Overview

overview

10

Static

static

10

7282a7060d...a7.exe

windows7-x64

10

7282a7060d...a7.exe

windows10-2004-x64

10

7286d086dc...6f.exe

windows7-x64

10

7286d086dc...6f.exe

windows10-2004-x64

10

729c059086...ed.exe

windows7-x64

10

729c059086...ed.exe

windows10-2004-x64

10

72f303c648...1a.exe

windows7-x64

7

72f303c648...1a.exe

windows10-2004-x64

7

72f4a85245...cc.exe

windows7-x64

10

72f4a85245...cc.exe

windows10-2004-x64

10

72ff89c7cd...9f.exe

windows7-x64

10

72ff89c7cd...9f.exe

windows10-2004-x64

10

7307a761db...38.exe

windows7-x64

10

7307a761db...38.exe

windows10-2004-x64

10

7309f93555...28.exe

windows7-x64

3

7309f93555...28.exe

windows10-2004-x64

10

730efb97bd...a1.exe

windows7-x64

7

730efb97bd...a1.exe

windows10-2004-x64

7

732ab0ac86...7a.exe

windows7-x64

10

732ab0ac86...7a.exe

windows10-2004-x64

10

73522a2d41...71.exe

windows7-x64

10

73522a2d41...71.exe

windows10-2004-x64

8

7355fddf5e...6e.exe

windows7-x64

10

7355fddf5e...6e.exe

windows10-2004-x64

10

736e4ed229...93.exe

windows7-x64

7

736e4ed229...93.exe

windows10-2004-x64

10

73bc8a93cd...07.exe

windows7-x64

10

73bc8a93cd...07.exe

windows10-2004-x64

10

73d6911ed2...07.exe

windows7-x64

10

73d6911ed2...07.exe

windows10-2004-x64

10

73eb32431f...ff.exe

windows7-x64

7

73eb32431f...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7355fddf5edf9713b4450982937bca6e.exe

  • Size

    762KB

  • MD5

    7355fddf5edf9713b4450982937bca6e

  • SHA1

    fd1fbc71728fd7adc310b7ee74fdde59577010f4

  • SHA256

    4e844cff9da913e15f2d6346c97e9a6598cd512dde1e34d98b55f71e76e138a8

  • SHA512

    73030b32969d3d87512b71a8e77ebf30ed29ff360d627b4770980da87a5ed664afa3d7855eb02e0ceffb45b9b1b24c7aba93db24b55b9a0b64360cc6f9bb9576

  • SSDEEP

    12288:LiHyqAJB5a5P9Fie9OvbiaChmfwqQaXqoVYlZRFnx48KWc2SJCOaWGh4B9393Fm7:LMyDa5tEuzdq5GZRFx4ZWJSJiW5Bh2BM

Score
10/10
quasardefense_evasiondiscoveryevasionpersistencespywaretrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 2 IoCs
    evasiontrojan
  • Modifies security service 2 TTPs 4 IoCs
    defense_evasion
  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services 2 TTPs 16 IoCs

    Modifies the startup behavior of a security service.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7355fddf5edf9713b4450982937bca6e.exe
    "C:\Users\Admin\AppData\Local\Temp\7355fddf5edf9713b4450982937bca6e.exe"
    1⤵
    • Quasar RAT
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\7355fddf5edf9713b4450982937bca6e.exe
      "C:\Users\Admin\AppData\Local\Temp\7355fddf5edf9713b4450982937bca6e.exe"
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies security service
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies Security services
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4580
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\7355fddf5edf9713b4450982937bca6e.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4692
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /delete /tn "iceTelemetryLogtte" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1620
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
        "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
          "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
          4⤵
          • Modifies Windows Defender DisableAntiSpyware settings
          • Modifies Windows Defender Real-time Protection settings
          • Modifies Windows Defender TamperProtection settings
          • Modifies security service
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Modifies Security services
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4056
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3884
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /delete /tn "iceTelemetryLogtte" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1612
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

7
T1562

Disable or Modify Tools

6
T1562.001

Modify Registry

10
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7355fddf5edf9713b4450982937bca6e.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    177b77fd022b3ad3d73efc9f9dcea706

    SHA1

    f4df163242805b1754db72594d74f8475dfa30b9

    SHA256

    dda302697805ad540c704ece26dbacd8043923917836a602b999d1a66fc020ce

    SHA512

    13af4768d7870eaabd2c22af5ddefdefe640e61a8e0b75f8630a39c52b2518eaa90966dd94a3ec895859b0105df2cef2f4c29bb41e0e738a4dfc19e3d912bea8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2yhs45ne.b4e.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
    Filesize

    762KB

    MD5

    7355fddf5edf9713b4450982937bca6e

    SHA1

    fd1fbc71728fd7adc310b7ee74fdde59577010f4

    SHA256

    4e844cff9da913e15f2d6346c97e9a6598cd512dde1e34d98b55f71e76e138a8

    SHA512

    73030b32969d3d87512b71a8e77ebf30ed29ff360d627b4770980da87a5ed664afa3d7855eb02e0ceffb45b9b1b24c7aba93db24b55b9a0b64360cc6f9bb9576

    Download Submit

  • memory/1212-56-0x0000000007DE0000-0x0000000007DEE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1212-57-0x0000000007DF0000-0x0000000007E04000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1212-49-0x0000000006E50000-0x0000000006E6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1212-59-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1212-58-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1212-55-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1212-54-0x0000000007E30000-0x0000000007EC6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1212-51-0x00000000081F0000-0x000000000886A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1212-52-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1212-53-0x0000000007C20000-0x0000000007C2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1212-38-0x0000000007A50000-0x0000000007A82000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1212-23-0x0000000005AB0000-0x00000000060D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1212-37-0x0000000006A70000-0x0000000006ABC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1212-39-0x0000000070390000-0x00000000703DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1212-22-0x0000000002F60000-0x0000000002F96000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1212-50-0x0000000007A90000-0x0000000007B33000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1212-25-0x0000000006150000-0x00000000061B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1212-36-0x0000000006880000-0x000000000689E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1212-24-0x00000000059C0000-0x00000000059E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1212-35-0x00000000062A0000-0x00000000065F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1328-86-0x00000000703C0000-0x000000007040C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1328-98-0x0000000007760000-0x0000000007774000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1328-97-0x0000000007710000-0x0000000007721000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1328-96-0x0000000007470000-0x0000000007513000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1328-85-0x00000000061F0000-0x000000000623C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1328-83-0x0000000005AD0000-0x0000000005E24000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2364-5-0x0000000004D10000-0x0000000004D1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2364-3-0x0000000004D60000-0x0000000004DF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2364-15-0x0000000074FA0000-0x0000000075750000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2364-6-0x0000000006030000-0x0000000006040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2364-10-0x0000000009C40000-0x0000000009CDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2364-4-0x0000000074FA0000-0x0000000075750000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2364-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-2-0x0000000005310000-0x00000000058B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2364-7-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-9-0x0000000006080000-0x0000000006120000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2364-1-0x0000000000250000-0x0000000000314000-memory.dmp

    Filesize

    784KB

    Download

  • memory/2364-8-0x0000000074FA0000-0x0000000075750000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4580-67-0x0000000074FA0000-0x0000000075750000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4580-11-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/4580-20-0x0000000006CB0000-0x0000000006CEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4580-16-0x0000000074FA0000-0x0000000075750000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4580-18-0x0000000006960000-0x00000000069C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4580-14-0x0000000074FA0000-0x0000000075750000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4580-19-0x0000000006C50000-0x0000000006C62000-memory.dmp

    Filesize

    72KB

    Download