quasar | 79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71

Reason

Machine shutdown

General

Target

ddnstest.exe
Size

3.1MB
MD5

0b301a943083061bb0e95c688ad02dcf
SHA1

b26d04fcad24a618a422ae156774218d42538d88
SHA256

79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71
SHA512

58e8fa3c6dd985d89fa2cd6a6f91ce87929165cee9d85b0fb1cbb70cfb33053567a333464da804ee7cee80f33bb5b065de4817812b114b9c7dbe5ef60e6ab923
SSDEEP

49152:avyI22SsaNYfdPBldt698dBcjHF2tjmzeEoGdzTHHB72eh2NT:avf22SsaNYfdPBldt6+dBcjHF2te

Score

10^/10

quasar office04 discovery persistence privilege_escalation spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

hiimbob.ddnsking.com:9112

Mutex

91f1b164-f669-47a1-b3ec-59976d66b33a

Attributes

encryption_key
FD9ED3A6AE6574CE5C854385C6AC2FC432580344
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral3/memory/2628-1-0x0000000000B00000-0x0000000000E24000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	ddnstest.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4040	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1764	ipconfig.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	ddnstest.exe
Token: SeDebugPrivilege	1796	whoami.exe
Token: SeShutdownPrivilege	3808	shutdown.exe
Token: SeRemoteShutdownPrivilege	3808	shutdown.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2628	ddnstest.exe
2628	ddnstest.exe
2628	ddnstest.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2628	ddnstest.exe
2628	ddnstest.exe
2628	ddnstest.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	ddnstest.exe
1896	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4912	2628	ddnstest.exe	91
PID 2628 wrote to memory of 4912	2628	ddnstest.exe	91
PID 4912 wrote to memory of 2616	4912	cmd.exe	93
PID 4912 wrote to memory of 2616	4912	cmd.exe	93
PID 4912 wrote to memory of 1764	4912	cmd.exe	94
PID 4912 wrote to memory of 1764	4912	cmd.exe	94
PID 4912 wrote to memory of 4040	4912	cmd.exe	95
PID 4912 wrote to memory of 4040	4912	cmd.exe	95
PID 4912 wrote to memory of 1796	4912	cmd.exe	96
PID 4912 wrote to memory of 1796	4912	cmd.exe	96
PID 2628 wrote to memory of 3808	2628	ddnstest.exe	97
PID 2628 wrote to memory of 3808	2628	ddnstest.exe	97

C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
"C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /K CHCP 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\chcp.com
    CHCP 437
    3⤵
    PID:2616
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1764
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4040
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3808

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2628-0-0x00007FFE701B3000-0x00007FFE701B5000-memory.dmp

Filesize
8KB

Download
memory/2628-1-0x0000000000B00000-0x0000000000E24000-memory.dmp

Filesize
3.1MB

Download
memory/2628-2-0x00007FFE701B0000-0x00007FFE70C72000-memory.dmp

Filesize
10.8MB

Download
memory/2628-3-0x000000001CF30000-0x000000001CF80000-memory.dmp

Filesize
320KB

Download
memory/2628-4-0x000000001D040000-0x000000001D0F2000-memory.dmp

Filesize
712KB

Download
memory/2628-7-0x00007FFE701B3000-0x00007FFE701B5000-memory.dmp

Filesize
8KB

Download
memory/2628-8-0x000000001CFC0000-0x000000001CFD2000-memory.dmp

Filesize
72KB

Download
memory/2628-9-0x000000001DC40000-0x000000001DC7C000-memory.dmp

Filesize
240KB

Download
memory/2628-10-0x00007FFE701B0000-0x00007FFE70C72000-memory.dmp

Filesize
10.8MB

Download
memory/2628-13-0x00007FFE701B0000-0x00007FFE70C72000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads