Analysis
-
max time kernel
591s -
max time network
601s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
30-06-2024 14:27
General
-
Target
DriverInstall.exe
-
Size
3.1MB
-
MD5
2428d390c58c3ce2390bf4f6a00f27f2
-
SHA1
525322b7d43603e80d9d5c062baa9a1c4eb8c66f
-
SHA256
0b0f5f4a1afe5fc657325c8286e311c4b81a5ce7a516486b36ef7e5980dd120e
-
SHA512
d0a682e2b529e48b9f28fbef6d56c850c7a21ce03858755b28f4abe7ced2af6337f7b45e83f081faa37627f2e3d8a1dac46c3b75624478ed5f4ab33219e484b6
-
SSDEEP
49152:GvUt62XlaSFNWPjljiFa2RoUYIi3xh1v4LoGf7mTHHB72eh2NT:GvI62XlaSFNWPjljiFXRoUYIi3xK
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.178.86:4782
bcb4ded3-f479-4472-930f-985b13a156fc
-
encryption_key
E65A63C5070648ABDC8CAD5F2CB118AA164CFD24
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Driver.exe
-
subdirectory
WOW646464
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DriverInstall.exe"C:\Users\Admin\AppData\Local\Temp\DriverInstall.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Driver.exe" /sc ONLOGON /tr "C:\Windows\system32\WOW646464\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\WOW646464\Client.exe"C:\Windows\system32\WOW646464\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Driver.exe" /sc ONLOGON /tr "C:\Windows\system32\WOW646464\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\system32\WOW646464\Client.exeFilesize
3.1MB
MD52428d390c58c3ce2390bf4f6a00f27f2
SHA1525322b7d43603e80d9d5c062baa9a1c4eb8c66f
SHA2560b0f5f4a1afe5fc657325c8286e311c4b81a5ce7a516486b36ef7e5980dd120e
SHA512d0a682e2b529e48b9f28fbef6d56c850c7a21ce03858755b28f4abe7ced2af6337f7b45e83f081faa37627f2e3d8a1dac46c3b75624478ed5f4ab33219e484b6
-
memory/3540-10-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmpFilesize
10.8MB
-
memory/3540-11-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmpFilesize
10.8MB
-
memory/3540-12-0x00000000027A0000-0x00000000027F0000-memory.dmpFilesize
320KB
-
memory/3540-13-0x000000001B910000-0x000000001B9C2000-memory.dmpFilesize
712KB
-
memory/3540-14-0x000000001C100000-0x000000001C628000-memory.dmpFilesize
5.2MB
-
memory/3540-15-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmpFilesize
10.8MB
-
memory/3540-16-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmpFilesize
10.8MB
-
memory/3932-0-0x00007FFB360B3000-0x00007FFB360B5000-memory.dmpFilesize
8KB
-
memory/3932-1-0x0000000000E50000-0x0000000001174000-memory.dmpFilesize
3.1MB
-
memory/3932-2-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmpFilesize
10.8MB
-
memory/3932-9-0x00007FFB360B0000-0x00007FFB36B72000-memory.dmpFilesize
10.8MB