Overview

overview

10

Static

static

3

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2025 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    2.6MB

  • MD5

    6416961fe33e1461e8f5c455c2cf0ec9

  • SHA1

    190754691dffb4d873bd32f48722d150d338f51d

  • SHA256

    616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1

  • SHA512

    8fe2fa84a62cf92d1136110e0b39bfb7f07646816ff9d9944a0d8523d26d2f2d46653ec2a9f1153fac6b3c585e0f742753959d496cab1f5a62c761dd0db1fc18

  • SSDEEP

    49152:Ux8Gt7KDrJd8spKaFxZWVAItl6dXg84Hk6BOUjbqmQnN/DAP8khk2d4zV:C974P57k6dQ8bIO2uN/DAP8khkj

Score
10/10
quasar1discoveryexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

1

C2

87.228.57.81:4782

Mutex

f832b3aa-9229-4dd0-81ec-c101146b1831

Attributes
  • encryption_key

    19A0FAF8459F69650B5965C225752D425C429EEC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to execute payload.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Users\Admin\AppData\Local\Temp\is-9EB7S.tmp\random.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9EB7S.tmp\random.tmp" /SL5="$80070,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\Users\Admin\AppData\Local\Temp\random.exe
        "C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Users\Admin\AppData\Local\Temp\is-6SIHL.tmp\random.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-6SIHL.tmp\random.tmp" /SL5="$9004E,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Windows\SysWOW64\regsvr32.exe
            "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3696
            • C:\Windows\system32\regsvr32.exe
              /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4504
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2144
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{3A3172EA-6DCE-439D-EB99-0CFB598DC85A}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3152
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1220
  • C:\Windows\system32\regsvr32.EXE
    C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f25c85b2bb354d280391b5de0f2e74e6

    SHA1

    8255ba9443f52eaee33c1483e4b00217bcc0bed6

    SHA256

    59d0837a17ff3728035f1b7d7a6be1410cb76796ad4e9c261ec5334d751a8f3b

    SHA512

    927c91edc8ae45c3136ba2bf5cf640abaabd08472f390cebaf1f1edcf084217ed370bbcebf675010a207ebed1105ff6fd02c4865848f3180a6cc616d3b56b2e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    6b3f025e0fe16f90a195d5a845ea92c4

    SHA1

    2039ca9aedf7bde38d5f538991ac4c3684651a07

    SHA256

    cc1288db96dcc16fd4bef4fa2dd6d85e313af2e4c23fdf7f23b7f654cd61575a

    SHA512

    ac8c18b21ed5d090808d99c3d657691f9d47894e77d18a35d8906cbbcc2e6e5c3f5b6926241a492068b01c74263161967a7ecd4f1b1972e65ae509bf5df5a20e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    9331400580376899f1c17da98b87e707

    SHA1

    b4e4a3e92db87cc8659e389bcbb7de9fdb306e00

    SHA256

    2fbdf49ae199e56f2e8e9140c375b954ebc8fee4ece3090baeb3f17b4c268c11

    SHA512

    59781d1409a4e9aad0b84f46096f329329fab78b5ab61d02035904399c0b43eb0cae98871d90950c5a3d045f92dfe8a112ff64c9d61087b61f5c077fc706aa3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4afxtxxf.mrg.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-9EB7S.tmp\random.tmp
    Filesize

    1.2MB

    MD5

    1db83d1bc949e72509f0e752316ec5d0

    SHA1

    154d7bd59581ea106d8a02586feaf5c38f806d39

    SHA256

    57c68e06bd351b2fde4f25f04c89fc265c0c3ce3184fb0caca3410b6eac04a49

    SHA512

    ff0eba3e3a9407107d2e5875d4369be68c1f1f43144aea8c9b530824f3b9c837705ecd0c7d94bbaadfa59bb273b7e59392bef3d9aaf643353e4b935f8745d4b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-GMFKL.tmp\_isetup\_isdecmp.dll
    Filesize

    13KB

    MD5

    a813d18268affd4763dde940246dc7e5

    SHA1

    c7366e1fd925c17cc6068001bd38eaef5b42852f

    SHA256

    e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

    SHA512

    b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-P64O3.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv
    Filesize

    4.1MB

    MD5

    6fb91b9f96c8a0f6e20e75377152363a

    SHA1

    be3ed35dee6b517b9e846bc431197c2d6239f8e1

    SHA256

    be67966b82dcb5e838095d0ebcccbc854b6eae9d6ac30329457019f2d7d119ae

    SHA512

    da994e4ee32aee52d98d21ab69887d94efe186d9e0a34b2cc09e0da949fb25a10de464136c305a66c332457d876e5e6ce2acaf6c4f1ba00f7e6345cdda030996

    Download Submit

  • memory/400-32-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/400-50-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2144-61-0x000002672C4D0000-0x000002672C4F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2996-53-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2996-23-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2996-21-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3224-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3224-25-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3224-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3764-7-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3764-24-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3912-122-0x00007FFB0A540000-0x00007FFB0A941000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4504-83-0x000000001B8F0000-0x000000001B940000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4504-84-0x000000001C9D0000-0x000000001CA82000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4504-85-0x00007FFB0A540000-0x00007FFB0A941000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4504-82-0x000000001BA30000-0x000000001BD54000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4696-102-0x00007FFB0A540000-0x00007FFB0A941000-memory.dmp

    Filesize

    4.0MB

    Download