        Filesize

        3.1MB

      • memory/1672-8-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

        Filesize

        9.9MB

      • memory/1672-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

        Filesize

        9.9MB

      • memory/2280-12-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

        Filesize

        9.9MB

      • memory/2280-21-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

        Filesize

        9.9MB

      • memory/2280-11-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

        Filesize

        9.9MB

      • memory/2280-10-0x0000000000270000-0x0000000000594000-memory.dmp

        Filesize

        3.1MB

      • memory/2280-9-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

        Filesize

        9.9MB

      • memory/3060-24-0x0000000000040000-0x0000000000364000-memory.dmp

        Filesize

        3.1MB