Analysis
-
max time kernel
101s -
max time network
122s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250207-en -
resource tags
-
submitted
09-02-2025 18:22
General
-
Target
CHEAT.rar
-
Size
36.3MB
-
MD5
203ba38accab7ff9b181c88176d7e17f
-
SHA1
33bd9fc89e77faed86bda399d018f9413f6eba73
-
SHA256
eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905
-
SHA512
2cc04354147ef18f22c753303f4417744d349d41a1eb6ea28ef8ffad3831aa3e6317b698c24b3c1dc0ef60ed4e38564d21be4afc9a485ea22ec75dbe739f76a7
-
SSDEEP
786432:cQ1zPwv64YV/iSmT3kJtj88ZEP87mD+cmodF2fppwcPX/fzi82lb7O:hLB4YMhT0JtiKmiodiHvPWJlb7O
Malware Config
Extracted
quasar
1.4.1
Office04
10.0.1.100:4782
ed337c2a-f410-44a6-a75b-740207b7d8db
-
encryption_key
6D00964D3D31D45131A3ECADA49AED6AAB6AAED0
-
install_name
CHEAT.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 1 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 5 IoCs
-
Themida packer 32 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CHEAT.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\#524#@7asRFj438!!.exe"C:\Users\Admin\Desktop\#524#@7asRFj438!!.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe"C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTFCNDk2NzItRDAyMC00OUJDLTgyRTEtNDIxOEZDQkRDNjdCfSIgdXNlcmlkPSJ7MjFGQjNEMkItNzc3My00QjgzLUEyQkItNzRBNTAwMkY4OEMwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NkFGRjAxNDAtMjk4NS00NDk5LUIzRUYtMjA3NEU4MDQ2QTREfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDQ4IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NDg5OTIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE1NzU5NDQ1MSIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\HVCI\Steam.exe"C:\Users\Admin\Desktop\HVCI\Steam.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" create InkLa1n binPath="C:\Windows\security\InkLa1n.sys" type=kernel2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" start InkLa1n2⤵
- Launches sc.exe
-
-
C:\Users\Admin\Desktop\HVCI\MbixMY.exe"C:\Users\Admin\Desktop\HVCI\MbixMY.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\HVCI\tGI5Mw.exe"tGI5Mw.exe" -R2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic csproduct get uuid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic BIOS get Manufacturer3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic BIOS get Manufacturer4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic BIOS get SMBIOSBIOSVersion3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic BIOS get SMBIOSBIOSVersion4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic BIOS get ReleaseDate3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic BIOS get ReleaseDate4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic BIOS get Version3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic BIOS get Version4⤵
-
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\HVCI\MbixMY.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Users\Admin\Desktop\HVCI\tGI5Mw.exe"C:\Users\Admin\Desktop\HVCI\tGI5Mw.exe"1⤵
-
C:\Users\Admin\Desktop\HVCI\eG6Fv9.exe"eG6Fv9.exe" -R2⤵
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\HVCI\tGI5Mw.exe"2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD509ffcbccc1a4884f357781111b762d2e
SHA1386be8f85e983815580d9a83f635dd1a802886db
SHA25638a42d31c6741ceeceedaf2ba07e753863a81bcfed604df7df03fcb975980c82
SHA512d0f656806c760c0352699ff43125876a4f264da1675400d81ea085bec9341a5cdf9834c6d5eeef0b7df417a0a86acbaebbc9babd5848096612d15a57f4a668f4
-
Filesize
19.7MB
MD509e04205ee2e4b53e2bbaa249baf2598
SHA105da5d90f8bbca7fc3999da1bd9e2b0e11de0197
SHA25660afe971d2f46a4ccf942b83c666a2f8a88927fea173fa99f227348f65cadcb0
SHA512d5393035d8507cf51168873970ae76da51113f411bb3b1998ff73307d5ed4ea979fe4d61fd88db12d81c47ce815987f239762cc683b10dd749201c0c8c7ba2b5
-
Filesize
15.9MB
MD58aac8c3763433c4633f9df18099454d8
SHA1488b942dc7da1066a2ca1531319dd91828501b44
SHA256841b830d52ffa466dcf7bc00f47f9097634782b4028ecc512ffb0ffb49107a92
SHA512200aabc46b9d25952906e3f6badab8802dd6fe2d3be598e92792ffdb6c2834042921ae441aae4c6cb8e51b9e1fadd2ad1a30f21ef7d0ff38da002b7b1ed96e7b
-
Filesize
14.4MB
MD5dfd6c9934762a3747d05d7e514ee8a15
SHA1c4d5453865f3f507dad49a54643bb526abe3b05c
SHA256abea00df377392afcd76ca9336ee1700e4fbb97877c521771e57abe0d2ae24d7
SHA51295facb4ca8dac55c3f48aa60e2c7f16ac309af47a8e11388287b61fafde9a272abc354a696e8f6d5478137fce58149a506ad4e0fd1e4be4d0400f8995a3cfb14
-
Filesize
12.0MB
MD5d5240be334757c66e6189f08ddd1e352
SHA1120db6ce417904f17cbdeb97b94aaa210993a173
SHA25609b2125885fd3cf0ad3d818c7197771221bfeb962f0951ee440026993b179073
SHA5128fbea335a9b829456332ddbd2207cfe37cbe0762b1b0c18477c4545a0866aa01de4c9570be13fe64e89afff2e8de2d767e153032290e39c6abcaa990e201731b
-
Filesize
14.2MB
MD56e3bb607d25fcb3c15d4083ad3d1d3e7
SHA155695c28171125033f5e7dc1c9caaaa54f54320b
SHA25650238546a5d795efec7ed776c81a8333566823f721333bedf0df5cacc382be6d
SHA512818efc7a410078daebaab918258fb0aef1f5ed6791917b398b268f6e42a9ce9d15278b8e93da55bacb9cafd722769e6277b55cdf8d2dd295b75c2471172434d6
-
Filesize
19.7MB
MD5fb9deecdac0b38496d5f4f3c9557c02b
SHA188caa04b1ffa567ae3b279ef8fa62f4a473c30f1
SHA25676a25d101e8ca0f623b810f53687e8110c42ba3c21a2313b384ee7eb7e25884b
SHA512a09d1680551b9d59d8c73ae29c9a8ecb95edf29c3b8c8bf12036ceba452eaaaa7d2b2a128a5fe6c6c9b94ee4ef53e913b2b1676e89480565a4539306feb562f4
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
40.9MB
-
Filesize
40.9MB
-
Filesize
40.9MB
-
Filesize
40.9MB
-
Filesize
40.9MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB
-
Filesize
50.1MB