Analysis
-
max time kernel
5s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-01-2025 14:56
General
-
Target
New Text Document mod.exe
-
Size
761KB
-
MD5
c6040234ee8eaedbe618632818c3b1b3
-
SHA1
68115f8c3394c782aa6ba663ac78695d2b80bf75
-
SHA256
bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0
-
SHA512
a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf
-
SSDEEP
12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9mWej:mnsJ39LyjbJkQFMhmC+6GD9I
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
quasar
1.3.0.0
School
gamwtonxristo.ddns.net:1717
QSR_MUTEX_M3Vba1npfJg3Ale25C
-
encryption_key
VtojWKM7f1XyCVdB41wL
-
install_name
comctl32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender Startup Scan
-
subdirectory
Windows Defender
Extracted
quasar
1.4.1
Office04
0.tcp.in.ngrok.io:14296
193.161.193.99:20466
cc827307-beb6-456e-b5dd-e28a204ebd45
-
encryption_key
93486CAE624EBAD6626412E4A7DC6221B139DAA8
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
xworm
5.0
137.184.74.73:5000
XukSoXxFQFDQJQvq
-
Install_directory
%ProgramData%
-
install_file
System.exe
Extracted
asyncrat
0.5.8
Default
2.tcp.eu.ngrok.io:19695
gonq3XlXWgiz
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Xworm Payload 2 IoCs
-
Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 6 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"1⤵
- Quasar RAT
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"4⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98XZmpy1bJmm.bat" "5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 22005⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"3⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe"C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe"4⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a\mac.exe"C:\Users\Admin\AppData\Local\Temp\a\mac.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\win.exe"C:\Users\Admin\AppData\Local\Temp\a\win.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\run.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 16884⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"3⤵
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 9641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2956 -ip 29561⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
761KB
MD5c6040234ee8eaedbe618632818c3b1b3
SHA168115f8c3394c782aa6ba663ac78695d2b80bf75
SHA256bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0
SHA512a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf
-
Filesize
8KB
MD569994ff2f00eeca9335ccd502198e05b
SHA1b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA2562e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
219B
MD571d0c3acbf50b533264329492d967714
SHA1adef96ca82af526678fa717128d308db4df1906c
SHA256e7fd51c4f3f33ce78b2b7481c1b0bcc17cfe9504431bb6d581afb0cffcf2555b
SHA512a7885f203b4d0e17d3d2883293310604ce223dd7ac5182e7e4553cde0ad518c58f0afa28869257280fff082b9ed475d54f63c121676065ec81f85b999807da17
-
Filesize
21KB
MD55ab374f9af7d94646f2abaa46a4782fd
SHA10cad4b0a81aee3d8eeaa9cb022171babb3ebc72b
SHA25642f60fd5662fea2c8025e59bf18ef5794e6b32e0066fcfe12ac68ee3d7b9bde7
SHA5129ba9f82df4f20d3b6675112c33ac1480a08faaa96f9c5e36a51b461fad449559d6e3ff304e7eeac2584a2c901a006fc8bed18ad4d836a33f2a082e5b5a06fcb7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
234KB
MD5f6cd645f9c34789c5e8371e8b518871c
SHA16eac61bd26cb167b5987d94b369a9034e3979464
