Analysis Overview
SHA256
f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Executes dropped EXE
Unsigned PE
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-31 00:37
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-31 00:37
Reported
2024-03-31 01:07
Platform
win10v2004-20240226-en
Max time kernel
1796s
Max time network
1799s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3416 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3416 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3416 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe |
| PID 3416 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe |
| PID 4552 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4552 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe
"C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
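The two schtasks lines above are the whole persistence mechanism: both the original dropper and the copy it writes to AppData\Roaming\Windows register a task called "Windows Updater" that launches WOS64UPD.exe at every logon with the highest run level, and /f makes the second registration overwrite the first without error. The Python below is an added triage helper for this report, not part of the sandbox's output or of Quasar; it parses those recorded command lines into a structured task and lists why each one is suspicious. The command lines are copied from the report; the scoring rules are the editor's own heuristics, and the regex of user-writable locations is an assumption that fits this sample.

```python
"""Parse the schtasks /create command lines recorded in the Processes section
and explain why the resulting task is a persistence indicator.

Added example for this report; not part of the sandbox's tooling. The
findings below are the editor's heuristics, not a vendor's signatures.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Command lines copied from the report (behavioral2). The dropper and the
# dropped copy both (re)create the same task, so the input is repetitive
# on purpose: a triage tool must de-duplicate.
REPORT_CMDLINES = [
    '"schtasks" /create /tn "Windows Updater" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\WOS64UPD.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "Windows Updater" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\WOS64UPD.exe" /rl HIGHEST /f',
]

# Locations an unprivileged user can write to (assumed list): a persisted
# binary here is a stronger signal than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


@dataclass
class ScheduledTask:
    name: str
    schedule: str
    action: str
    run_level: str
    force: bool
    findings: list[str] = field(default_factory=list)


def tokenize_windows_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace outside double quotes, keeping backslashes literal.
    POSIX shlex is avoided because it treats backslashes as escapes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks_create(cmdline: str) -> ScheduledTask | None:
    """Return the task a ``schtasks /create`` line defines, or None for any
    other command line. Switches are case-insensitive, as in schtasks itself."""
    toks = tokenize_windows_cmdline(cmdline)
    if not toks:
        return None
    image = ntpath.basename(toks[0]).lower()
    lowered = [t.lower() for t in toks]
    if image not in ("schtasks", "schtasks.exe") or "/create" not in lowered:
        return None
    opts, force, i = {}, False, 1
    while i < len(toks):
        if lowered[i] == "/f":
            force = True
        elif lowered[i] in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            opts[lowered[i]] = toks[i + 1]
            i += 1
        i += 1
    # schtasks defaults the run level to LIMITED when /rl is absent.
    return ScheduledTask(
        name=opts.get("/tn", ""),
        schedule=opts.get("/sc", "").upper(),
        action=opts.get("/tr", ""),
        run_level=opts.get("/rl", "LIMITED").upper(),
        force=force,
    )


def assess(task: ScheduledTask) -> ScheduledTask:
    """Attach human-readable findings; each is an independent signal."""
    f = task.findings
    if task.schedule == "ONLOGON":
        f.append("triggers at every logon (scheduled-task persistence, T1053.005)")
    if task.run_level == "HIGHEST":
        f.append("requests the highest privileges the account can obtain")
    if USER_WRITABLE.search(task.action):
        f.append(f"action binary is in a user-writable path: {task.action}")
    if re.search(r"windows|update", task.name, re.IGNORECASE):
        f.append(f"task name {task.name!r} mimics an OS component")
    if task.force:
        f.append("/f silently replaces any existing task of that name")
    return task


def triage(cmdlines: list[str]) -> list[ScheduledTask]:
    """Parse every schtasks line, de-duplicate by (name, action), and assess."""
    seen: dict[tuple[str, str], ScheduledTask] = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        key = (task.name.lower(), task.action.lower())
        if key not in seen:
            seen[key] = assess(task)
    return list(seen.values())


if __name__ == "__main__":
    for t in triage(REPORT_CMDLINES):
        print(f"{t.name} -> {t.action} [{t.schedule}, {t.run_level}]")
        for reason in t.findings:
            print("  -", reason)
```

On a live host the same facts are recoverable with `schtasks /query /tn "Windows Updater" /v /fo LIST`; the task name and the action path are the things to hunt for, since the file hash (SHA256 f2e04196...) will change with the next build while the persistence pattern usually does not.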
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 140.238.91.110:44867 | | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 110.91.238.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
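Most of this table is noise: reverse-DNS lookups to 8.8.8.8 that the sandbox and the OS generate on their own. The rows that matter are the repeated direct TCP connections to 140.238.91.110:44867 with no domain name (a bare IP on a non-web port, reconnected to throughout the run, which is how a RAT beacons to its controller) and the lookup of ipwho.is, a public IP-geolocation service that every one of the three runs contacts. The Python below is an added example for this report, not part of the sandbox output; it parses rows in this page's pipe-table format, repairs rows where the extraction shifted the protocol into the Domain column, and buckets them. The rows are copied from the behavioral2 and behavioral3 tables; the classification rules are the editor's heuristics.

```python
"""Pull network indicators out of the report's Network tables.

Added example for this report, not part of the sandbox output. The rows
below are copied from the behavioral2 and behavioral3 tables, including
rows the page extraction shifted so the protocol sits in the Domain column
or dropped the last cell; the parser repairs both. Classification rules are
the editor's heuristics.
"""
from collections import Counter

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 140.238.91.110:44867 | tcp | |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 110.91.238.140.in-addr.arpa | udp |
| US | 52.111.229.19:443 | tcp | |
| GB | 140.238.91.110:44867 | tcp | |
| GB | 140.238.91.110:44867 | tcp |
"""


def parse_network_table(text: str) -> list[dict]:
    """Parse pipe-delimited rows into dicts, tolerating shifted or short rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0].lower() == "country":      # header row
            continue
        cells += [""] * (4 - len(cells))       # pad a row missing trailing cells
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:   # shifted row
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(rows: list[dict]) -> dict:
    """Bucket rows: reverse-DNS noise, IP-geolocation lookups, C2 candidates
    (direct TCP to a bare IP on a non-web port, counted per endpoint), and a
    manual-review bucket for direct TCP to web ports."""
    c2 = Counter()
    geo, reverse_dns, review = set(), 0, []
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            reverse_dns += 1
        elif r["domain"] == "ipwho.is":
            geo.add("dns" if r["proto"] == "udp" else f'{r["host"]}:{r["port"]}')
        elif r["proto"] == "tcp" and not r["domain"] and r["port"] not in (80, 443):
            c2[(r["host"], r["port"])] += 1
        else:
            review.append(r)
    return {"c2_candidates": dict(c2), "geolocation": geo,
            "reverse_dns_lookups": reverse_dns, "review": review}


def ioc_lines(summary: dict) -> list[str]:
    """One line per network indicator worth blocking or hunting for."""
    out = [f"{host}:{port}/tcp  ({n} connections)"
           for (host, port), n in sorted(summary["c2_candidates"].items())]
    out += [f"{g}  (ipwho.is geolocation lookup)"
            for g in sorted(summary["geolocation"]) if g != "dns"]
    return out


if __name__ == "__main__":
    summary = classify(parse_network_table(NETWORK_TABLE))
    print(f"reverse-DNS rows ignored: {summary['reverse_dns_lookups']}")
    for line in ioc_lines(summary):
        print(line)
    for r in summary["review"]:
        print(f"review manually: {r['host']}:{r['port']}/{r['proto']}")
```

The 52.111.229.19:443 row lands in the review bucket rather than being called C2: direct TCP to a web port with no recorded domain is ambiguous in a sandbox, and the report gives no basis for attributing it to the sample.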
Files
memory/3416-0-0x0000000000A50000-0x0000000000D74000-memory.dmp
memory/3416-1-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp
memory/3416-2-0x000000001BA90000-0x000000001BAA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe
| MD5 | 57045c2bf3377b12aa5abce21cc0a99d |
| SHA1 | 217202ed404f25fc550ad70fd7066b0fe8773ef9 |
| SHA256 | f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2 |
| SHA512 | 9ab46cc194eeaabb75777457a01328f5a8d2ebf604efba0623575cf25c04e206e416ee72db17e3c92a9d363330f82fa3ce2aac64c2a4a61d4dce34d79b73366e |
memory/3416-8-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp
memory/4552-9-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp
memory/4552-10-0x000000001BDC0000-0x000000001BDD0000-memory.dmp
memory/4552-11-0x000000001BCF0000-0x000000001BD40000-memory.dmp
memory/4552-12-0x000000001C6A0000-0x000000001C752000-memory.dmp
memory/4552-15-0x000000001BDA0000-0x000000001BDB2000-memory.dmp
memory/4552-16-0x000000001C620000-0x000000001C65C000-memory.dmp
memory/4552-17-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp
memory/3704-18-0x0000025ADA360000-0x0000025ADA370000-memory.dmp
memory/3704-34-0x0000025ADA460000-0x0000025ADA470000-memory.dmp
memory/3704-50-0x0000025AE27D0000-0x0000025AE27D1000-memory.dmp
memory/3704-52-0x0000025AE2800000-0x0000025AE2801000-memory.dmp
memory/3704-53-0x0000025AE2800000-0x0000025AE2801000-memory.dmp
memory/3704-54-0x0000025AE2910000-0x0000025AE2911000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-31 00:37
Reported
2024-03-31 01:07
Platform
win11-20240221-en
Max time kernel
1796s
Max time network
1800s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4780 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4780 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4780 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe |
| PID 4780 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe |
| PID 1928 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1928 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe
"C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| GB | 140.238.91.110:44867 | | tcp |
| US | 8.8.8.8:53 | 110.91.238.140.in-addr.arpa | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 52.111.229.19:443 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
Files
memory/4780-0-0x0000000000E70000-0x0000000001194000-memory.dmp
memory/4780-1-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/4780-2-0x000000001BE80000-0x000000001BE90000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe
| MD5 | 57045c2bf3377b12aa5abce21cc0a99d |
| SHA1 | 217202ed404f25fc550ad70fd7066b0fe8773ef9 |
| SHA256 | f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2 |
| SHA512 | 9ab46cc194eeaabb75777457a01328f5a8d2ebf604efba0623575cf25c04e206e416ee72db17e3c92a9d363330f82fa3ce2aac64c2a4a61d4dce34d79b73366e |
memory/1928-8-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/4780-9-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/1928-10-0x000000001AFB0000-0x000000001AFC0000-memory.dmp
memory/1928-11-0x000000001B740000-0x000000001B790000-memory.dmp
memory/1928-12-0x000000001B850000-0x000000001B902000-memory.dmp
memory/1928-15-0x000000001B7E0000-0x000000001B7F2000-memory.dmp
memory/1928-16-0x000000001C360000-0x000000001C39C000-memory.dmp
memory/1928-17-0x00007FFDA5710000-0x00007FFDA61D2000-memory.dmp
memory/1928-18-0x000000001AFB0000-0x000000001AFC0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-31 00:37
Reported
2024-03-31 01:07
Platform
win10-20240221-en
Max time kernel
1798s
Max time network
1810s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4584 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4584 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4584 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe |
| PID 4584 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe |
| PID 4600 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4600 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe
"C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 110.91.238.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
| GB | 140.238.91.110:44867 | | tcp |
Files
memory/4584-0-0x0000000000A30000-0x0000000000D54000-memory.dmp
memory/4584-1-0x00007FFB8B6F0000-0x00007FFB8C0DC000-memory.dmp
memory/4584-2-0x000000001BB10000-0x000000001BB20000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe
| MD5 | 57045c2bf3377b12aa5abce21cc0a99d |
| SHA1 | 217202ed404f25fc550ad70fd7066b0fe8773ef9 |
| SHA256 | f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2 |
| SHA512 | 9ab46cc194eeaabb75777457a01328f5a8d2ebf604efba0623575cf25c04e206e416ee72db17e3c92a9d363330f82fa3ce2aac64c2a4a61d4dce34d79b73366e |
memory/4584-9-0x00007FFB8B6F0000-0x00007FFB8C0DC000-memory.dmp
memory/4600-8-0x00007FFB8B6F0000-0x00007FFB8C0DC000-memory.dmp
memory/4600-10-0x000000001BAC0000-0x000000001BAD0000-memory.dmp
memory/4600-11-0x000000001C1E0000-0x000000001C230000-memory.dmp
memory/4600-12-0x000000001C2F0000-0x000000001C3A2000-memory.dmp
memory/4600-15-0x000000001C250000-0x000000001C262000-memory.dmp
memory/4600-16-0x000000001C2B0000-0x000000001C2EE000-memory.dmp
memory/4600-17-0x00007FFB8B6F0000-0x00007FFB8C0DC000-memory.dmp
memory/4600-18-0x000000001BAC0000-0x000000001BAD0000-memory.dmp