Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28/03/2025, 19:10

General

  • Target

    MultiTool Setup.exe

  • Size

    2.7MB

  • MD5

    c69d327438fde6e17346aa6aca31d925

  • SHA1

    8d029d5248d5c8213e08685b575d8e62bb1905cb

  • SHA256

    2beda275889a22bc7802f19347d682097aec3f7a3005f5c7fe263a3e625b3d8d

  • SHA512

    8e95612190b68f81726d5eb4686414c17be6de337aa0029db20e7ac322f57239aff0304f9e9ccd7059b1c1e7bf1bceb50cea598e1a7241a8d2e0afab6385d1ef

  • SSDEEP

    49152:BxXXm66OsQGuZjpAJ2EB45hN1nd3fmMDU8Sb0uRhEoy:BxHXsQG2jqq5hNSMYTRWoy

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run the single Add-MpPreference call excludes the whole system drive (the -ExclusionPath argument expands to the value of %SystemDrive%, i.e. the root of C:), which turns off Defender's file scanning for everything under that drive. Add-MpPreference requires administrator rights, consistent with the elevated driver install that follows in the same tree.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The signature is named after the netsh helper-DLL persistence technique (ATT&CK T1546.007), but the only netsh command in this run is "netsh wlan show profiles", which is Wi-Fi discovery; nothing in the process tree registers a helper DLL, so treat this hit as a label on the netsh execution rather than as evidence of that technique.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Installer stubs check the UI language for legitimate reasons; the two hits here are on the Inno Setup installer and its extracted .tmp stage (the is-F49KA.tmp and /SL5= pattern), so this signature carries little weight on its own.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. "netsh wlan show profiles" only lists saved profile names; recovering the keys would need a further per-profile query with key=clear, which does not appear in this run.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run every process that triggers the check (deviceinstaller64.exe, the DeviceInstall svchost and both DrvInst.exe instances) is part of the driver installation, so the registry reads are more plausibly Plug and Play enumeration than an evasion check.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 12 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named "Svchost.exe" to blend in with the real service host, triggers at every logon with /rl HIGHEST, and runs 12323.exe from AppData\Roaming\versv; it is created twice (once by MultiTool.exe, again by 12323.exe) and deleted near the end of the run, so a missing task does not rule out infection. The Roaming payload path is the more durable host indicator.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MultiTool Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\MultiTool Setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\is-F49KA.tmp\MultiTool Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-F49KA.tmp\MultiTool Setup.tmp" /SL5="$80070,1815390,867840,C:\Users\Admin\AppData\Local\Temp\MultiTool Setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5884
      • C:\Program Files (x86)\VelocityFixxer\MultiTool.exe
        "C:\Program Files (x86)\VelocityFixxer\MultiTool.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\versv\12323.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:460
        • C:\Users\Admin\AppData\Roaming\versv\12323.exe
          "C:\Users\Admin\AppData\Roaming\versv\12323.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\versv\12323.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
          • C:\Windows\SYSTEM32\netsh.exe
            "netsh" wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2304
          • C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe
            "C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe" install C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\usbmmIdd.inf usbmmidd
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious use of AdjustPrivilegeToken
            PID:1124
          • C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe
            "C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe" enableidd 1
            5⤵
            • Executes dropped EXE
            PID:1640
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /delete /tn "Svchost.exe" /f
            5⤵
            PID:5540
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB6pgOOCIRv5.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:632
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:3176
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:388
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4638d64b-5bf0-3f43-b5a4-de5c1d4b6db9}\usbmmidd.inf" "9" "4f9666e1f" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\roaming\usbmmidd_v2\usbmmidd_v2"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:2288
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:d470a17d4e87d07b:MyDevice_Install:2.0.0.1:usbmmidd," "4f9666e1f" "0000000000000148" "c161"
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
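The process tree above is what an EDR's process-creation telemetry would record. The following is an added example, not part of this sandbox report or of any product's rule set: detection logic in Python for five of the behaviours the tree shows (the whole-drive Defender exclusion, the masquerading logon task, Wi-Fi profile discovery, a driver package installed from a user profile, and the ping-based delay in the cleanup batch), run over event records constructed from the command lines listed above. The ProcEvent fields, the USER_WRITABLE path list and the rule names are assumptions made for the example, not a real log schema or a standard taxonomy. It goes beyond this one sample in that the rules are written generically: they would also fire on pwsh.exe, on pnputil.exe, or on a task named after any of several system processes.

```python
# Added example (not part of the sandbox report): process-creation detection
# rules for the behaviours in the tree above. Events are constructed from the
# command lines listed under Processes; the four-field record is an assumed
# minimal schema, not any particular log format, and rule names are illustrative.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Locations a standard user can write to: a task action or a driver .inf living here is the signal.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer"}

def image_is(e, name):
    return e.image.lower().endswith("\\" + name)

def defender_exclusion(e):
    """Add-MpPreference -Exclusion*; excluding a whole drive gets its own rule name."""
    if not (image_is(e, "powershell.exe") or image_is(e, "pwsh.exe")):
        return None
    if not re.search(r"add-mppreference.*-exclusion(path|process|extension)", e.cmdline, re.I):
        return None
    whole_drive = (re.search(r"systemdrive", e.cmdline, re.I)
                   or re.search(r'-exclusionpath\s+"?[a-z]:\\?"?(\s|$)', e.cmdline, re.I))
    return "defender_exclusion_whole_drive" if whole_drive else "defender_exclusion"

def schtask_persistence(e):
    """schtasks /create with two or more persistence traits (one alone is common in installers)."""
    if not image_is(e, "schtasks.exe") or not re.search(r"/create\b", e.cmdline, re.I):
        return None
    traits = []
    tn = re.search(r'/tn\s+"?([^"\s]+)"?', e.cmdline, re.I)
    if tn and re.sub(r"\.exe$", "", tn.group(1).lower()) in SYSTEM_PROCESS_NAMES:
        traits.append("task name mimics a system process")
    tr = re.search(r'/tr\s+"([^"]+)"', e.cmdline, re.I)
    if tr and USER_WRITABLE.search(tr.group(1)):
        traits.append("action runs from a user-writable path")
    if re.search(r"/rl\s+highest", e.cmdline, re.I):
        traits.append("requests highest run level")
    if re.search(r"/sc\s+onlogon", e.cmdline, re.I):
        traits.append("triggers at every logon")
    return "schtasks_persistence: " + "; ".join(traits) if len(traits) >= 2 else None

def wifi_profile_discovery(e):
    if image_is(e, "netsh.exe") and re.search(r"wlan\s+show\s+profiles?", e.cmdline, re.I):
        return "wifi_profile_discovery"
    return None

def driver_install_from_user_profile(e):
    """A driver package whose .inf is staged under a user profile rather than a vendor directory."""
    inf = re.search(r'"?([^"\s]+\.inf)"?', e.cmdline, re.I)
    installer = (image_is(e, "drvinst.exe") or image_is(e, "pnputil.exe")
                 or re.search(r"\binstall\b", e.cmdline, re.I))
    if inf and installer and USER_WRITABLE.search(inf.group(1)):
        return "driver_install_from_user_profile"
    return None

def ping_sleep_in_batch(e, parent):
    """ping -n N localhost spawned by cmd.exe running a .bat: a sleep that delays a self-delete."""
    m = re.search(r"ping(\.exe)?\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)", e.cmdline, re.I)
    if (m and int(m.group(2)) >= 5 and parent is not None and image_is(parent, "cmd.exe")
            and re.search(r"\.bat\b", parent.cmdline, re.I)):
        return "ping_sleep_in_batch"
    return None

def detect(events):
    """Return (pid, rule) pairs; the parent lookup lets a rule see the spawning process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        for rule in (defender_exclusion(e), schtask_persistence(e), wifi_profile_discovery(e),
                     driver_install_from_user_profile(e), ping_sleep_in_batch(e, parent)):
            if rule:
                hits.append((e.pid, rule))
    return hits

# Constructed from the Processes section of this report (parent PIDs taken from the tree).
EVENTS = [
    ProcEvent(460, 3476, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "Svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\versv\12323.exe" /rl HIGHEST /f'),
    ProcEvent(3036, 2480, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\"'''),
    ProcEvent(2304, 2480, r"C:\Windows\SYSTEM32\netsh.exe", r'"netsh" wlan show profiles'),
    ProcEvent(1124, 2480, r"C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe",
              r'"C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe" install C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\usbmmIdd.inf usbmmidd'),
    ProcEvent(5540, 2480, r"C:\Windows\SYSTEM32\schtasks.exe", r'"schtasks" /delete /tn "Svchost.exe" /f'),
    ProcEvent(632, 2480, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB6pgOOCIRv5.bat" "'),
    ProcEvent(388, 632, r"C:\Windows\system32\PING.EXE", r"ping -n 10 localhost"),
    ProcEvent(1308, 1816, r"C:\Windows\system32\DrvInst.exe",
              r'DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:d470a17d4e87d07b:MyDevice_Install:2.0.0.1:usbmmidd," "4f9666e1f" "0000000000000148" "c161"'),
]

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

Requiring at least two traits before a schtasks hit is what keeps that rule quiet on ordinary installers, which routinely create a logon task with one of them. The netsh and ping rules are low severity on their own and are mainly useful to corroborate the other hits inside the same process tree; the DrvInst.exe event for oem3.inf is included to show that the final install from C:\Windows\INF is not flagged, only the staging from the user profile.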

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\VelocityFixxer\MultiTool.exe

        Filesize

        1.6MB

        MD5

        8db016220e8bc05040231b4532b49cf1

        SHA1

        100a18116cf34dc16c641ce1118491e631d3899c

        SHA256

        04b974eee78f8d3aa5b58e3af3cf0c5d259fb02597181e541b4032966a492cc4

        SHA512

        7aaca072a633497c8764c07dd637cae0cc32de502d8776bf945e81573f0c464c2f01d8594e520a403e3dc973f96cf2687aab7d18bbdaa29cdd3a57b82990d072

      • C:\Users\Admin\AppData\Local\Temp\CB6pgOOCIRv5.bat

        Filesize

        209B

        MD5

        84f65fbc27a50f57d9a0530630923f11

        SHA1

        44a203cf9fcbf4cb2792bfa66064d8c1b86c2623

        SHA256

        9055ce772e5314e827fe5fe2941e97528e8183b50c1647f7f2f16894c9432eb5

        SHA512

        3fad8785fbde67178103f741ceedd2437907116f071f8bfc7a3d0074bf81bc679d87fba104282f14997aa57f16db01201e0463c937516adb8707afd5b35a4cdb

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1ngilqp.1pq.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\is-F49KA.tmp\MultiTool Setup.tmp

        Filesize

        3.4MB

        MD5

        9c60c7259169e3697ae17be1189c7ca9

        SHA1

        0dbfb6430c258d11f142faf4f476ca357cd2f1ca

        SHA256

        72a536efb861125b427ccf4aac566a7b0a5651ad30041bfa890b053d20923dce

        SHA512

        f28a9e72956d2d9e4a36dcd6d021d84e76afaf1389d9c89e6a56eadc67bd85d40ace1d9892335ebbfbb367c23bbb4487a0bc7b6c3e6da2d8a3dee335a70975b0

      • C:\Users\Admin\AppData\Local\Temp\{4638d64b-5bf0-3f43-b5a4-de5c1d4b6db9}\x64\usbmmIdd.dll

        Filesize

        69KB

        MD5

        ee848c427145609d998725a38e7ad9af

        SHA1

        6b97d9ab1c3978cdc2d6735c227adca8f0aabddb

        SHA256

        dc135d675127113915a7e5aa9fe57c84edad6be41d0890b265ef124ab26ea9e3

        SHA512

        5bd0eca69d16a6fe32856978047967e44f0d49c59cd611b02e9d24ca59c0d862ad5f8a4d50c6bed816fa11e2f4fee6fabbe3d6d735224084f47161693eee8007

      • C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe

        Filesize

        158KB

        MD5

        41283e1240acfc163f0e697073f07413

        SHA1

        a10cf33fbb23c4465921e6590c934873f3155317

        SHA256

        e9baa02cdae921acf0aae4d8e8c29a4cdf4057ab61f9c60862b7cc439e2753f7

        SHA512

        d7361a1656c8a8bf0b2bb8fa332105912285d23933bbc37ebe955b36e3fc158472216757bd87638860542cefadbbc17d36d5ef16cbd910b64fc25a2d7f42cfaf

      • C:\Users\Admin\AppData\Roaming\usbmmidd_v2\usbmmidd_v2\usbmmIdd.inf

        Filesize

        5KB

        MD5

        0a09dab1c9a7f2e685cd7f8b5bd43ec0

        SHA1

        14b5fae8397fbda873dcc9ffd5cc189f14490c28

        SHA256

        a8750ca15a86742f3012886c9932bb974158cd2d9779cf891c730d976a47726a

        SHA512

        f6cc96686f06f1871ae95ddbe9e553bbff506765965e4c846ee02328c6566730a9f4df493c36ab2104565d41dbd7ea67d054984163e45bc414a8f1efba293368

      • \??\c:\users\admin\appdata\roaming\usbmmidd_v2\usbmmidd_v2\usbmmIdd.cat

        Filesize

        11KB

        MD5

        e5f60b2f3a491983eac00dc7dc7c408b

        SHA1

        2566bf2ddc9e58f5262a2b11dda0c451d5ec9468

        SHA256

        470149c4cf9970ba59070aa7c9409c9f63a15727de99bab53e7e51f55310779f

        SHA512

        55b31a4da61b837891be7977bdf7b96457e5b54c5216e867bb1aca4580a84145f885896b13fcb72e937d3f424fec1105b4f9c0a9706dfabbec95fb53c7a302f5

      • memory/2216-39-0x0000000000B90000-0x0000000000C74000-memory.dmp

        Filesize

        912KB

      • memory/2216-0-0x0000000000B90000-0x0000000000C74000-memory.dmp

        Filesize

        912KB

      • memory/2216-2-0x0000000000B91000-0x0000000000C3E000-memory.dmp

        Filesize

        692KB

      • memory/2216-8-0x0000000000B90000-0x0000000000C74000-memory.dmp

        Filesize

        912KB

      • memory/2480-46-0x00000203C2780000-0x00000203C27BC000-memory.dmp

        Filesize

        240KB

      • memory/2480-47-0x00000203C2910000-0x00000203C2922000-memory.dmp

        Filesize

        72KB

      • memory/2480-60-0x00000203C2560000-0x00000203C256A000-memory.dmp

        Filesize

        40KB

      • memory/2480-40-0x00000203C2140000-0x00000203C2190000-memory.dmp

        Filesize

        320KB

      • memory/2480-41-0x00000203C2570000-0x00000203C2622000-memory.dmp

        Filesize

        712KB

      • memory/2480-42-0x00000203C20F0000-0x00000203C213E000-memory.dmp

        Filesize

        312KB

      • memory/2480-45-0x00000203C2510000-0x00000203C2522000-memory.dmp

        Filesize

        72KB

      • memory/3036-48-0x000001EEE9900000-0x000001EEE9922000-memory.dmp

        Filesize

        136KB

      • memory/3036-59-0x000001EEE9E20000-0x000001EEE9F6F000-memory.dmp

        Filesize

        1.3MB

      • memory/3476-27-0x00000281E6AD0000-0x00000281E6C74000-memory.dmp

        Filesize

        1.6MB

      • memory/3476-26-0x00007FFCE5D83000-0x00007FFCE5D85000-memory.dmp

        Filesize

        8KB

      • memory/3476-36-0x00007FFCE5D80000-0x00007FFCE6842000-memory.dmp

        Filesize

        10.8MB

      • memory/3476-29-0x00007FFCE5D80000-0x00007FFCE6842000-memory.dmp

        Filesize

        10.8MB

      • memory/3476-28-0x00000281E8860000-0x00000281E887A000-memory.dmp

        Filesize

        104KB

      • memory/5884-38-0x0000000000D60000-0x00000000010D7000-memory.dmp

        Filesize

        3.5MB

      • memory/5884-9-0x0000000000D60000-0x00000000010D7000-memory.dmp

        Filesize

        3.5MB

      • memory/5884-10-0x0000000000660000-0x0000000000661000-memory.dmp

        Filesize

        4KB

      • memory/5884-6-0x0000000000660000-0x0000000000661000-memory.dmp

        Filesize

        4KB