quasar | 2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec

Analysis

max time kernel
25s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 01:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe
Size

718KB
MD5

20c404f8e7606ae61f77b329d337fbc0
SHA1

e23cd528e4da2cf73bc4b4a4fb6bf9c738f59435
SHA256

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec
SHA512

d183123eb9518a9dfcca72e1a6e4a1368da17ef06e3f1c5f2de6131ed2e6582c895ee10d0dc9e912aeaed89af7f03a9b14dc75414cb19ee40511412803cd7043
SSDEEP

12288:FKrSjGt2H9toA/HZZvMtG6YGP0YO5qvsEhQFJlTzy:FKrS6stP5hGzFO5qUEhQFJk

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

hvhkcutuoujbobu672-22209.portmap.host:22209

Mutex

VNM_MUTEX_B9yalilhpjXcfLAYLB

Attributes

encryption_key
1QFI1TWvW55TfLRzQhy0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral2/memory/2976-2-0x00000269EC240000-0x00000269EC2CC000-memory.dmp disable_win_def
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2976-2-0x00000269EC240000-0x00000269EC2CC000-memory.dmp family_quasar
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
8 api.ipify.org
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4836 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2804 schtasks.exe
4600 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2976 2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe

resource	yara_rule
behavioral2/memory/2976-2-0x00000269EC240000-0x00000269EC2CC000-memory.dmp	disable_win_def

resource	yara_rule
behavioral2/memory/2976-2-0x00000269EC240000-0x00000269EC2CC000-memory.dmp	family_quasar

flow	ioc
2	ip-api.com
8	api.ipify.org

pid	process
4836	PING.EXE

pid	process
2804	schtasks.exe
4600	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2976	2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe

description	pid	process	target process
PID 2976 wrote to memory of 2804	2976	2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe	schtasks.exe
PID 2976 wrote to memory of 2804	2976	2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
PID:2032

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6i1Y4m3rcWu.bat" "
3⤵
PID:3992

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1268

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
2⤵
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
3⤵
PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gamnrmv1.1dh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6i1Y4m3rcWu.bat
Filesize
207B

MD5
aed34659f546d2cc1f86a36091f89a8b

SHA1
b352950165a7c0860a99ad15875a7d37eb7dfcac

SHA256
d4178ebdb3d36cad68b9236dacc360b038e73f40487cd02506be10d354a969b6

SHA512
be2fde7b07ab73efc487f490c69c0cd918ab9996bd88223c11461a1e1a69542dd33cc85c55a3099df2b99bbda773529a56d63e7cbb991974ae1cf689fc95c83d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
718KB

MD5
20c404f8e7606ae61f77b329d337fbc0

SHA1
e23cd528e4da2cf73bc4b4a4fb6bf9c738f59435

SHA256
2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec

SHA512
d183123eb9518a9dfcca72e1a6e4a1368da17ef06e3f1c5f2de6131ed2e6582c895ee10d0dc9e912aeaed89af7f03a9b14dc75414cb19ee40511412803cd7043

Download Submit
memory/1704-12-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/1704-27-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/1704-24-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/1704-23-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/1704-19-0x000001F32CE80000-0x000001F32CEA2000-memory.dmp

Filesize
136KB

Download
memory/2032-11-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2976-0-0x00007FF841563000-0x00007FF841565000-memory.dmp

Filesize
8KB

Download
memory/2976-6-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2976-5-0x00007FF841563000-0x00007FF841565000-memory.dmp

Filesize
8KB

Download
memory/2976-4-0x00000269EDC10000-0x00000269EDC22000-memory.dmp

Filesize
72KB

Download
memory/2976-3-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2976-2-0x00000269EC240000-0x00000269EC2CC000-memory.dmp

Filesize
560KB

Download
memory/2976-1-0x00000269EBE90000-0x00000269EBE98000-memory.dmp

Filesize
32KB

Download