Analysis Overview
SHA256
1db4785c2e4ffdbc8a18149d6da1ae157cb234e1837e5aae5de5db799825b0fe
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Enumerates connected drives
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 19:07
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 19:07
Reported
2024-10-27 19:10
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
140s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3556 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 3556 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 3556 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 2684 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
| PID 2684 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
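A point worth making explicit before reading the process list: the only rows whose Process column is Client-built.exe are SeDebugPrivilege, FindShellTrayWindow and SendNotifyMessage. The Drops file, Program crash and WriteProcessMemory rows name svchost.exe, WerFault.exe, wmplayer.exe and unregmp2.exe as the acting process, and the WriteProcessMemory rows identify PID 3556 as wmplayer.exe, the same PID the WerFault.exe command lines below report crashing. The Python below, an added example that is not part of the sandbox report and not Quasar code, attributes each hit to its process and collapses the duplicated WriteProcessMemory rows into a writer-to-target chain. ROWS is a constructed excerpt of the report's own rows (signature names and image paths as printed there); the helper names are my own.

```python
"""Triage helper: attribute sandbox signature hits to the process that fired
them and de-duplicate WriteProcessMemory rows into an injection chain.
Added example, not from the sandbox report or the Quasar project."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
WMP = r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
UNREG32 = r"C:\Windows\SysWOW64\unregmp2.exe"
UNREG64 = r"C:\Windows\system32\unregmp2.exe"

# Constructed excerpt of the report's rows: (signature, description, process, target).
# The repeated WriteProcessMemory rows are kept on purpose, as the report prints them.
ROWS = [
    ("Drops file in Windows directory", "File created",
     r"C:\Windows\system32\svchost.exe", "N/A"),
    ("Program crash", "N/A", r"C:\Windows\SysWOW64\WerFault.exe", WMP),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", SAMPLE, "N/A"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeShutdownPrivilege", WMP, "N/A"),
    ("Suspicious use of FindShellTrayWindow", "N/A", SAMPLE, "N/A"),
    ("Suspicious use of FindShellTrayWindow", "N/A", WMP, "N/A"),
    ("Suspicious use of SendNotifyMessage", "N/A", SAMPLE, "N/A"),
    ("Suspicious use of WriteProcessMemory", "PID 3556 wrote to memory of 2684", WMP, UNREG32),
    ("Suspicious use of WriteProcessMemory", "PID 3556 wrote to memory of 2684", WMP, UNREG32),
    ("Suspicious use of WriteProcessMemory", "PID 3556 wrote to memory of 2684", WMP, UNREG32),
    ("Suspicious use of WriteProcessMemory", "PID 2684 wrote to memory of 1796", UNREG32, UNREG64),
    ("Suspicious use of WriteProcessMemory", "PID 2684 wrote to memory of 1796", UNREG32, UNREG64),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def hits_by_process(rows):
    """Map each process image to the sorted list of signatures it fired."""
    out = defaultdict(set)
    for sig, _desc, proc, _target in rows:
        out[proc].add(sig)
    return {proc: sorted(sigs) for proc, sigs in out.items()}


def sample_only_hits(rows, sample=SAMPLE):
    """Signatures whose Process column is the submitted sample itself.
    A hit whose process is another image fired in that image, not in the
    sample, and needs its own explanation before being credited to it."""
    return sorted({sig for sig, _d, proc, _t in rows if proc == sample})


def injection_chain(rows):
    """Collapse repeated WriteProcessMemory rows into distinct
    (writer_pid, target_pid) -> (writer_image, target_image) edges."""
    edges = {}
    for sig, desc, proc, target in rows:
        if sig != "Suspicious use of WriteProcessMemory":
            continue
        m = WPM_RE.fullmatch(desc)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] = (proc, target)
    return edges


def writers(edges):
    """Images that wrote into another process: the quick answer to
    'did the sample itself inject anywhere?'"""
    return {src_img for src_img, _dst_img in edges.values()}


if __name__ == "__main__":
    for proc, sigs in hits_by_process(ROWS).items():
        print(proc, "->", ", ".join(sigs))
    print("sample-only hits:", sample_only_hits(ROWS))
    for (src, dst), (src_img, dst_img) in injection_chain(ROWS).items():
        print(f"PID {src} ({src_img}) wrote into PID {dst} ({dst_img})")
```

Run on the full report the same way: anything in `sample_only_hits` is what the sample did under its own PID; the WriteProcessMemory chain here runs wmplayer.exe to the 32-bit unregmp2.exe to the 64-bit one, with the sample appearing nowhere in `writers`.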
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressInvoke.cmd" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressInvoke.cmd" "
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3556 -ip 3556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 3000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
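The network table is the place to look for a Quasar C2 address: 4782 is Quasar's default server port, and in this detonation every TCP attempt to it goes to 127.0.0.1, so there is no routable C2 indicator to extract, only the fact that the client was built with a loopback host. The Python below is an added example, not part of the sandbox report or of Quasar; it parses rows in the pipe-delimited form this export uses, tolerating rows where the protocol lands in the Domain column or a trailing cell is missing, separates DNS lookups from TCP connection attempts, and flags attempts on the default port with the scope of the target address. NETWORK_TABLE is a constructed excerpt of the rows above; QUASAR_DEFAULT_PORT and the helper names are mine.

```python
"""Parse a sandbox Network table and pull out Quasar C2 connection attempts.
Added example, not from the sandbox report or the Quasar project."""
from collections import Counter
from ipaddress import ip_address

QUASAR_DEFAULT_PORT = 4782  # Quasar server's default listening port

# Constructed excerpt of the report's table. The rows with the protocol in the
# Domain column and the final row with a missing cell mirror how this export
# sometimes renders loopback connections.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:4782 | tcp |
"""


def parse_rows(table):
    """Return a list of (country, host, port, domain, proto) per data row."""
    rows = []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Country":  # header row
            continue
        cells += [""] * (4 - len(cells))  # pad a row missing its last cell
        country, dest, domain, proto = cells[:4]
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain  # protocol slid into the Domain column
        host, _, port = dest.rpartition(":")
        rows.append((country, host, int(port), domain or None, proto))
    return rows


def tcp_connections(rows):
    """Counter of (host, port) for TCP rows only; DNS lookups are dropped."""
    return Counter((h, p) for _c, h, p, _d, proto in rows if proto == "tcp")


def address_scope(host):
    """loopback / private / routable for an IP literal, hostname otherwise."""
    try:
        addr = ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "routable"


def quasar_indicators(rows, port=QUASAR_DEFAULT_PORT):
    """TCP attempts on the Quasar default port, with attempt count and
    address scope. Only 'routable' entries are worth turning into a
    network block; loopback means the client was built against localhost."""
    return [
        {"host": host, "port": p, "attempts": n, "scope": address_scope(host)}
        for (host, p), n in tcp_connections(rows).items()
        if p == port
    ]


if __name__ == "__main__":
    parsed = parse_rows(NETWORK_TABLE)
    for (host, port), n in sorted(tcp_connections(parsed).items()):
        print(f"{host}:{port}  x{n}")
    for f in quasar_indicators(parsed):
        print("Quasar default port:", f)
```

Because the port is a parameter, the same check works for a client rebuilt on a non-default port once that port is known from the sample's configuration; the table alone cannot tell a non-default Quasar port from unrelated traffic.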
Files
memory/852-0-0x00007FFD82373000-0x00007FFD82375000-memory.dmp
memory/852-1-0x00000000000C0000-0x00000000003E4000-memory.dmp
memory/852-2-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp
memory/852-3-0x000000001BAE0000-0x000000001BB30000-memory.dmp
memory/852-4-0x000000001BBF0000-0x000000001BCA2000-memory.dmp
memory/852-5-0x00007FFD82373000-0x00007FFD82375000-memory.dmp
memory/852-6-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
| MD5 | 90be2701c8112bebc6bd58a7de19846e |
| SHA1 | a95be407036982392e2e684fb9ff6602ecad6f1e |
| SHA256 | 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf |
| SHA512 | d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | c374c25875887db7d072033f817b6ce1 |
| SHA1 | 3a6d10268f30e42f973dadf044dba7497e05cdaf |
| SHA256 | 05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6 |
| SHA512 | 6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d |
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 304041feb81f29c21aee85dc1cba8035 |
| SHA1 | c922b032044ab9ba768699f809afbd66e375c55c |
| SHA256 | 7333c9d3bc46d6dd6d5a89e66fd2b634c0a527b80e6ea9f82107a118719b079f |
| SHA512 | f9fc92f81d3325387822e0ddefa3f90a1d30e651a683a31bfd6b75083c5fc1c27a80e45658ee32c4884f9abb919de7eef7ff0629568bf15d0fd4ac82e8ffa34b |
memory/3556-40-0x0000000008200000-0x0000000008210000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 182d447ba593045192ec7240d68be1cc |
| SHA1 | 68d6fee11bad59754fbc82ae722a56896d86889c |
| SHA256 | fc9e3aa54f926926239aa945040956ecc3f119b895749462f357820a0d3776ad |
| SHA512 | 1a80f1fbf6b1b0d6003059cae6c27648c0279681c4e5581b7a1c1465704ac74e7acffdde2ed5b34553513940642f4eda3c9b81eaf7c98d04c5826f061310a2c1 |
memory/3556-42-0x000000000AC20000-0x000000000AC30000-memory.dmp
memory/3556-45-0x000000000AC20000-0x000000000AC30000-memory.dmp
memory/3556-46-0x000000000AC20000-0x000000000AC30000-memory.dmp
memory/3556-47-0x000000000AC20000-0x000000000AC30000-memory.dmp
memory/3556-44-0x000000000AC20000-0x000000000AC30000-memory.dmp
memory/3556-43-0x000000000AC20000-0x000000000AC30000-memory.dmp
memory/3556-48-0x000000000AC20000-0x000000000AC30000-memory.dmp
memory/3556-49-0x000000000AC20000-0x000000000AC30000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | fb77fade2ec9d8fb2f80911be1027cd0 |
| SHA1 | 85a01813faedaed649443c1cea9ddca86ce935c6 |
| SHA256 | 1a7b6bc23652f74388240d1739e1c79947378ea90342a6ca9d68d3dfd1b1dd00 |
| SHA512 | 991f852e3b15aca80118a69cce0a77046d8850c8b81e342e79808895e5285d148203b13c3d3e2471a0e1f6652093e4cfbf7db6775ae7fe0c6b65b497535f8f7e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | 5468d449ecdf0af9c55f42502df40653 |
| SHA1 | cc94076517626817056cba1644a693c49f728c9f |
| SHA256 | b5f8857bbb2f852ecec34a89a4d60ee5e4c197cad2ebf0c3a90c5bf61cf0d169 |
| SHA512 | 5e15b4602a2673641efae13a6626d4a040537eb26c3e1c0db4324a6a28631296c44a655c871e34789d3b44603934b8e90ca0b072bf03e925643a9a07a4d79e95 |