Analysis Overview
SHA256
f476d4a86bf9063ba1334eee663c9a45845ba503c8401dad9de284efa6e89e64
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 20:31
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 20:31
Reported
2024-10-29 20:32
Platform
win10ltsc2021-20241023-en
Max time kernel
55s
Max time network
56s
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSH7gzXyT47B.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WvN2oY4nVDK0.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DW82EvYB8Itz.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ej4kbkuWVhWg.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qTEvcthkMb6W.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1SMXZd5fmYL.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | testforum.ddns.net | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
C:\Users\Admin\AppData\Local\Temp\kSH7gzXyT47B.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
C:\Users\Admin\AppData\Local\Temp\WvN2oY4nVDK0.bat
C:\Users\Admin\AppData\Local\Temp\DW82EvYB8Itz.bat
C:\Users\Admin\AppData\Local\Temp\Ej4kbkuWVhWg.bat
C:\Users\Admin\AppData\Local\Temp\qTEvcthkMb6W.bat
C:\Users\Admin\AppData\Local\Temp\G1SMXZd5fmYL.bat