Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-12-2024 05:50
General
-
Target
msgde.exe
-
Size
3.1MB
-
MD5
c9536d9bb5c51fe2741cbf206531c13b
-
SHA1
5e4e1d68dd06301cf7810fa04589917aadfefad7
-
SHA256
1dff2a45e9861cdcb8741dd196123e32e2b9004b950ee21b9bacc9f99be14fdc
-
SHA512
e3bd730edd61ef54180ca004947cdcd1de88756ecec7f7f46f0a66702e5f271243ff096b0dc3c1e93621948745374fe996704078a64d23a7d049f424e754f5f7
-
SSDEEP
49152:avBt62XlaSFNWPjljiFa2RoUYI63RJ6TbR3LoGd/THHB72eh2NT:avr62XlaSFNWPjljiFXRoUYI63RJ6F
Malware Config
Extracted
quasar
1.4.1
Office04
185.228.82.21:4782
59c47ccd-e59a-4ccb-933e-f1094e43684c
-
encryption_key
7CDE15C94B12183E5BC0673A57C6342C87E44E2A
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
msgde
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\msgde.exe"C:\Users\Admin\AppData\Local\Temp\msgde.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5c9536d9bb5c51fe2741cbf206531c13b
SHA15e4e1d68dd06301cf7810fa04589917aadfefad7
SHA2561dff2a45e9861cdcb8741dd196123e32e2b9004b950ee21b9bacc9f99be14fdc
SHA512e3bd730edd61ef54180ca004947cdcd1de88756ecec7f7f46f0a66702e5f271243ff096b0dc3c1e93621948745374fe996704078a64d23a7d049f424e754f5f7
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB