Analysis

  • max time kernel
    30s
  • max time network
    24s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    28-12-2024 15:14

General

  • Target

    Loader.exe

  • Size

    3.1MB

  • MD5

    e9a138d8c5ab2cccc8bf9976f66d30c8

  • SHA1

    e996894168f0d4e852162d1290250dfa986310f8

  • SHA256

    e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3

  • SHA512

    5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

  • SSDEEP

    49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Dystopian-62863.portmap.host:62863

Mutex

e1de8f9b-5a7a-4798-a6fb-c03591ef3442

Attributes
  • encryption_key

    8C1BB32BFD240218BA0CB04D65341FB1FDE1E001

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SubStart

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTPs, 3 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4716
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3724
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytfDY6aFWNV5.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:3624
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2704
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3108
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3428
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RlRSBj8PuOSH.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1312
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4348
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3004
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2728
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4028
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dkgz0SKuabHk.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1708
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1996
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4996

Network

  • DNS 217.106.137.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response:
  • DNS 68.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 68.32.126.40.in-addr.arpa IN PTR
    Response:
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response:
  • DNS Dystopian-62863.portmap.host
    Process: Client.exe
    Remote address: 8.8.8.8:53
    Request: Dystopian-62863.portmap.host IN A
    Response:
  • DNS 154.239.44.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 154.239.44.20.in-addr.arpa IN PTR
    Response:
  • DNS Dystopian-62863.portmap.host
    Process: Client.exe
    Remote address: 8.8.8.8:53
    Request: Dystopian-62863.portmap.host IN A
    Response:
  • DNS 228.249.119.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 228.249.119.40.in-addr.arpa IN PTR
    Response:
  • DNS Dystopian-62863.portmap.host
    Process: Client.exe
    Remote address: 8.8.8.8:53
    Request: Dystopian-62863.portmap.host IN A
    Response:

  • 8.8.8.8:53  217.106.137.52.in-addr.arpa  dns  73 B  147 B  1  1
    DNS Request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53  68.32.126.40.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 68.32.126.40.in-addr.arpa
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B  144 B  1  1
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  Dystopian-62863.portmap.host  dns  Client.exe  74 B  167 B  1  1
    DNS Request: Dystopian-62863.portmap.host
  • 8.8.8.8:53  154.239.44.20.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 154.239.44.20.in-addr.arpa
  • 8.8.8.8:53  Dystopian-62863.portmap.host  dns  Client.exe  74 B  167 B  1  1
    DNS Request: Dystopian-62863.portmap.host
  • 8.8.8.8:53  228.249.119.40.in-addr.arpa  dns  73 B  159 B  1  1
    DNS Request: 228.249.119.40.in-addr.arpa
  • 8.8.8.8:53  Dystopian-62863.portmap.host  dns  Client.exe  74 B  167 B  1  1
    DNS Request: Dystopian-62863.portmap.host

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

          Filesize

          2KB

          MD5

          7787ce173dfface746f5a9cf5477883d

          SHA1

          4587d870e914785b3a8fb017fec0c0f1c7ec0004

          SHA256

          c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

          SHA512

          3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

        • C:\Users\Admin\AppData\Local\Temp\Dkgz0SKuabHk.bat

          Filesize

          207B

          MD5

          f15ed91bc8e7d8399b0ce895631f79a3

          SHA1

          00f5533166ed8899b8b378d9084437fedfc5061e

          SHA256

          275a61700e52f55cc0f20ce023ffdff4cfedc39e07583d44fcac32377c6423fb

          SHA512

          3a7086e7063aec4f854f687ee060600781d48d85065732b54892905abe4101df5dc0ddb3bd832458f8be99449492c01d3c53fdb2e9bec0b7d74dd407f813ff8d

        • C:\Users\Admin\AppData\Local\Temp\RlRSBj8PuOSH.bat

          Filesize

          207B

          MD5

          0f254c6fd9633b64da1f3c57ba434a71

          SHA1

          f4535746bbc298b4ef6ec7223cab23e58ec6ab44

          SHA256

          21088accfb401ee3302cbc6b8850aa4f2ef3dfe7fe7c96e701f7bc453fe9eda2

          SHA512

          61db7634efc43bfb6a306a84a3ce69ab6da996ad8573892673a5b89156791696fa94e5df74a5c3d17a5c1aed407a680fdbbe64ff1608c4994dc8ae5c945e3aa6

        • C:\Users\Admin\AppData\Local\Temp\ytfDY6aFWNV5.bat

          Filesize

          207B

          MD5

          0ba95ddb38b384e37dbf77b0d43f502a

          SHA1

          577dd2e435d1981288d9934f315dbfeb88b6ad9d

          SHA256

          05d686738b5898b6c4b2f67760fb0062d83a090be8463e19a2dc084c905c05a6

          SHA512

          9c362481e2035985d3815d276664ff82191504f26d53dee172481ef68a50c60951e0f6d9edb6d5b29f7b7eb22bdba0c2f2290e61f08ad8d3d62315635178e4fc

        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

          Filesize

          3.1MB

          MD5

          e9a138d8c5ab2cccc8bf9976f66d30c8

          SHA1

          e996894168f0d4e852162d1290250dfa986310f8

          SHA256

          e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3

          SHA512

          5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

        • memory/632-7-0x00007FFFC2FC0000-0x00007FFFC3A82000-memory.dmp

          Filesize

          10.8MB

        • memory/632-8-0x000000001C570000-0x000000001C5C0000-memory.dmp

          Filesize

          320KB

        • memory/632-9-0x000000001C680000-0x000000001C732000-memory.dmp

          Filesize

          712KB

        • memory/632-5-0x00007FFFC2FC0000-0x00007FFFC3A82000-memory.dmp

          Filesize

          10.8MB

        • memory/632-17-0x00007FFFC2FC0000-0x00007FFFC3A82000-memory.dmp

          Filesize

          10.8MB

        • memory/2044-6-0x00007FFFC2FC0000-0x00007FFFC3A82000-memory.dmp

          Filesize

          10.8MB

        • memory/2044-0-0x00007FFFC2FC3000-0x00007FFFC2FC5000-memory.dmp

          Filesize

          8KB

        • memory/2044-2-0x00007FFFC2FC0000-0x00007FFFC3A82000-memory.dmp

          Filesize

          10.8MB

        • memory/2044-1-0x0000000000490000-0x00000000007B4000-memory.dmp

          Filesize

          3.1MB
