Malware Analysis Report

2024-10-19 08:36

Sample ID 240728-snfcka1bjr
Target 1d686b05f745875e28939abe357baedd169b59f5a0d88.exe
SHA256 1d686b05f745875e28939abe357baedd169b59f5a0d8825b602fd803a6303ba3
Tags
office04 quasar spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1d686b05f745875e28939abe357baedd169b59f5a0d8825b602fd803a6303ba3

Threat Level: Known bad

The file 1d686b05f745875e28939abe357baedd169b59f5a0d88.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-07-28 15:16

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 15:16

Reported

2024-07-28 15:18

Platform

win7-20240704-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browser\edge.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\browser\edge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browser\edge.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe

"C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\browser\edge.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\browser\edge.exe

"C:\Users\Admin\AppData\Roaming\browser\edge.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\browser\edge.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
DE 193.42.11.9:4329 tcp

Files

C:\Users\Admin\AppData\Roaming\browser\edge.exe

MD5 e3e1f7fa42dd68f410bb885f0aefe5e3
SHA1 d51edc519d86a11e6533cd4cac8f190dd3f7d4bb
SHA256 1d686b05f745875e28939abe357baedd169b59f5a0d8825b602fd803a6303ba3
SHA512 92ac0379074366a4dbb9235d8c61935be6d8086629611dbcdecdaf680a0a8636f7810d4f6394dbdee5b1e463842284ab9855534da4627677965557e8eb609aa3

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 15:16

Reported

2024-07-28 15:18

Platform

win10v2004-20240709-en

Max time kernel

121s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browser\edge.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\browser\edge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browser\edge.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe

"C:\Users\Admin\AppData\Local\Temp\1d686b05f745875e28939abe357baedd169b59f5a0d88.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\browser\edge.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\browser\edge.exe

"C:\Users\Admin\AppData\Roaming\browser\edge.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\browser\edge.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Roaming\browser\edge.exe

MD5 e3e1f7fa42dd68f410bb885f0aefe5e3
SHA1 d51edc519d86a11e6533cd4cac8f190dd3f7d4bb
SHA256 1d686b05f745875e28939abe357baedd169b59f5a0d8825b602fd803a6303ba3
SHA512 92ac0379074366a4dbb9235d8c61935be6d8086629611dbcdecdaf680a0a8636f7810d4f6394dbdee5b1e463842284ab9855534da4627677965557e8eb609aa3
