Malware Analysis Report

2025-01-18 04:07

Sample ID 241027-xsxvma1cja
Target Client-built.exe
SHA256 1db4785c2e4ffdbc8a18149d6da1ae157cb234e1837e5aae5de5db799825b0fe
Tags
office04 quasar discovery spyware trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar family

Quasar payload

Quasar RAT

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 19:07

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 19:07

Reported

2024-10-27 19:10

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressInvoke.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressInvoke.cmd" "

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3556 -ip 3556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 3000

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
N/A 127.0.0.1:4782 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:4782 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:4782 tcp

Files

memory/852-0-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

memory/852-1-0x00000000000C0000-0x00000000003E4000-memory.dmp

memory/852-2-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

memory/852-3-0x000000001BAE0000-0x000000001BB30000-memory.dmp

memory/852-4-0x000000001BBF0000-0x000000001BCA2000-memory.dmp

memory/852-5-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

memory/852-6-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

memory/3556-40-0x0000000008200000-0x0000000008210000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

memory/3556-42-0x000000000AC20000-0x000000000AC30000-memory.dmp

memory/3556-45-0x000000000AC20000-0x000000000AC30000-memory.dmp

memory/3556-46-0x000000000AC20000-0x000000000AC30000-memory.dmp

memory/3556-47-0x000000000AC20000-0x000000000AC30000-memory.dmp

memory/3556-44-0x000000000AC20000-0x000000000AC30000-memory.dmp

memory/3556-43-0x000000000AC20000-0x000000000AC30000-memory.dmp

memory/3556-48-0x000000000AC20000-0x000000000AC30000-memory.dmp

memory/3556-49-0x000000000AC20000-0x000000000AC30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
