Malware Analysis Report

2024-10-19 08:41

Sample ID 240418-1ve95sha3v
Target Client-built.exe
SHA256 a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-18 21:58

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 21:57

Reported

2024-04-18 21:58

Platform

win7-20240215-en

Max time kernel

32s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File created | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 764 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 764 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 764 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 764 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\SubDir\updale.exe
PID 764 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\SubDir\updale.exe
PID 764 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\SubDir\updale.exe
PID 1948 wrote to memory of 2656 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 1948 wrote to memory of 2656 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 1948 wrote to memory of 2656 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 1948 wrote to memory of 2692 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 2692 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 2692 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2692 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2692 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2692 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2692 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2692 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2692 wrote to memory of 2452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 2692 wrote to memory of 2452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 2692 wrote to memory of 2452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 2452 wrote to memory of 2972 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2452 wrote to memory of 2972 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2452 wrote to memory of 2972 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2452 wrote to memory of 1592 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2452 wrote to memory of 1592 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2452 wrote to memory of 1592 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 1592 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1592 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1592 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1592 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1592 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1592 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1592 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 1592 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 1592 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 2992 wrote to memory of 852 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 852 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 852 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 1920 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 1920 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 1920 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1920 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1920 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1920 wrote to memory of 2884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1920 wrote to memory of 2884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1920 wrote to memory of 2884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1920 wrote to memory of 2068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 1920 wrote to memory of 2068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 1920 wrote to memory of 2068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 2068 wrote to memory of 480 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2068 wrote to memory of 480 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2068 wrote to memory of 480 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\schtasks.exe
PID 2068 wrote to memory of 1752 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2068 wrote to memory of 1752 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2068 wrote to memory of 1752 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1752 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1752 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1752 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1752 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1752 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gr2I1MOKHAkw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FFtqHX0hE9Kn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jR2ZObGD7JDf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fn5vsx1QIngE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | funlink.ddns.net | udp

Files

memory/764-0-0x0000000001140000-0x0000000001464000-memory.dmp

memory/764-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/764-2-0x000000001B2C0000-0x000000001B340000-memory.dmp

C:\Windows\System32\SubDir\updale.exe

MD5 2c1fba8d6624adf6c582fb2d5fb43b28
SHA1 bd45ee984e9476d604824f83c6cf6111a9db2467
SHA256 a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
SHA512 cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19

memory/764-8-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/1948-9-0x0000000001120000-0x0000000001444000-memory.dmp

memory/1948-11-0x000000001AF60000-0x000000001AFE0000-memory.dmp

memory/1948-10-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gr2I1MOKHAkw.bat

MD5 590d82d8e8a4f503e49fadea281133c6
SHA1 c0190faffb6983c8f801748d5adbb70d2ad56616
SHA256 4423a5abd96f27128398dd320ca43c9ce8ce69c461d07e4efd1d7b8f410f57a2
SHA512 bcc76d9980b3e8cd49e5f8984b65848b75e16977281ef8427e76dc9b65df81f24442848b96a1c91ec4dcae2c5e241573eb6f4c504f71ec8b08fa0af4edebdcd5

memory/1948-20-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

memory/2452-23-0x00000000013D0000-0x00000000016F4000-memory.dmp

memory/2452-24-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

memory/2452-25-0x000000001B470000-0x000000001B4F0000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\FFtqHX0hE9Kn.bat

MD5 370de616496f2ce55fe25cc0ec576a3b
SHA1 418a2d1f85a8c2b2a40e04eaab5ceccdac8b1215
SHA256 6759873dd19605915c91f604abdc375f1f82a02616d24ef061fd1b82e3db2273
SHA512 e577ad8ce9c080768b1685268530d383f00a56d52b847544b553919e0b50166d6309ee6bbb955892064f43c50b9df01328313e2d84d7b79fd52f635e79a03758

memory/2452-35-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

memory/2992-38-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

memory/2992-39-0x000000001AFA0000-0x000000001B020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jR2ZObGD7JDf.bat

MD5 c14ac3ea67dd5970c2221cd5d5ce5803
SHA1 9e29cde296d25436f1127ec66d8b5cba1955f93c
SHA256 ebeca62a9ca902e0cf69fecc604134d511910aaf4ed471fe78aeb87831fb0cd8
SHA512 d624e0c5e7385d6155cd028d4cdea4f38b817adf88a6df95d2387a603dc3eb9ef47a5eba7590bb7ba7117116eb6e0103f83a2092bc9952eda084373fc7e7bfdf

memory/2992-49-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

memory/2068-51-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fn5vsx1QIngE.bat

MD5 8d5e164e2bc664938a4b6328f584f804
SHA1 38dd10f2de3a825b6f3543e68783b786323db4af
SHA256 ac1ea5cc8dfc8806181b3c9b44888fa660b592b75cb26fb4ee9a749daa933b15
SHA512 afa8f166b5bd1095f54ba84bbe0e87bc66b651b2ddcf6a9059eb331eccf2b6ad1745e794cf8fcc09e4b0b4c2e4268bcb1c05fcbe9132f30c3e242bf5a04c6f2e

memory/2068-61-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp