Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 06:30

General

  • Target

    SGVP Client program.exe

  • Size

    3.1MB

  • MD5

    1ece671b499dd687e3154240e73ff8a0

  • SHA1

    f66daf528e91d1d0050f93ad300447142d8d48bc

  • SHA256

    c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

  • SHA512

    0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

  • SSDEEP

    49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes
  • encryption_key

    09BBDA8FF0524296F02F8F81158F33C0AA74D487

  • install_name

    User Application Data.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windowns Client Startup

  • subdirectory

    Quasar

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe
    "C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3332
    • C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3204
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZBfRBDy2fifR.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1384
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3320
          • C:\Program Files\Quasar\User Application Data.exe
            "C:\Program Files\Quasar\User Application Data.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1952
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4424
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozHGLl9mBqud.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2380
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1064
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3028
                • C:\Program Files\Quasar\User Application Data.exe
                  "C:\Program Files\Quasar\User Application Data.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3768
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4348

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Quasar\User Application Data.exe

        Filesize

        3.1MB

        MD5

        1ece671b499dd687e3154240e73ff8a0

        SHA1

        f66daf528e91d1d0050f93ad300447142d8d48bc

        SHA256

        c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

        SHA512

        0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User Application Data.exe.log

        Filesize

        2KB

        MD5

        8f0271a63446aef01cf2bfc7b7c7976b

        SHA1

        b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

        SHA256

        da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

        SHA512

        78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

      • C:\Users\Admin\AppData\Local\Temp\ZBfRBDy2fifR.bat

        Filesize

        208B

        MD5

        1846241831915f968fee83d74f7feb2d

        SHA1

        27557ba23b72c1e2db5abc74089d2bb98a65155b

        SHA256

        0012449802ceb115e6ce56c88ff99d9ba87f562dcdd9bfd6544fb1c5ea489df9

        SHA512

        6091a6a66acf6cad8e8876f9ecefdfb46db54fd007f7912c8de2e9791345e6af3f06a956ebb2305292d5b1ad7a369dd62ff67d8143178d2744b0f703d28c8925

      • C:\Users\Admin\AppData\Local\Temp\ozHGLl9mBqud.bat

        Filesize

        208B

        MD5

        7c00677cf97ef0a1c509b15dba14f0e1

        SHA1

        d72ffab1a3b4cb8b0df44e4ff21c1a92bc2a01b3

        SHA256

        3704861734c65dc99fc101e277d1e4dcd789d23fc1931ac14d1954b7d2a86d95

        SHA512

        bce708f694ffdebc12af5bfa193c3359ca0e16e6f58e1648ae53bb2b05f780eb3b1b4b7ac926d32c481745dfb6c8e9a1e2d829ce0ae3be9bbe4a867442acc11a

      • memory/3112-1-0x0000000000DB0000-0x00000000010D4000-memory.dmp

        Filesize

        3.1MB

      • memory/3112-2-0x00007FF9A4C40000-0x00007FF9A5701000-memory.dmp

        Filesize

        10.8MB

      • memory/3112-9-0x00007FF9A4C40000-0x00007FF9A5701000-memory.dmp

        Filesize

        10.8MB

      • memory/3112-0-0x00007FF9A4C43000-0x00007FF9A4C45000-memory.dmp

        Filesize

        8KB

      • memory/4900-11-0x00007FF9A4C40000-0x00007FF9A5701000-memory.dmp

        Filesize

        10.8MB

      • memory/4900-14-0x00007FF9A4C40000-0x00007FF9A5701000-memory.dmp

        Filesize

        10.8MB

      • memory/4900-19-0x00007FF9A4C40000-0x00007FF9A5701000-memory.dmp

        Filesize

        10.8MB

      • memory/4900-13-0x000000001C570000-0x000000001C622000-memory.dmp

        Filesize

        712KB

      • memory/4900-12-0x00000000031E0000-0x0000000003230000-memory.dmp

        Filesize

        320KB

      • memory/4900-10-0x00007FF9A4C40000-0x00007FF9A5701000-memory.dmp

        Filesize

        10.8MB