Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
27/03/2025, 04:20
General
-
Target
0x000300000001e767-21.exe
-
Size
3.1MB
-
MD5
20eeb65678c6fcffcc30cc2fc429f572
-
SHA1
182305533e4a842da880cf204604456e838878db
-
SHA256
4266be83abea2867cfa44836d014983f658f688a1f96fe74bed4b2b5f0d59c1b
-
SHA512
f32cc7a2b5fde293bc9bb6e99c75b92d5725297f128a945f6edcb9ab4d6579ca388370bca5ddff1b5532d6b5e248641bf232a71af93aa031cb86097ed745a872
-
SSDEEP
49152:fveD/2oga6ctePEl3s3jn7HZkgyoRJ6ObR3LoGdPTHHB72eh2NT:fvY/2oga6ctePEl3s3L7HZkgyoRJ6I
Malware Config
Extracted
quasar
1.4.1
Office04
epotiz-56104.portmap.host:56104
dff263c5-5f46-4ebd-b314-af4f281b1196
-
encryption_key
91AE6D01E5588CB2EC925069EE1425C401902592
-
install_name
Realtek HD Audio Manager.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Realtek HD Audio Manager
-
subdirectory
Realtek HD Audio Manager
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000300000001e767-21.exe"C:\Users\Admin\AppData\Local\Temp\0x000300000001e767-21.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Realtek HD Audio Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe"C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Realtek HD Audio Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD520eeb65678c6fcffcc30cc2fc429f572
SHA1182305533e4a842da880cf204604456e838878db
SHA2564266be83abea2867cfa44836d014983f658f688a1f96fe74bed4b2b5f0d59c1b
SHA512f32cc7a2b5fde293bc9bb6e99c75b92d5725297f128a945f6edcb9ab4d6579ca388370bca5ddff1b5532d6b5e248641bf232a71af93aa031cb86097ed745a872
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB