Analysis Overview
SHA256
6b517b4c93d1e289ea050f303ff87dcdd1e92068932ffdbbccc7744563a926bc
Threat Level: Known bad
The file Release.rar was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 21:23
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 21:23
Reported
2024-06-14 21:25
Platform
win10v2004-20240611-en
Max time kernel
12s
Max time network
6s
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe
"C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 21:23
Reported
2024-06-14 21:27
Platform
win11-20240611-en
Max time kernel
148s
Max time network
150s
Signatures
Quasar RAT
Quasar payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Client-Built.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "13" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\NodeSlot = "14" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "12" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000020000000100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Downloads" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e8005398e082303024b98265d99428e115f0000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000018848e965fbcda0156e555985fbcda0121bc37ba5fbcda0114000000 | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Client-Built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Client-Built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Client-Built.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe | C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe
"C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe
"C:\Users\Admin\AppData\Local\Temp\Release\net452\Quasar.exe"
C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe
"C:\Users\Admin\AppData\Local\Temp\Release\net452\Phantom.exe"
C:\Users\Admin\Desktop\Client-Built.exe
"C:\Users\Admin\Desktop\Client-Built.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| N/A | 127.0.0.1:4782 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Release\net452\input.txt
| MD5 | da9cdde3bd350fca87db62d4d6159f9d |
| SHA1 | 353d66fa0a781fe14627ecb24dcffde31c65164d |
| SHA256 | b88f6c4b5d9bcabc2d92d2d6369c0b0cb83509ff83594742d093ade88d84fe8e |
| SHA512 | 4ad85d4c2bcb821ac5a28c66aa90180e03c2a4ba5771449dd96fa16fed36f8ed6cfa47b78d6cc44e69a513eee7263ad373927444c6a7e8f79dc2309c99403577 |
C:\Users\Admin\Desktop\Client-Built.exe
| MD5 | 1bfae77e0ead574124d2c7d77230f599 |
| SHA1 | 28a14000ac5d843016ba55ec9324192ab74cdd1d |
| SHA256 | 38ab5d396047ba4b9b7c26663c5303a7c4c7a42f654961be25590c25054a2540 |
| SHA512 | 7f328efe20756970483d3dbd9190933ebbda188a01502123e6b3823be75a374b8e5e79c30d3c1e15f4b60bd53f84427ee0fae7e73ac94c6f24669e1c9695fff6 |