Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://89.23.100.37/...

windows7-x64

10

Resubmissions

23-06-2024 19:00

240623-xnmh4asfqp 10

Analysis

  • max time kernel
    18s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-06-2024 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://89.23.100.37/KR6nDu9fLhop1bFe.exe

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

94.228.166.40:4782

Mutex

172a89d7-b9b2-4d82-b5ed-6beb5326f544

Attributes
  • encryption_key

    7970C2029EDBB83E6BD65073BE18684AC9FF3F48

  • install_name

    KR6nDu9fLhop1bFe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    defender.proces

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://89.23.100.37/KR6nDu9fLhop1bFe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://89.23.100.37/KR6nDu9fLhop1bFe.exe
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.0.1748951300\110172827" -parentBuildID 20221007134813 -prefsHandle 1256 -prefMapHandle 1248 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e31978-74c0-480e-9dd1-05f582ba4a87} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" 1368 108f7b58 gpu
        3⤵
          PID:2400
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.1.1716526440\452167903" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9449d612-f072-44bf-ac22-d18d5a1c07bb} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" 1532 45d3d58 socket
          3⤵
            PID:2420
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.2.1945074487\1932293136" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 780 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {106df4d1-b22b-4ffd-994b-8dfedfef7f0d} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" 2080 1a09c458 tab
            3⤵
              PID:2628
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.3.2119886441\788990297" -childID 2 -isForBrowser -prefsHandle 2804 -prefMapHandle 1752 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 780 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57d689ab-4585-4b52-9f5e-a8f4952e70e2} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" 2816 1ce0d358 tab
              3⤵
                PID:2640
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.4.1601218906\935415292" -childID 3 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 26385 -prefMapSize 233444 -jsInitHandle 780 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0456d6c-ab59-4fee-a3c9-cf84573c4a62} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" 3828 1eb3f558 tab
                3⤵
                  PID:2096
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.5.1479001048\967208409" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26385 -prefMapSize 233444 -jsInitHandle 780 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {228c491e-0cd7-4724-a5f2-bd53b32c78c1} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" 3924 1eb3da58 tab
                  3⤵
                    PID:2232
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.6.1965792437\54649346" -childID 5 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26385 -prefMapSize 233444 -jsInitHandle 780 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf812355-7069-4ebd-8a52-5310c78d160c} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" 4104 1f4b3558 tab
                    3⤵
                      PID:2080
                    • C:\Users\Admin\Downloads\KR6nDu9fLhop1bFe.exe
                      "C:\Users\Admin\Downloads\KR6nDu9fLhop1bFe.exe"
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2216
                      • C:\Windows\system32\schtasks.exe
                        "schtasks" /create /tn "defender.proces" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe" /rl HIGHEST /f
                        4⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1560
                      • C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe"
                        4⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        PID:2836
                        • C:\Windows\system32\schtasks.exe
                          "schtasks" /create /tn "defender.proces" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe" /rl HIGHEST /f
                          5⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2108
                    • C:\Users\Admin\Downloads\KR6nDu9fLhop1bFe.exe
                      "C:\Users\Admin\Downloads\KR6nDu9fLhop1bFe.exe"
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2180

                Network

                MITRE ATT&CK Matrix ATT&CK v13

                Initial Access

                Execution

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Credential Access

                Discovery

                System Information Discovery

                2
                T1082

                Query Registry

                2
                T1012

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Resource Development

                Reconnaissance

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  891056c69e4de2970ab12f2f551660dc

                  SHA1

                  5ec86fcaebe09676c6eb6e243ad244913c723918

                  SHA256

                  5f0411f22c61ad4898cb6dfb96a911481e3712bf5eea97f6cc8b17344baaaa20

                  SHA512

                  20a0124fc0efa4cda2ff985b1d128d491bcc3b6facf2204ce241fc76423316fd4b6cf5f92c187d600eccd54d500cd5d4f107d8a42cd95d47e8c8e1f6546bb593

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\pending_pings\04ef4794-c429-46ec-b30c-11d2fa7269c0
                  Filesize

