quasar | hxxps://cdn[.]discordapp[.]com/attachments/1320426903097839636/1320475684333948959/Hellfire[.]rar?ex=6769bc50&is=67686ad0&hm=8ef26812fa3bd983f76bf4aaf08d59b130388ce89b4e535ef45ac8b1f9a0f238&

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1320426903097839636/1320475684333948959/Hellfire.rar?ex=6769bc50&is=67686ad0&hm=8ef26812fa3bd983f76bf4aaf08d59b130388ce89b4e535ef45ac8b1f9a0f238&

Score

10^/10

quasar image discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Image

192.168.56.1:4782

Mutex

312bce56-67e9-4c48-a27a-de306b9dad89

Attributes

encryption_key
691E85B569FC3C88790A081979AAACDC8A8F7C98
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c77-106.dat	family_quasar
behavioral1/memory/2112-114-0x0000000000E20000-0x0000000001146000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Hellfire.bat
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Hellfire.bat
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Hellfire.bat

Executes dropped EXE 7 IoCs

pid	Process
1268	Hellfire.bat
2112	webhook.exe
3780	Client.exe
1132	Hellfire.bat
2996	webhook.exe
3164	Hellfire.bat
684	webhook.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hellfire.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hellfire.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hellfire.bat

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2380	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1132	schtasks.exe
4784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
212	msedge.exe
212	msedge.exe
2864	identity_helper.exe
2864	identity_helper.exe
428	msedge.exe
428	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4312	7zG.exe
Token: 35	4312	7zG.exe
Token: SeSecurityPrivilege	4312	7zG.exe
Token: SeSecurityPrivilege	4312	7zG.exe
Token: SeDebugPrivilege	2112	webhook.exe
Token: SeDebugPrivilege	3780	Client.exe
Token: SeDebugPrivilege	2996	webhook.exe
Token: SeDebugPrivilege	684	webhook.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
4312	7zG.exe
3764	NOTEPAD.EXE
3780	Client.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
3780	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3780	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 1724	212	msedge.exe	83
PID 212 wrote to memory of 1724	212	msedge.exe	83
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 2592	212	msedge.exe	84
PID 212 wrote to memory of 1952	212	msedge.exe	85
PID 212 wrote to memory of 1952	212	msedge.exe	85
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86
PID 212 wrote to memory of 3520	212	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1320426903097839636/1320475684333948959/Hellfire.rar?ex=6769bc50&is=67686ad0&hm=8ef26812fa3bd983f76bf4aaf08d59b130388ce89b4e535ef45ac8b1f9a0f238&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe66e046f8,0x7ffe66e04708,0x7ffe66e04718
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,3222754976805240580,11921361289134692735,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6268 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25236:78:7zEvent27888
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4312

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Hellfire\READ ME.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:3764

C:\Users\Admin\Downloads\Hellfire\Hellfire.bat
"C:\Users\Admin\Downloads\Hellfire\Hellfire.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\webhook.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\webhook.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1132
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3780
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4784

C:\Users\Admin\Downloads\Hellfire\Hellfire.bat
"C:\Users\Admin\Downloads\Hellfire\Hellfire.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\webhook.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\webhook.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Hellfire\Hellfire.bat"
1⤵
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Hellfire\Hellfire.bat"
1⤵
PID:3568

C:\Users\Admin\Downloads\Hellfire\Hellfire.bat
"C:\Users\Admin\Downloads\Hellfire\Hellfire.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3164
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\webhook.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\webhook.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:684

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Hellfire\Hellfire.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\webhook.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79ee972bf7a2b3998df1a2ec44f64d28

SHA1
07c16a6ef25e48f092e95111306b21e55a702cc5

SHA256
cd52a6580882efcd9bf644995010b2bed930a4728e5bd59e1aaaebc81d24cef8

SHA512
4f94d2df84136c9d614ab09d2096eb265290cf0477582025a2904e8eabaedd8fd7d91c6a0b60dcd01785d6acd76e653bdef71083668e51af05410fff64e018c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\db54f72e-b8e7-44a1-98d0-ce3c7a327cd8.tmp

Filesize
5KB

MD5
7d384a3bc5304876dd528fd781520a5c

SHA1
8f7cb2cc8ad0f06da0fdecb7bff0d79438ac050e

SHA256
6d58ae30187e173b2d6ddec4697d0175c241187e3c12060ba46e8a30daa0029e

SHA512
40f2f4f4109a84691ad4b43d3a8bc3e4bbe20ef40e4dfcb5b49d308c19484c83f7b3011450c241a6b489d527fdff92f3f371cd8d47589fe0de33bb7aa3aab5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
91fe45e8997342c93db1778400bc3e07

