Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-01-2025 23:02
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
quasar
1.4.1
Office04
biseo-48321.portmap.host:48321
14.243.221.170:2654
cb74f432-50f1-4947-8163-7687a0292fb0
-
encryption_key
D1BBEF3C04D88FE8F97EE2745041632CE9C760EE
-
install_name
Svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Svchost
-
subdirectory
Svchost
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 4 IoCs
-
Downloads MZ/PE file 3 IoCs
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 7 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe"C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUSd9LjTsydx.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgeqTkv8jQEw.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9IcNPfZWUpYj.bat" "8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CTsvZHeM0WnJ.bat" "10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f12⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45qpLfIjo3Xf.bat" "12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f14⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQFd5C0wbT9m.bat" "14⤵
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f16⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lo0g7okaSe42.bat" "16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Runtime%20Broker.exe"C:\Users\Admin\AppData\Local\Temp\Files\Runtime%20Broker.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
209B
MD54edaac69fa688cdbc053be82724b0a0e
SHA1658bbc652a6ed1d136e4f097bda2ad8f8ecf1db7
SHA25669bac7e792aa4792954ee56f5f6b7404cc7647d09b99d39c32e99db2e51cab8a
SHA512b443e661c983a061f95ae23a044cb3ca66520960cd279eb63619bbfdb50bc9c21915f5e16cf1c4f82e156fca76ec87afef1f77a5e0f43291467947b4cf3d6401
-
Filesize
209B
MD57560e30806640ff76abdace6d6161004
SHA1255fc5b7b9d9571a1280a4ad3d5d65a06539a4fb
SHA2566beb516848e5a2f7790490576af51de5a5b3327de8b865afce427a987775a84c
SHA5126ba2b0ba2b7df9d3cd391674ba9fccf6d1f51db519789d849cbd00b974fac238e2625deab61b67fe1727724ca40694de854250e18656f2eb71c04481cc54561e
-
Filesize
209B
MD50c82b32c5310adcb05510ee7cf2309c1
SHA18fa242646123fbe0dd20b9faba5de6526215c18b
SHA25666234e613c6d3e54e42237fca8c05d72a5871b895b51fb0da750b9f31a7b2137
SHA512a0dd8eb120be08cccf67a45fb626eb9e43a9537e7d79e54e78112c92b540d9a1f5c3e9d45d7107bb7f2307c750a26e6a77cf3b90fa1bd47f34efea15cdcdd0d5
-
Filesize
127B
MD5294317134d9f8c66330f71049ee83041
SHA1710c07c3bffa3a3939edc0bc8d00e57fe31cf1c8
SHA2565d91d78ba765b994ce05b94ad50eadd2d18689077b25e5452fcbf551656d7267
SHA5129e5ae4669a677ccd4778feafc29436e295b6b4fb1fbdf6ac103f81699b1fc41d7c71f551d53b9358aeb62bcf4446cec1e052e0f3c73118f26760f9c09fed45d4
-
Filesize
3.1MB
MD5f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1
-
Filesize
3.1MB
MD56f154cc5f643cc4228adf17d1ff32d42
SHA110efef62da024189beb4cd451d3429439729675b
SHA256bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff
SHA512050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1
-
Filesize
5.9MB
MD5557401ef9c2dc1c5af9441e015c38db3
SHA1af1fd1da7c1c90ba1416651fc64390b0eea5aad4
SHA25679d55475a80f2635c1e56b45b0f9f28834bda1c1828a69fe14b4a47f7175e4be
SHA5123976c255508ea86411076a4becff60ad11d8d13e15bc0b49489d0f95110755ab27830d0ec6e094097a5f8221a8840cf4a9024f9f0090b14284375359aec72ffe
-
Filesize
209B
MD5375c381096a1ee19a411783155b0629f
SHA17ee3b28e44e456c2b9a087496a2a23de6b35a80d
SHA256e09bb9dd8bcac62b7418f4785b3fc2ab762c701c25a53d119e802a57f230e7b0
SHA51261e4a45ba8f06df1f0d55771f3ab1c738160759d982425525a0333ac6c8aa773ee542601e429b1ca9f6aec07239e10404870721761b4e1ca48ab1ec06397c122
-
Filesize
209B
MD5502a487edd68c14c2dab1cfdabd2664a
SHA1fb8e2b0bf820ac4367f8cebedec216b41b06b839
SHA25665fd2553ef0dd2da984095cc503014cf2ba1679e371aea2ece7f5f3fa273d0c7
SHA5125f48a6afbcfc9b62741e03c1939d1d68e4e40e3691965c293ac4c0dbba6e2ec20ea3b2be76be87e12a1fd1847d3eb1e7a9ee1d7190d70496dab507ed602d2a91
-
Filesize
209B
MD5d2955636478ead79d0116c20b8a64185
SHA1c7ebe112e792b3d71996abb55750493483f6e4c9
SHA2568c6ce36f2c48239becab7cb397b86707bc50ead4d08bd6da55aa4c16e9cc3554
SHA512ac9618d57f06a186e396a8c99545c94b4c05ca5842b0249876f837ae717ced25f80d1ae3a724a7ba4408ad99c2c171ef29d9d8bdba68abd3b94e06b64607a0a2
-
Filesize
209B
MD507c5d41873d4361183274980cb215ebb
SHA184318b4eb750ce3c110dc27cf58b4dca1d994a55
SHA256a6fe7f2af4c5ac907bd42ec6b8d737aea3330de7b158bd800fdc9e1665e2b9d0
SHA512c0689b40fd0623aeb2ed09fe65ae4eb93dfdc4c6b95aa77e9d273d58d9697dd4dd3436eb7f89b8336e73de60dab289e479a2c00b51ec4e938277da9821ddcbcd
-
Filesize
3.1MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
712KB
-
Filesize
320KB