Malware Analysis Report

2024-10-23 21:29

Sample ID 240412-s2jl5sbf92
Target UzpnR6.exe
SHA256 ffcedb5228f316086a811d910fb0e423ef4d16878369b64808a44ccc8f23ae26
Tags
quasar office04 spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ffcedb5228f316086a811d910fb0e423ef4d16878369b64808a44ccc8f23ae26

Threat Level: Known bad

The file UzpnR6.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware stealer trojan

Quasar RAT

Quasar payload

Reads WinSCP keys stored on the system

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 15:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 15:37

Reported

2024-04-12 15:40

Platform

win10-20240319-en

Max time kernel

163s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4740 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 4740 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 4740 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 3392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4392 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4392 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4392 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe
PID 4392 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe
PID 4548 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4548 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4548 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe C:\Windows\System32\shutdown.exe
PID 4548 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe C:\Windows\System32\shutdown.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe

"C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DisableAV.bat" "

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 us1.localto.net udp
US 162.212.154.8:38905 us1.localto.net tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 8.154.212.162.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/4740-0-0x00000000002D0000-0x0000000000402000-memory.dmp

memory/4740-1-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

memory/4740-2-0x000000001B580000-0x000000001B590000-memory.dmp

memory/1916-7-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

memory/1916-10-0x0000013CD3980000-0x0000013CD3990000-memory.dmp

memory/1916-9-0x0000013CD3980000-0x0000013CD3990000-memory.dmp

memory/1916-8-0x0000013CD3990000-0x0000013CD39B2000-memory.dmp

memory/1916-13-0x0000013CD3B40000-0x0000013CD3BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xuww4rv3.fyc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1916-26-0x0000013CD3980000-0x0000013CD3990000-memory.dmp

memory/1916-49-0x0000013CD3980000-0x0000013CD3990000-memory.dmp

memory/1916-53-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 383aa601a1a3e6722935b017a215f4b8
SHA1 3855b5d5ba3ba2f161bd6d60caac5415e93bd482
SHA256 6d03d6c26940eb9f2f6eaaa1d0a49d3f24a2941ec85bc7f12d3fb72162d780c8
SHA512 ceff9701a5cbc5bc6d61d5ebf0764b54aa056bdb311789f4dec7065a0910050932024498d0ee3a0a7f6b3cce2e5b77ff89d132120a4581536aa33822684f10eb

memory/4392-64-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

memory/4740-65-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

memory/4392-63-0x00000000004B0000-0x00000000007D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DisableAV.bat

MD5 78645ad9e97d2b5f440e02959d9a1985
SHA1 63aae2a1e9a2a346a02faef58552449e25bfca0b
SHA256 83a149d70fcae8ce1bc42082383d09c98141673df509351294f40bb1cb77177d
SHA512 2b6141e0570fb1d44bf9fd5d7dff987ea97f46d58448d4549a5efb9876a9adb8c061c759fb9b0c6be68207df64633f5a7355949597aa5da2aac5a9b7d65de0bf

memory/4392-67-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/4392-74-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

memory/4548-75-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

memory/4548-76-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/4548-77-0x000000001BE80000-0x000000001BED0000-memory.dmp

memory/4548-78-0x000000001BF90000-0x000000001C042000-memory.dmp

memory/4548-79-0x000000001C780000-0x000000001CCA6000-memory.dmp

memory/4548-82-0x000000001BF20000-0x000000001BF32000-memory.dmp

memory/4548-83-0x000000001C250000-0x000000001C28E000-memory.dmp

memory/4548-85-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp

memory/4548-86-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/4548-87-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/4548-88-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/4548-93-0x00007FFD4E3B0000-0x00007FFD4ED9C000-memory.dmp