Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-01-2025 21:07
General
-
Target
RC7old.exe
-
Size
3.1MB
-
MD5
5efb08d03470612d11124136accc84fa
-
SHA1
46abe602f6566ff6103f504ef8ae73f43eae19c1
-
SHA256
853cf003dd01ec972a222a28b1e8b260fb06fab20245e609cb7df103d110343f
-
SHA512
13a1fbeae357662e2e2a60e511a3bce2f63fef40a96ba49f25e745dd466ca3da24de5155f0f2233e8d15941f353a21df14247ab7b4ebf84ee419ca7d7b7ae74a
-
SSDEEP
49152:CvHI22SsaNYfdPBldt698dBcjHuYREEf/yk/65LoGdvYAFTHHB72eh2NT:Cvo22SsaNYfdPBldt6+dBcjHuYRkp
Malware Config
Extracted
quasar
1.4.1
RC7old
yellow-parts.gl.at.ply.gg:52085
8356bffd-2b62-44f9-937c-4adee31d9ea3
-
encryption_key
5471C1CD3CF5D10BA14E0A632D9E07BC5FEE0E2B
-
install_name
RC7old.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System
-
subdirectory
System
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RC7old.exe"C:\Users\Admin\AppData\Local\Temp\RC7old.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\System\RC7old.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\System\RC7old.exe"C:\Windows\system32\System\RC7old.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\System\RC7old.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD55efb08d03470612d11124136accc84fa
SHA146abe602f6566ff6103f504ef8ae73f43eae19c1
SHA256853cf003dd01ec972a222a28b1e8b260fb06fab20245e609cb7df103d110343f
SHA51213a1fbeae357662e2e2a60e511a3bce2f63fef40a96ba49f25e745dd466ca3da24de5155f0f2233e8d15941f353a21df14247ab7b4ebf84ee419ca7d7b7ae74a
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
10.8MB