SHA2561a03d1b4b859424531b81e5c6e0278bad00f1995767d45055727d68de7cf3a3a
SHA512335931727d7e1c2d2ece2e8a505feb9ef17413ea82af883ab80028a83007ffc55823888db842938a9ea5b340b0779c79b608d0c8afbb7c82056fe5f3d75e3131
-
Filesize
3.1MB
MD521ce4cd2ce246c86222b57b93cdc92bd
SHA19dc24ad846b2d9db64e5bbea1977e23bb185d224
SHA256273c917fc8fddcb94de25686720df1ea12f948dfbebffa56314b6565123ae678
SHA512ff43fe890e30d6766f51922cfd1e9c36d312fd305620954fae8c61829f58d7361ae442bf9145339904eb6a88c2629c1e83f5b8a1d78ab0d13554cf6053d194f6
-
Filesize
45KB
MD59dcd35fe3cafec7a25aa3cdd08ded1f4
SHA113f199bfd3f8b2925536144a1b42424675d7c8e4
SHA256ce4f85d935fe68a1c92469367b945f26c40c71feb656ef844c30a5483dc5c0be
SHA5129a4293b2f2d0f1b86f116c5560a238ea5910454d5235aedb60695254d7cc2c3b1cd9dd1b890b9f94249ee0ca25a9fb457a66ca52398907a6d5775b0d2e2b70d3
-
Filesize
264KB
MD54ed8aa9db458acc0d65765ec16bb1346
SHA1bc3434dee8225a7b1e18ffa4654a3de098dfc11c
SHA256c80871c2c51b513894b20774fc1da5c7c0b46fb57d5085ef08eb2ebd02c11dea
SHA5124918ab97ef2ac6573ae5e30705c5d4b411953e71c04109f57b61ca2fdbaec180578e03f940f16cd42be2d305cad20d3a5f8451ea0940cde8288b638502ab4cfb
-
Filesize
35KB
MD5c95261eab6c76d4e65624919ccb13cd7
SHA19daad5cc07c35f96061ffec077454c99508f2532
SHA2566a8a6457a46f87a5d42d578b4807bee42305920cbf1bfb0402d8f3ae0c91ae30
SHA51292acd72ccee4ed8d7f66abb2e1b0520f76310d13634578aa46ce28229316ecbd6603bc6b9febe0fa91852c589f043fc3870229a921ac27020feb79f6b0dc4417
-
Filesize
3.1MB
MD5ff8c68c60f122eb7f8473106d4bcf26c
SHA10efa03e7412e7e15868c93604372d2b2e6b80662
SHA2565ff2becf2c56500cb71898f661c863e647a96af33db38d84d7921dc7dbf4f642
SHA512ab92ef844a015c3fcbfba313872b922bff54184b25623ed34f4829bd66a95af081cdeefd35425a4d3b9d9085ccf8c25045cf6093d74a5c8c35012c1b7546688e
-
Filesize
72KB
MD50076324b407d0783137badc7600327a1
SHA129e6cb1f18a43b8e293539d50272898a8befa341
SHA25655c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583
SHA51296b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4
-
Filesize
28KB
MD52d3c280f66396febc80ee3024da80f8e
SHA170bda33b1a7521800a2c620cda4cf4b27487fa28
SHA256a7e4b2fd9cdb85f383f78ffe973776d40262d53727d0c58ea92c200ec1a7bd6d
SHA51226b38d618238336e36fd79f1e63b7c59490ca3e5616306da3ae3e0907415a1746aac638930e01f93529b16f3fe7968d48f5557d6bf32385f82a7bf1f944cf4ad
-
Filesize
507KB
MD54e7b96fe3160ff171e8e334c66c3205c
SHA1ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA5122e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
-
Filesize
6KB
MD5f391621b64e5287aa53ba37dfc327138
SHA15b82777d9cba4567dc1a111fd93e3ef7639ac7af
SHA2567f7488259f1de363018c36626ad42f8d2f9671f91542cb21eb5f1d7fbf5c20f6
SHA512b26f78c81db0ae7f7e294b56416ff136d747b76d1009df928401b0e4eebc6774acc4cb5ff8dd55c52edd8370ab154ce60fa9bb0bac2752cc769f47c83b4eb254
-
Filesize
165B
MD5288c58f3580883f4312443d845fd0323
SHA100932e3b83213e92770f07020df5c849728a3f1a
SHA256c942c6f38a8b4fe90b563918279596c5c0c0ae86f2283720bccb650c87dd7420
SHA5125096c123a16ce023354561da280c44f3e53f6b702679223ec20fd6fb4586db152e85ce581d7dcc54535e2ce6c9e3e3edc6c17d61585b8431583cd099bd7fc6e9
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
784KB
-
Filesize
56KB
-
Filesize
168KB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
144KB
-
Filesize
136KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
320KB
-
Filesize
3.1MB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
784KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
784KB
-
Filesize
64KB
-
Filesize
64KB