quasar | 3b3900adf2232fb5a995c9f6884feededfbe4a862a076ac3af936e4b5a858887

Analysis

max time kernel
96s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

96dbf079644fad007ddee4a898bdb096
SHA1

3eec62ed768ce4a1181f00a0dd6cca3564e1f9f1
SHA256

3b3900adf2232fb5a995c9f6884feededfbe4a862a076ac3af936e4b5a858887
SHA512

356a13c7ab5bb02ee79a2ff9525f0f8ca832302fba37cf140af8264d31933a00745b59d7f742a42ef0576964f6e112580430996ac068f63c4112907c69471385
SSDEEP

49152:KvDI22SsaNYfdPBldt698dBcjHEpSu1J/goGdXTHHB72eh2NT:Kv822SsaNYfdPBldt6+dBcjHEpSJ

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.102:4782

Mutex

a84f48f3-00c9-414a-a093-49d616e432d3

Attributes

encryption_key
D440572F816847D4B5AD6EAA65627B5DFFF00151
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/308-1-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016c80-6.dat	family_quasar
behavioral1/memory/2848-9-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
2848	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38A8ABC1-990F-11EF-BD4E-7E1302FB0A39} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000008832d838f7eb2dda862a3aa4ef734926e36693c72f4c9fcaf0cb94bdb76ca56f000000000e800000000200002000000026c4a1616382498771a859ca1fb088c51fdfb263d2dcf948a4a2700210b35bc020000000466f64bada32008598837b52ecdf281a24e7fb3a69d8a6d1ed479cfab7d695354000000049d9638b5b961d60f6e3cbb7b39da693ada2975b14965a11b2db7020e28de1372e85972d1b445bdd885e74b44eeb32d864678a930c12e61f2b0219b1f1ec9b65	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf00000000020000000000106600000001000020000000a59151770abfa070c67c4e9633e26914fe6ea76966a0f9f1f05fdf4cb4039a5e000000000e80000000020000200000007a73a5e69999ba53f13038cd6033f37796b08a2ee147408a939718149dbb9e9f900000002c7e773385998d518e93f74761a20f56172740057f77829b175d530bf3843a6dc2a6e5108b12f41b6425f0a0a98dc32b6e15936b23c24815a8eab63a81e1c7f8b13b2fbbe7d67525b15921cd3f72b6f1c40cda7aa6d1580e7a0acb0a8508e013a8416e31bed6142cb5bd0ab675a3c1cc2b6746b921e23fff03ed57626dbb9cfe441646d70388793453d84a405db364544000000028af6232ef1d043671e5620531c82ddf12006c221a219cf243b66fdc8808e66600f68b1cd60fdd42493a9e5dad5150de4f908485a9cfe5298a4645dc0ce3898c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b076000d1c2ddb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2744	schtasks.exe
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
2400	chrome.exe
2400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	308	Client-built.exe
Token: SeDebugPrivilege	2848	Client.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

IEXPLORE.EXEchrome.exe

pid	Process
2980	IEXPLORE.EXE
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Client.exeIEXPLORE.EXEIEXPLORE.EXE

pid	Process
2848	Client.exe
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exeMSOXMLED.EXEiexplore.exeIEXPLORE.EXEchrome.exe

description	pid	Process	procid_target
PID 308 wrote to memory of 2744	308	Client-built.exe	30
PID 308 wrote to memory of 2744	308	Client-built.exe	30
PID 308 wrote to memory of 2744	308	Client-built.exe	30
PID 308 wrote to memory of 2848	308	Client-built.exe	32
PID 308 wrote to memory of 2848	308	Client-built.exe	32
PID 308 wrote to memory of 2848	308	Client-built.exe	32
PID 2848 wrote to memory of 2752	2848	Client.exe	33
PID 2848 wrote to memory of 2752	2848	Client.exe	33
PID 2848 wrote to memory of 2752	2848	Client.exe	33
PID 1796 wrote to memory of 1908	1796	MSOXMLED.EXE	38
PID 1796 wrote to memory of 1908	1796	MSOXMLED.EXE	38
PID 1796 wrote to memory of 1908	1796	MSOXMLED.EXE	38
PID 1796 wrote to memory of 1908	1796	MSOXMLED.EXE	38
PID 1908 wrote to memory of 2980	1908	iexplore.exe	39
PID 1908 wrote to memory of 2980	1908	iexplore.exe	39
PID 1908 wrote to memory of 2980	1908	iexplore.exe	39
PID 1908 wrote to memory of 2980	1908	iexplore.exe	39
PID 2980 wrote to memory of 1844	2980	IEXPLORE.EXE	40
PID 2980 wrote to memory of 1844	2980	IEXPLORE.EXE	40
PID 2980 wrote to memory of 1844	2980	IEXPLORE.EXE	40
PID 2980 wrote to memory of 1844	2980	IEXPLORE.EXE	40
PID 2400 wrote to memory of 996	2400	chrome.exe	44
PID 2400 wrote to memory of 996	2400	chrome.exe	44
PID 2400 wrote to memory of 996	2400	chrome.exe	44
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2220	2400	chrome.exe	46
PID 2400 wrote to memory of 2868	2400	chrome.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2744
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2752

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1004

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\FindMount.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2169758,0x7fef2169768,0x7fef2169778
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:2
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1420 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1488 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:2
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1348 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 --field-trial-handle=980,i,1853075445447588839,6242674206022391684,131072 /prefetch:8
  2⤵
  PID:2204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7faa074ede5f5b955a857e27918de185

SHA1
698ad703f7801009b0db4a64657c3aaf772df767

SHA256
0b2a95119792cd451fd517e43759803142e16840fa0b49e915e2a7c161cbd3b7

SHA512
8c3491daa0688ffea640072592a4c85164ae9687e204494aae4de58d3e1dd535697d5f22a23d0f684620fc31f007a72a3f7b15af02ee07cc4695e17c58183452

