Analysis

  • max time kernel
    84s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-04-2024 21:45

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    4d037c46eaf6b2e5ae5db85ef045c0d1

  • SHA1

    7bc3b6647192157a2cc4894f4c58365d9932a2cf

  • SHA256

    c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821

  • SHA512

    163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3

  • SSDEEP

    49152:8vGlL26AaNeWgPhlmVqvMQ7XSKGSRJ6pbR3LoGd+THHB72eh2NTf:8vGL26AaNeWgPhlmVqkQ7XSKGSRJ6rP

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.154:4782

Mutex

ba502bba-c1c8-4a0b-95e6-4b1a3d5f551e

Attributes
  • encryption_key

    7195172212FD0C3E2300AE89FC3318C365A0CFF8

  • install_name

    window security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    window security

  • subdirectory

    C:\Windows\System32

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2000
    • C:\Windows\System32\window security.exe
      "C:\Windows\System32\window security.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\System32\schtasks.exe
        "schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2592
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1f99758,0x7fef1f99768,0x7fef1f99778
      2⤵
      PID:2604
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:2
      2⤵
      PID:2496
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
      2⤵
      PID:2572
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
      2⤵
      PID:2716
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:1
      2⤵
      PID:2808
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:1
      2⤵
      PID:2832
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:2
      2⤵
      PID:1496
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:1
      2⤵
      PID:2520
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
      2⤵
      PID:1784
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3524 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
      2⤵
      PID:1624
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
      2⤵
      PID:1168
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3748 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
      2⤵
      PID:968
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
      2⤵
      PID:2160
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
    Filesize: 16B
    MD5: aefd77f47fb84fae5ea194496b44c67a
    SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
    SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
    SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 986B
    MD5: 42f21bb8e8a6848858bc28b8f6f03af8
    SHA1: 3ee9b09659ddde09da4ea2ddae0a3587ab51d625
    SHA256: 09b3e3763e9d5633edbcbe004f29e2b3d3779b00b494017fb6619142c24ab829
    SHA512: 999ca27270bea5230aa1a0aecb75449c9b603a53d5e1fec35e78eff594ef087b324ea7a7c98add803c587bc03dec60b29663f46f5f58356e52c8fccafa48f370

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 9863317487d62d4e7316c3db4c4087f1
    SHA1: 49c8787b7a46755fe9ed121ca17c860250a4049f
    SHA256: 0136dd6678b2a90364f0b18dce680fdaeff656d089e03537c561333aad3efcf1
    SHA512: cc62b5689fab2adeda1c214666a5ffcbfcc7104c6d3010f556585785651ab291306eadc4cd18f2fd49534d7e1eae90a6140f5b0606c847235bcadea464f16bc6

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: ae91bfcb0b2f1e45fe33e155f0cd90a6
    SHA1: 3010bb9d1bc91cf74dbf485e435bc98301b25db5
    SHA256: 97c48ca8a2db9bd9dfd894da62c7bf5106424c8980bda0f507aa9d053fa7b9b9
    SHA512: 08f6b6899d464701af16d44a8b639a005cf490bf61872a25edaf7a37dcabb8ecd1cd3ce8efa8e77f536a04ac5953714299eee30c758be91fc08bd8b33f63552b

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
    Filesize: 16B
    MD5: 18e723571b00fb1694a3bad6c78e4054
    SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Windows\System32\window security.exe
    Filesize: 3.1MB
    MD5: 4d037c46eaf6b2e5ae5db85ef045c0d1
    SHA1: 7bc3b6647192157a2cc4894f4c58365d9932a2cf
    SHA256: c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821
    SHA512: 163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3

  • \??\pipe\crashpad_2684_YKFANYFXOAGZCBSG
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2212-1-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
    Filesize: 9.9MB

  • memory/2212-2-0x000000001B1A0000-0x000000001B220000-memory.dmp
    Filesize: 512KB

  • memory/2212-0-0x0000000000140000-0x0000000000468000-memory.dmp
    Filesize: 3.2MB

  • memory/2212-9-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
    Filesize: 9.9MB

  • memory/2364-8-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
    Filesize: 9.9MB

  • memory/2364-110-0x000000001B3B0000-0x000000001B430000-memory.dmp
    Filesize: 512KB

  • memory/2364-106-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
    Filesize: 9.9MB

  • memory/2364-11-0x000000001B3B0000-0x000000001B430000-memory.dmp
    Filesize: 512KB

  • memory/2364-10-0x0000000000F70000-0x0000000001298000-memory.dmp
    Filesize: 3.2MB