Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-01-2025 04:56

General

  • Target

    6d6c9c719e2f757442374af378c343a7.exe

  • Size

    3.1MB

  • MD5

    6d6c9c719e2f757442374af378c343a7

  • SHA1

    a58a2aa6dae2dbdf64472614985cac2adce4eddb

  • SHA256

    444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646

  • SHA512

    a3ef795e64b1d43ca300da97abc7d211e5987064c1c7cafa7a1dadcd1cb35902fb230f5b8e9a008ced4bc1d33573403bad2d99a4ccca9b6b749355110eb10210

  • SSDEEP

    49152:HwElUPhZwv68DkG17WlqTz5oqM/p7vGJfAHdkTHHB72eh2NT:HwYUPhZwv68DkG17WlqTzeqM/p6t

Malware Config

Extracted

Family

quasar

Version

1.4.2

Botnet

Office04

C2

193.31.28.181:4004

Mutex

704ccf6d-01bf-4037-a807-12a60509b1a4

Attributes
  • encryption_key

    379B83B5AFE5908E0BC4583EBB5A83D7B76D2E00

  • install_name

    Client.exe

  • log_directory

    $77-Logs

  • reconnect_delay

    3000

  • startup_key

    $77-cmd

  • subdirectory

    $77-cmd

Signatures

  • Quasar RAT

    Quasar is an open-source Remote Access Tool.

  • Quasar family
  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • Indicator Removal: File Deletion (1 TTPs)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (3 IoCs)
  • Modifies registry class (13 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d6c9c719e2f757442374af378c343a7.exe
    "C:\Users\Admin\AppData\Local\Temp\6d6c9c719e2f757442374af378c343a7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1080
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /f
        3⤵
        • Modifies registry class
        PID:1100
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
        3⤵
        • Modifies registry class
        PID:1476
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3196
        • C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe
          "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3996
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "$77-cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1404
      • C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2236
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
        3⤵
        • Modifies registry class
        PID:2864
      • C:\Windows\system32\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat"
        3⤵
        PID:3544
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4932
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
        3⤵
        PID:2240
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d "C:\Users\Admin\AppData\Roaming\$77-cmd\Install.exe" /f
        3⤵
        • Modifies registry class
        PID:3352
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
        3⤵
        • Modifies registry class
        PID:4344
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:4708
      • C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:1980
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\ms-settings\shell\open\command" /f
        3⤵
        • Modifies registry class
        PID:2272
      • C:\Windows\system32\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat"
        3⤵
        PID:1828
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$77-cmd\Melt.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\$77-cmd\Client.exe

    Filesize

    3.1MB

    MD5

    6d6c9c719e2f757442374af378c343a7

    SHA1

    a58a2aa6dae2dbdf64472614985cac2adce4eddb

    SHA256

    444c97f6db0626069965d9e4ddb4bf315326954c51b123b3dc7d64084e7fb646

    SHA512

    a3ef795e64b1d43ca300da97abc7d211e5987064c1c7cafa7a1dadcd1cb35902fb230f5b8e9a008ced4bc1d33573403bad2d99a4ccca9b6b749355110eb10210

  • C:\Users\Admin\AppData\Roaming\$77-cmd\Melt.bat

    Filesize

    118B

    MD5

    de5e036a2f08f6ca6f6c501e906ee183

    SHA1

    a3c38b7d2ea31066d0bae492fb56649c22a73153

    SHA256

    d6c0337116e52ef3fb46fcab1ade26cf9538e47f892c362f5317de3dd98d27ae

    SHA512

    80ae4c5985b78fc2a74ab8946125f6a04ae8ca9102ad313fe543772a7aace610af1a8c17efaaadcbdad29cb1fa3170de632a984ec183e24fa7cdfeb81664c384

  • C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass1.bat

    Filesize

    368B

    MD5

    2c3953fd265ea1d97e348ff0a6daa80a

    SHA1

    f794d9fc87e3011b1b134b45a20a5a3b7762497c

    SHA256

    5b580991ef331e03c600f18fcdcae08763ee887c4ffa4d714244fa19dc762082

    SHA512

    7b442c0934db9aca25cbc2d5b6d84f762905837f60120bc083b83d4858e6c24dec5633db5dff89825435f67f2fde9c1de5bf05ec21c6e6851c3e2ec0e853dad0

  • C:\Users\Admin\AppData\Roaming\$77-cmd\UACBypass2.bat

    Filesize

    401B

    MD5

    8702552763fe86626d3cb6c766578cc8

    SHA1

    53f2b99da6b2e1edc557fd999801b8e768699da0

    SHA256

    e199e4c1f8ce95a86356655c6863bbdc0c4266bee73c872e97398419672ed626

    SHA512

    355063c41d254ad0675c36f535b84d4bf1c6d716dc785bcdd668edb53d76454d3b372bacfe0c382a38be2b813eb463545deed47bf724c3d6d4fd52aa129b79e3

  • memory/3996-11-0x0000000002CB0000-0x0000000002D00000-memory.dmp

    Filesize

    320KB

  • memory/3996-12-0x000000001D690000-0x000000001D742000-memory.dmp

    Filesize

    712KB

  • memory/5064-0-0x00007FFC53833000-0x00007FFC53835000-memory.dmp

    Filesize

    8KB

  • memory/5064-1-0x0000000000610000-0x0000000000934000-memory.dmp

    Filesize

    3.1MB

  • memory/5064-2-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

    Filesize

    10.8MB

  • memory/5064-20-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

    Filesize

    10.8MB