Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/10/2024, 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    6c0a0f358f0a60055f0426822240fdc6

  • SHA1

    8e9bf932812121416df746c4290e6eaf52a6ba83

  • SHA256

    1db4785c2e4ffdbc8a18149d6da1ae157cb234e1837e5aae5de5db799825b0fe

  • SHA512

    c81992d751e8122e0fe34b5f9dd79220091bcfc2c777421693edf344bfc427f07239e39bf266ab8974f2c2b28463a5e830e42b4401615615202e551903a6dbab

  • SSDEEP

    49152:avbI22SsaNYfdPBldt698dBcjHhXYRxkDvJcQoGdPTHHB72eh2NT:avk22SsaNYfdPBldt6+dBcjHEk7

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

127.0.0.1:4782

127.0.0.1:80
Mutex

41dbc4e3-4c49-4e37-971d-bce5c6356d47

Attributes
  • encryption_key

    5446A6EE72AE0400FB80FEE45AC7AEB6FA7DD14B

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:852
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressInvoke.cmd" "
    1⤵
      PID:4452
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressInvoke.cmd" "
      1⤵
        PID:3460
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        1⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\SysWOW64\unregmp2.exe
          "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\system32\unregmp2.exe
            "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            3⤵
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            PID:1796
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 3000
          2⤵
          • Program crash
          PID:800
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
        1⤵
        • Drops file in Windows directory
        PID:712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3556 -ip 3556
        1⤵
          PID:3244

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
          Filesize

          64KB

          MD5

          c374c25875887db7d072033f817b6ce1

          SHA1

          3a6d10268f30e42f973dadf044dba7497e05cdaf

          SHA256

          05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

          SHA512

          6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
          Filesize

          1024KB

          MD5

          182d447ba593045192ec7240d68be1cc

          SHA1

          68d6fee11bad59754fbc82ae722a56896d86889c

          SHA256

          fc9e3aa54f926926239aa945040956ecc3f119b895749462f357820a0d3776ad

          SHA512

          1a80f1fbf6b1b0d6003059cae6c27648c0279681c4e5581b7a1c1465704ac74e7acffdde2ed5b34553513940642f4eda3c9b81eaf7c98d04c5826f061310a2c1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
          Filesize

          498B

          MD5

          90be2701c8112bebc6bd58a7de19846e

          SHA1

          a95be407036982392e2e684fb9ff6602ecad6f1e

          SHA256

          644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

          SHA512

          d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
          Filesize

          9KB

          MD5

          7050d5ae8acfbe560fa11073fef8185d

          SHA1

          5bc38e77ff06785fe0aec5a345c4ccd15752560e

          SHA256

          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

          SHA512

          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
          Filesize

          1KB

          MD5

          304041feb81f29c21aee85dc1cba8035

          SHA1

          c922b032044ab9ba768699f809afbd66e375c55c

          SHA256

          7333c9d3bc46d6dd6d5a89e66fd2b634c0a527b80e6ea9f82107a118719b079f

          SHA512

          f9fc92f81d3325387822e0ddefa3f90a1d30e651a683a31bfd6b75083c5fc1c27a80e45658ee32c4884f9abb919de7eef7ff0629568bf15d0fd4ac82e8ffa34b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
          Filesize

          1KB

          MD5

          fb77fade2ec9d8fb2f80911be1027cd0

          SHA1

          85a01813faedaed649443c1cea9ddca86ce935c6

          SHA256

          1a7b6bc23652f74388240d1739e1c79947378ea90342a6ca9d68d3dfd1b1dd00

          SHA512

          991f852e3b15aca80118a69cce0a77046d8850c8b81e342e79808895e5285d148203b13c3d3e2471a0e1f6652093e4cfbf7db6775ae7fe0c6b65b497535f8f7e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
          Filesize

          3KB

          MD5

          5468d449ecdf0af9c55f42502df40653

          SHA1

          cc94076517626817056cba1644a693c49f728c9f

          SHA256

          b5f8857bbb2f852ecec34a89a4d60ee5e4c197cad2ebf0c3a90c5bf61cf0d169

          SHA512

          5e15b4602a2673641efae13a6626d4a040537eb26c3e1c0db4324a6a28631296c44a655c871e34789d3b44603934b8e90ca0b072bf03e925643a9a07a4d79e95

          Download Submit

        • memory/852-5-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

          Filesize

          8KB

          Download

        • memory/852-6-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/852-0-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

          Filesize

          8KB

          Download

        • memory/852-4-0x000000001BBF0000-0x000000001BCA2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/852-1-0x00000000000C0000-0x00000000003E4000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/852-3-0x000000001BAE0000-0x000000001BB30000-memory.dmp

          Filesize

          320KB

          Download

        • memory/852-2-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3556-45-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-46-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-47-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-44-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-43-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-48-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-49-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-42-0x000000000AC20000-0x000000000AC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-40-0x0000000008200000-0x0000000008210000-memory.dmp

          Filesize

          64KB

          Download