SHA1
a6325cf3d4a2a5a430d5a82c8739b9b6923d4837

SHA256
913d0511851c0bace4bce499a42519e91def61693d6e983b05e8c9296e1f81f8

SHA512
b1117fb2ab7537c0173efbed9d16bb31f679239ebc71d6a57d1f5631d4ebe5e86bb4f6a0c9310a542b4538c56ef4174f96e46e23d228398108c09af828c6940c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98985373c44c49f038957fb1f685ab42

SHA1
ae8bb136517ad5aea179c28fe0224797ff5817fb

SHA256
6b5d478ddcaddb2bf13e4b018c8ac9f8641ace0519ed0b0c803c5323b89ec655

SHA512
352d84aa4e722121fe26ac82400f653dbe8236c55d580c1f435889e8c7b65289bcb993bf13d1cc552af7bcdcb7350be94d596dc683e79f1b3cde98541b2c22e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
58262790c0b3edbb73f8017c99093acf

SHA1
f61b7576a04c034bce838ead2e8cdf4f1d39b770

SHA256
acae716bb42df8b6de030651e18da343b9b1b896a13618535c80a2888147d25b

SHA512
6ed50fec10e67b658ccd9f84dd52de66d4d58ec52f77ad1901fdcb8651afdd90ba706f09ca1bc7b4b95327e3ebed2e92add31556537880d16d00f0c566d43093

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\webhook.exe

Filesize
3.1MB

MD5
5de097cf1bab5787d9e339724dae7d70

SHA1
8b734c664fac6ffd3143ea55e61a766043c5a83b

SHA256
de9387d3cd7c812d5dd8dd9a78177ef1f265d51d859afb833b3e70684dcbfc9d

SHA512
10a285fc0f6d33b91a705021603a22dde2037766c44ee7060511b0d284b31614d7b9dd7f040e6168ca6e64cbcbb909cdb8e563d06da7c7964e7ea3ea408d1d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\faccia.png

Filesize
314KB

MD5
162d55d87003bc423db9f4cd45919f81

SHA1
990d7caa3defab0a5bb9c9c94033080f3f054313

SHA256
178663bb82c0e7a2c3afb75690b232ca34ddb1696a9168ef8c1e6ab9d5356e2c

SHA512
fce6693734b3a91504e5543ad1c2e8395b489cf526a67b91b2026176963242317feddf6de3382cc27f6d92369db3c4eabcc111b4175d55d40cb500f0e8b2b03a

Download Submit
C:\Users\Admin\Downloads\Hellfire.rar

Filesize
1.5MB

MD5
6d82bf3e1242c978edd031dbd2b7a46a

SHA1
0cc166444ca6fde2652e25cb2bce23bacb446427

SHA256
756ef2f794830fb3229136b9fd0b1e8b16bea65be0bb096788b4c4b141c4a2b6

SHA512
e809cafeb5b8e6e6a012227581665ebf891cb68902299919ad57a4d5ca54f861f22767e3fb3feb3e2d243c3c5c3a54ca2fc71f00693709586536a3b537c77831

Download Submit
C:\Users\Admin\Downloads\Hellfire\Hellfire.bat

Filesize
1.6MB

MD5
95b2529fea9aa9b77a696b8e9cb734d4

SHA1
8f5409ea4cfc08c60b7c555f132151c40484c236

SHA256
5e3c77fc511fc6c212d57c75f50a97a284668ec75f7c0e5d5604f493ead0b5d5

SHA512
40d6a3d711dae74c077e720083e96b53ca5dab41fe7bb72de4569f0d41d90b4131c00aaf707ddab0fd6c24dc607351bb62557390244d4ebcec6e7469a034a824

Download Submit
C:\Users\Admin\Downloads\Hellfire\READ ME.txt

Filesize
424B

MD5
7b497d8689cef4f7b4253598bad18037

SHA1
e8a4403bb001ff6866e22d0ed6690480305c0322

SHA256
b1f2d3d3ab07649ef94cea11621db3aca6e3b229fe9dcd2b0da97fdb589678c4

SHA512
7fd231d28e2bd9170b20bce9fb06d0b067d226c03e11cc1691e302da0e49b7954733bce8f77ca869a7fd0879bd349b28d33532b025172581ceaa15ced20a1499

Download Submit
memory/2112-114-0x0000000000E20000-0x0000000001146000-memory.dmp

Filesize
3.1MB

Download
memory/3780-121-0x000000001C350000-0x000000001C3A0000-memory.dmp

Filesize
320KB

Download
memory/3780-122-0x000000001C460000-0x000000001C512000-memory.dmp

Filesize
712KB

Download
memory/3780-123-0x000000001CB50000-0x000000001D078000-memory.dmp

Filesize
5.2MB

Download