Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2023 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    5ddcc9baa65b17926f2262a9fe530b93

  • SHA1

    6fa7fd0df2a9928b6c063fc03b10bdcd84e26008

  • SHA256

    9ce882116ae23f4d32f4937f2b61ca8deea0c476be41fdd3158dadc14335a45f

  • SHA512

    79fd0d0ff6115972017fef2c6feeddaf26db86bb69437ca431abd2ba35d4b6c249c7150f3969fd589006b2d3defa674c589610caee5a1585e50f027b06f6aa06

  • SSDEEP

    49152:+vaY52fyaSZOrPWluWBuGG5g5hPbRJ6KbR3LoGd/THHB72eh2NT:+vv52fyaSZOrPWluWBDG5g5hPbRJ6k

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

127.0.0.1:4782

Mutex

57af6279-a68f-4f70-9b6b-439dccca1ff4

Attributes
  • encryption_key

    1B9C51B90AB1DE21D6A313176E631A6295A0C2E6

  • install_name

    Memes.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    memes

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 11 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "memes" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Memes.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:840
    • C:\Users\Admin\AppData\Roaming\SubDir\Memes.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Memes.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "memes" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Memes.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1760
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.0.1010923652\1124953976" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7440f319-8316-46f1-b0f0-3eb7d2d1b9c5} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 1916 242ffe17158 gpu
        3⤵
          PID:4840
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.1.548287571\1663703092" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {301e35a8-5dff-4b28-a315-3f4cbae3db4a} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 2316 24287d53258 socket
          3⤵
          • Checks processor information in registry
          PID:2360
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.2.1925865828\2096536925" -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 3048 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de89acf3-10c7-4555-9831-c3c1692b9487} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 2916 2428a4f1858 tab
          3⤵
            PID:4292
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.3.447062748\113240061" -childID 2 -isForBrowser -prefsHandle 1228 -prefMapHandle 3604 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2196bc14-f80b-4662-95e8-421294380457} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 1436 2428b22b658 tab
            3⤵
              PID:3720
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.4.386026547\918881428" -childID 3 -isForBrowser -prefsHandle 4092 -prefMapHandle 4084 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de59b2a5-21ec-4305-b04f-d7db2384d0c9} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 4108 2428b937c58 tab
              3⤵
                PID:3320
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.5.1635314901\476481024" -childID 4 -isForBrowser -prefsHandle 5068 -prefMapHandle 5044 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b8702ce-c9c4-4645-8973-16384ea189d2} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 5092 2428ceb7f58 tab
                3⤵
                  PID:1524
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.7.2140532343\1595007464" -childID 6 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e257c63-60f6-47f5-8602-04bfa22f0c3b} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 5436 2428dc5d458 tab
                  3⤵
                    PID:2884
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3332.6.674197116\1550905206" -childID 5 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8623cef0-41f2-4ece-9e33-c5d55ddee289} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" 5244 2428ceb6458 tab
                    3⤵
                      PID:2740
                • C:\Windows\system32\mspaint.exe
                  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\FormatStop.jpeg" /ForceBootstrapPaint3D
                  1⤵
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1284
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
                  1⤵
                  • Drops file in System32 directory
                  PID:4780
                • C:\Windows\system32\OpenWith.exe
                  C:\Windows\system32\OpenWith.exe -Embedding
                  1⤵
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of SetWindowsHookEx
                  PID:5088

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Credential Access

                Discovery

                Query Registry

                2
                T1012

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  149KB

                  MD5

                  df30ce0494c4872d45bc7280e774dfaa

                  SHA1

                  b32762e83a202559d605d7db3f82d9169128ed09

                  SHA256

                  3f1d61e7a5f6f1ed07554160459aa84dc1f39abcf3b73b15b9e189ed9c8055b2

                  SHA512

                  ea973381a8a0b170c5434149848aedbeb874f8c7eccdb22e57fe7b33c1f48fe7dd759438291531eb25717978ccd432a1cb5144ff97f9aec680c33f56a1e0780d

