Overview

overview

10

Static

static

10

hello.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 23:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hello.exe

  • Size

    3.1MB

  • MD5

    b92b7e16f21a97fbe21c4c45deb00587

  • SHA1

    e4af65acfac45c31dceacdf9a2e1d18cde2537c2

  • SHA256

    651ed1a03871a47dcf548e56fe4cefb8862a89a27f01f2e377bd68dfe1ca531f

  • SHA512

    7c5813bf73ee7deca78774861b2632d4a0fb7b3b62996cc54ae0b16baa62a0f360f31fa810b73c5fc922321b6ce0807e69bc02e35f98d7f350086283f8836931

  • SSDEEP

    49152:zvOlL26AaNeWgPhlmVqvMQ7XSK8Hzh7mzBSoGdtkTHHB72eh2NT:zv+L26AaNeWgPhlmVqkQ7XSK2zhv

Score
10/10
quasartestspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

C2

47.134.26.200:4782

193.161.193.99:23325
Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes
  • encryption_key

    8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    MS Build Tools

  • subdirectory

    Microsoft-Build-Tools

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 63 IoCs
  • Suspicious use of SendNotifyMessage 61 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\hello.exe
    "C:\Users\Admin\AppData\Local\Temp\hello.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1804
    • C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3484
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4904
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd0083ab58,0x7ffd0083ab68,0x7ffd0083ab78
      2⤵
        PID:4348
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:2
        2⤵
          PID:2428
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:8
          2⤵
            PID:3756
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2296 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:8
            2⤵
              PID:32
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:1
              2⤵
                PID:3184
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:1
                2⤵
                  PID:3584
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3720 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:1
                  2⤵
                    PID:1180
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:8
                    2⤵
                      PID:3316
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:8
                      2⤵
                        PID:2280
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:8
                        2⤵
                          PID:4548
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:8
                          2⤵
                            PID:3484
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:8
                            2⤵
                              PID:3128
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4524 --field-trial-handle=1900,i,9103765663947946463,11227189992208124187,131072 /prefetch:1
                              2⤵
                                PID:3324
                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                              1⤵
                                PID:1088

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                Filesize

                                857B

                                MD5

                                aac62d13dd70b600ac7107757c1e3375

                                SHA1

                                7ec4aa724de345ca2a001d34ad4a9f5e53d12cee

                                SHA256

                                8dfe64ced5d393256c6c3da46c26f84556230c8d856106989f8dbe3a72a4d26e

                                SHA512

                                9b3066870e4d0ab66a9f1d7eccfb2bb4b9ffd26a3d1a0914b614c0ce73291053adf1fb8750192f51070f5a7f4ef6cf2c74317ed8ce30d6eabc8897bf15b93ba1

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                76216701fb17b0f03921646a9ae78b91

                                SHA1

                                d10b56288f5ce58587d04ee42648b9d166270971

                                SHA256

                                9ce3ca9bec7039b0b500ffda3ba18b03f199efa2eaee6d7f8f3eee1025e5ad63

                                SHA512

                                b531a43f0ea70f44ad93ec05c0a9ed70e3f9d2ebb769e5b85d15e1b66bdfdbf7058814ea939af722287e3be662521a731dc53247448ac0be61983e75df9307df

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                Filesize

                                16KB

                                MD5

                                865e600b254989a8e117fc8a593cf995

                                SHA1

                                0db0fd174d9893de83b9e83dd15da68e658f1cd0

                                SHA256

                                97316a719fa1b5f1294822a29ccd53757bdd75f127a4e94ba33c45e1990ba9e3

                                SHA512

                                f62ef706b1e6f40f7afc8d1044c98f8102189e6891b82fc22af8677ea1e8c1aedf6d29a5f4e2363628568b6e638d61bd51fd69d62df44813cba1daeb369b02ab

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                257KB

                                MD5

                                803a135bd5a3e65454acc93a77518300

                                SHA1

                                26b167fba26a84e0b0d15136e5fdf9ba64fc20cd

                                SHA256

                                5477ef9497404bb1d014eeed7dce31821e868bdb26230f3c264d8a513e8f25b3

                                SHA512

                                12939e15986bc3224f7f3a8f735ccde13e6771ede161615bd91ca87e2bb518276d076b5b113a345e43c06b7deb7354c3e3baa28692d0fb9cf2b33b786db4a837

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                260KB

                                MD5

                                0703bb1365963f7fd820a3c2f3fe8aa5

                                SHA1

                                5bf940912864d2ccf0481c75c3466dda0d358a52

                                SHA256

                                9fd01ea7a19df16a170ade99584c36a74341c22601a3c249d6dfbc83dcc4c57f

                                SHA512

                                886b6f6c61a282532bcd9988e82db30e5954577b6ed7088f94dfe408452dc76da2f16c5f74783c3dbbb9c67c39f3efcb4056fcc168d9730460ce6415f206c1fd

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe
                                Filesize

                                3.1MB

                                MD5

                                b92b7e16f21a97fbe21c4c45deb00587

                                SHA1

                                e4af65acfac45c31dceacdf9a2e1d18cde2537c2

                                SHA256

                                651ed1a03871a47dcf548e56fe4cefb8862a89a27f01f2e377bd68dfe1ca531f

                                SHA512

                                7c5813bf73ee7deca78774861b2632d4a0fb7b3b62996cc54ae0b16baa62a0f360f31fa810b73c5fc922321b6ce0807e69bc02e35f98d7f350086283f8836931

                                Download Submit

                              • \??\pipe\crashpad_2516_NVOBAWHIVTRUSPKN
                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                Download Submit

                              • memory/1460-1-0x00000000003C0000-0x00000000006E4000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/1460-2-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1460-9-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1460-0-0x00007FFD06B13000-0x00007FFD06B15000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/2264-11-0x000000001B6D0000-0x000000001B720000-memory.dmp

                                Filesize

                                320KB

                                Download

                              • memory/2264-63-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2264-8-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2264-10-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2264-12-0x000000001B7E0000-0x000000001B892000-memory.dmp

                                Filesize

                                712KB

                                Download

                              • memory/2264-69-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4904-22-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-19-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-15-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-14-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-20-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-21-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-13-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-25-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-23-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4904-24-0x0000015854A20000-0x0000015854A21000-memory.dmp

                                Filesize

                                4KB

                                Download