Malware Analysis Report

2024-10-19 08:42

Sample ID 240420-1eswasae76
Target Client-built.exe
SHA256 c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-20 21:34

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 21:34

Reported

2024-04-20 21:39

Platform

win11-20240412-en

Max time kernel

273s

Max time network

265s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\window security.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\window security.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
File opened for modification C:\Windows\System32\window security.exe C:\Windows\System32\window security.exe N/A
File created C:\Windows\System32\window security.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\System32 C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
File opened for modification C:\Windows\System32 C:\Windows\System32\window security.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\window security.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\window security.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f

C:\Windows\System32\window security.exe

"C:\Windows\System32\window security.exe"

C:\Windows\System32\schtasks.exe

"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp
N/A 192.168.1.154:4782 tcp

Files

memory/2652-0-0x0000000000A50000-0x0000000000D78000-memory.dmp

memory/2652-1-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp

memory/2652-2-0x000000001BA40000-0x000000001BA50000-memory.dmp

C:\Windows\System32\window security.exe

MD5 4d037c46eaf6b2e5ae5db85ef045c0d1
SHA1 7bc3b6647192157a2cc4894f4c58365d9932a2cf
SHA256 c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821
SHA512 163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3

memory/3968-10-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp

memory/2652-9-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp

memory/3968-11-0x000000001B560000-0x000000001B570000-memory.dmp

memory/3968-12-0x000000001B2B0000-0x000000001B300000-memory.dmp

memory/3968-13-0x000000001BC60000-0x000000001BD12000-memory.dmp

memory/3968-14-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp

memory/3968-15-0x000000001B560000-0x000000001B570000-memory.dmp