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  c2d453758fe7be6745c3bf72c95867d4

                  SHA1

                  b06f31da3e3c00fc19e7f5138f7e42f2e2a7717a

                  SHA256

                  c53012df950fa49fa4541ebba24a595ad7db4a046ebdb62033ce05dc30e60bd8

                  SHA512

                  e7e21a5ec10d8ba91cea064bf7b2526f91fa68a6be871613c2be0a5d7384df35da2c0d8499345abdc9d64532f86f0c6b7274ae80ee8fa4158a53aa6483a149d1

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  fcd5f37e5e4066f7cffe8eb106b6ce19

                  SHA1

                  b0a1c4d3d5c96271429fb09cb71055d177c13402

                  SHA256

                  38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

                  SHA512

                  afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore.jsonlz4
                  Filesize

                  883B

                  MD5

                  b03d4171e778727285d345ab0d624092

                  SHA1

                  37fc8b12347d23ba4056e835216e5ce99e5637ec

                  SHA256

                  9a109b6e98d109e36d079f1080686034788fb64511bb8d6a882309cb03e2b9dd

                  SHA512

                  0e4f564ada31532e5c823cf209a34138db9e81f3373248610be5f3b84de053eca66a03fa380b9b1d4a7edce7480bd7bc84ade9b1831bd125d2d7bcd8e41ed611

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\SubDir\Memes.exe
                  Filesize

                  3.1MB

                  MD5

                  5ddcc9baa65b17926f2262a9fe530b93

                  SHA1

                  6fa7fd0df2a9928b6c063fc03b10bdcd84e26008

                  SHA256

                  9ce882116ae23f4d32f4937f2b61ca8deea0c476be41fdd3158dadc14335a45f

                  SHA512

                  79fd0d0ff6115972017fef2c6feeddaf26db86bb69437ca431abd2ba35d4b6c249c7150f3969fd589006b2d3defa674c589610caee5a1585e50f027b06f6aa06

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\SubDir\Memes.exe
                  Filesize

                  3.1MB

                  MD5

                  5ddcc9baa65b17926f2262a9fe530b93

                  SHA1

                  6fa7fd0df2a9928b6c063fc03b10bdcd84e26008

                  SHA256

                  9ce882116ae23f4d32f4937f2b61ca8deea0c476be41fdd3158dadc14335a45f

                  SHA512

                  79fd0d0ff6115972017fef2c6feeddaf26db86bb69437ca431abd2ba35d4b6c249c7150f3969fd589006b2d3defa674c589610caee5a1585e50f027b06f6aa06

                  Download Submit
                • memory/2704-134-0x000000001BD20000-0x000000001BD30000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2704-133-0x0000000000E00000-0x0000000001124000-memory.dmp
                  Filesize

                  3.1MB

                  Download
                • memory/4236-142-0x000000001C750000-0x000000001C7A0000-memory.dmp
                  Filesize

                  320KB

                  Download
                • memory/4236-144-0x00000000031A0000-0x00000000031B0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4236-143-0x000000001C860000-0x000000001C912000-memory.dmp
                  Filesize

                  712KB

                  Download
                • memory/4236-141-0x00000000031A0000-0x00000000031B0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4780-407-0x000002574AF90000-0x000002574AFA0000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4780-411-0x000002574B860000-0x000002574B870000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/4780-418-0x0000025753B20000-0x0000025753B21000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4780-420-0x0000025753BA0000-0x0000025753BA1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4780-422-0x0000025753BA0000-0x0000025753BA1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4780-423-0x0000025753C30000-0x0000025753C31000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4780-424-0x0000025753C30000-0x0000025753C31000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4780-425-0x0000025753C40000-0x0000025753C41000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4780-426-0x0000025753C40000-0x0000025753C41000-memory.dmp
                  Filesize

                  4KB

                  Download