                  745B

                  MD5

                  c8228e815ddb7c05b9b888a4d2dc53b5

                  SHA1

                  5d6e3c8c91c9346944bd2c430912e49109769638

                  SHA256

                  c398e9030e6d33c770114dbfccf4b9445d9666bcc5362701df21da9c3e361957

                  SHA512

                  88fb0e765a8de077677b4602ba84c9fe105258db29b5265978556ae3e22e698753b6b64af96b04d6f7bbb2f61377ff4368967b21532bd144dc3ce8f545be8590

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\datareporting\glean\pending_pings\9f933e3f-cd96-4a0b-b850-3494c2f92d51
                  Filesize

                  11KB

                  MD5

                  991c5147f8f84a3823f3d7e2d0a411d8

                  SHA1

                  ebed174e7a5b3ceac550643b40efecbc262094a7

                  SHA256

                  eba7abe05ab4ecc1c87c0fb6712c7470b41d555860f663240a1fb67979cc259b

                  SHA512

                  3d1e1a7ade10fa93eab51afc151694da9adb1c421ccadd5ce20a2bb08ce7d504dfb5cc335c62e68c8caa1aaa648eef9bcd3185a6149ead5d2b5ed7e6b81719d2

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  940B

                  MD5

                  110d05034bb66522ebd5e40a096060fe

                  SHA1

                  5f33c1a315e8d368ca2385d45121f6ea5ab0a47a

                  SHA256

                  e8ec765f3a5ebe372c95c61ade6935c431f2632d910a61c8018ce796efdb8e18

                  SHA512

                  fb162e6112919ffb0e0b737d906a2ad400aab8f1c58b135c09d37f78f5ef1f173d833021b095d068e92ee520d3f7fbec913bb43502923a7ae1f35eff53bad654

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  184KB

                  MD5

                  ed3047ddf717c6a90e7ed327d658c240

                  SHA1

                  a45d848c1ee0ffff15d71d07c38dfa29404b5bc1

                  SHA256

                  32a3fb02c0112e33cca0c6996b13a61e5a9d5ec5bc5dc287cf606778f2310c1c

                  SHA512

                  8ca70044aba75052d8cbb0d01144ff12e31996b28d6e93ea8f077b475c3986aa5cb409c2f7a5c7b45e6cd695516103d32227e1c09b38e71bd5003f4ef978371f

                  Download Submit
                • C:\Users\Admin\Downloads\KR6nDu9fLhop1bFe.exe
                  Filesize

                  3.1MB

                  MD5

                  3a52e34c074990eee6ed67e3237c4c9c

                  SHA1

                  b7df84535c4d8002cdd7675866617cf9884455c6

                  SHA256

                  a451e748bc1e4c05bdaa722b35a5f6dd1a78765ac8967187a61b846f819c8bf6

                  SHA512

                  1553aa7e90b404f715c9b025937da6a4941fd287de9a69afe52e970731c48b3a6e62ae898a4e16164fa57e20183ff86999b37c7ff9c9f77fa0a85bce3916b19c

                  Download Submit
                • C:\Users\Admin\Downloads\KR6nDu9fLhop1bFe.ohUc6bAj.exe.part
                  Filesize

                  12KB

                  MD5

                  007119a9c9b91b6a4313f340f31c77d1

                  SHA1

                  2a8293406126223e248f21149ad0d46d407d88b6

                  SHA256

                  985b4ae58b1ab643fb79cfb05f13b1773fbc0122d703c7dac7334b7ab39b8abe

                  SHA512

                  94c34f0485de0a948278de67a6874a1edb84824a7442277c0aa88db9faa0f1b92b538203efa16b13cde9bca5a307b02316b03bb072efd97574e0db6256e321a1

                  Download Submit
                • memory/2180-144-0x0000000001360000-0x0000000001684000-memory.dmp
                  Filesize

                  3.1MB

                  Download
                • memory/2216-120-0x0000000000250000-0x0000000000574000-memory.dmp
                  Filesize

                  3.1MB

                  Download
                • memory/2216-121-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp
                  Filesize

                  9.9MB

                  Download
                • memory/2216-119-0x000007FEF43B3000-0x000007FEF43B4000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2216-150-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp
                  Filesize

                  9.9MB

                  Download
                • memory/2836-130-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp
                  Filesize

                  9.9MB

                  Download
                • memory/2836-131-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp
                  Filesize

                  9.9MB

                  Download
                • memory/2836-129-0x0000000000CC0000-0x0000000000FE4000-memory.dmp
                  Filesize

                  3.1MB

                  Download