Analysis Overview
SHA256
c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-20 21:34
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-20 21:34
Reported
2024-04-20 21:39
Platform
win11-20240412-en
Max time kernel
273s
Max time network
265s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\window security.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\window security.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32\window security.exe | C:\Windows\System32\window security.exe | N/A |
| File created | C:\Windows\System32\window security.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32 | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32 | C:\Windows\System32\window security.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\window security.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\window security.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2652 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2652 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2652 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\System32\window security.exe |
| PID 2652 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\System32\window security.exe |
| PID 3968 wrote to memory of 3516 | N/A | C:\Windows\System32\window security.exe | C:\Windows\System32\schtasks.exe |
| PID 3968 wrote to memory of 3516 | N/A | C:\Windows\System32\window security.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
C:\Windows\System32\window security.exe
"C:\Windows\System32\window security.exe"
C:\Windows\System32\schtasks.exe
"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
Files
memory/2652-0-0x0000000000A50000-0x0000000000D78000-memory.dmp
memory/2652-1-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp
memory/2652-2-0x000000001BA40000-0x000000001BA50000-memory.dmp
C:\Windows\System32\window security.exe
| Hash | Value |
|---|---|
| MD5 | 4d037c46eaf6b2e5ae5db85ef045c0d1 |
| SHA1 | 7bc3b6647192157a2cc4894f4c58365d9932a2cf |
| SHA256 | c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821 |
| SHA512 | 163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3 |
memory/3968-10-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp
memory/2652-9-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp
memory/3968-11-0x000000001B560000-0x000000001B570000-memory.dmp
memory/3968-12-0x000000001B2B0000-0x000000001B300000-memory.dmp
memory/3968-13-0x000000001BC60000-0x000000001BD12000-memory.dmp
memory/3968-14-0x00007FF8E98D0000-0x00007FF8EA392000-memory.dmp
memory/3968-15-0x000000001B560000-0x000000001B570000-memory.dmp