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e497d018e3251a7df19f33822e1f964e

SHA1
d3f9941384360d3b596c58485c3075dd8ac32560

SHA256
b15a481ce6bf638dddf0a37d9072340cc0270d991c3ad004d7f54c009dc87fe3

SHA512
8f550712d51e0c4f14bdff6b53c6ca22ff33ec4c75d625c2a1dc786f62406d3eff1d69905f38aa1dcd0486e2231bc8530735b07bd09bf69d5c12f85d32c58feb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44d04e0933786c1250d6a4aa3fc6d3f0

SHA1
0c0136cdd2d779ece6e3a929ac244c2600ade171

SHA256
6fbeb79b6b937fe44afd4e11edb992e4bf994d2f411da42aec3f0d9f7c76f5a5

SHA512
69c4b461a70766e1b3d46d477cc44ef1827a5d7be10c1d32d762681e80af1f9ed15dfedd8674afaf29d97eb4ea7b0369a0dc762c0d33302b6a69c3e39dbbfcf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04852419566866a93266e3265dbb3de4

SHA1
586bb13e5d4fa33d2be215fe7c1ff6040cf1e9df

SHA256
610d5662556f2c25a9fe6d77a2c707511b9cdd9e2949b4513c2cacab48daea0d

SHA512
df47ba5444cf74aa542935cc5f7fc7c08bc79e8fceb25099e0ca471b737e1c0b32525cf9b4d4e54cc278587f0c146dc12ee72721de5abffa1de8125e62868e01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0011042da35ade58a74522e6577ba9c

SHA1
ed4ff0e323eedcd3685838a66862877080031b03

SHA256
474814b6be22141cd8501d28a6d4ced5fba56d9401b40f8aedd42203576894ed

SHA512
7a1fd0cd9c893d9cb5df2937bd9e147960083e23a099fc0253cc070bab880474fb18f7e97e7aab21c92940929e3a55f69f6d7b615893efe699bc1022ba6194ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed31690454528cee7df1b341e54c58af

SHA1
f515e8158ec9cea9e44604bb6e7e22b903e99321

SHA256
6ec9db8c054df8c9fd892923f355a023946f8c3761ff92e8f84471b067113e4e

SHA512
0d23b8356febe79c66160869fd598d2905807fb47e0e1bb574a1de412ad12c3139a6060053bde0572a7140da35b75febea8fd334adb1931cd51f9099c1ccc445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efea8f96ca33ae12772a520adfdf8012

SHA1
697d7c3d02f505d87b7b4d66ecf7cd4c4a22e484

SHA256
c1fc5f4bf5a896a087ca2ec4300c78eae17f472efb313435e5f2c28a6bb3aca8

SHA512
cb9c0a50b341fdc109a2fcfb05858ebfdba7e468e392474a1c0cd7cc03157ff502919636a18624bf38a0404f81fa4899af82414b7049508abd3ee5de3f9a14be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed773bf6d9db053c8fa97610a8823e56

SHA1
b34b63717398127778ceea522f9f07284dc749dd

SHA256
3633e77065c773926c5be95eb4cfb06ee5445b1e9b791f34ecee72a93745018c

SHA512
3207bb9f69560822cb308c746537d47ea5383617a86cbe671dec1dd3d8fb608ad20b1e92b159c90be1cec0420da3bc1197bbcd47ecbf3a0d5fda2115d9c75254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1593920031a58bf280bd33c8e00a0ac

SHA1
fc335261284142a749594b7bbf4ef36a12cfc4b0

SHA256
4641e91085119be455e1f383902c511e0a28642b7675f66db285547d9afcecd0

SHA512
bdf9e6ac6891b9589454d8b4690386a4d3b694ce2b14bc1dea4f0f121315e8d2032d3581b3ecdc46c76a8ff66ceeb162246c45d9153dd1bd0f4d5c7badf7f96d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
694716aaf4009064a0e6390736e3ce6c

SHA1
1cee26a814538debc60d496cd9c186283e320c93

SHA256
49ecae61596bceb1b877f1b4c3f06c99d8166c7348e32a3cb1fe1392ba60a3a1

SHA512
44ac6316efe50f365442c82ceac478f5eac74c8463e4fd5bc9bc45223834e5ebf31f6bce079661f64a80ab7911ddabfaf859c8c7ab8579088d8f0b1f9c3293ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d4ebed79c83a0e9abdacb41db36c8dbf

SHA1
85600a3ec8c5116577b7be450b991335a2cc3a68

SHA256
7cc829be89d1d59f301ae5a89d2ab36b9a45547f1da064b373c172490480ba0a

SHA512
37b4f36a08786a83d15f4a4cbf5075721a77a15d9adbddba719f3b621d4005fe41598e71918d5927bd76a893410b5d44de30ac19ed2a561b8b2de5312f3b7ea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
055a5d819d530849d09f57c71505876f

SHA1
0d48bccf3260233dfb057210fab5291ade08dcf9

SHA256
bb87086635494f758dbaef6de248b0788d232b13c9501466969924b3157b6bab

SHA512
7b486142a9901c561b74304120db5b6e29ccd1f567b8931ffc0270d0945f3054a1a9988e67556d4ca8c59f84f353f5843d34f103bd35ccc83f8eff23dbc54f60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA2B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDADB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
96dbf079644fad007ddee4a898bdb096

SHA1
3eec62ed768ce4a1181f00a0dd6cca3564e1f9f1

SHA256
3b3900adf2232fb5a995c9f6884feededfbe4a862a076ac3af936e4b5a858887

SHA512
356a13c7ab5bb02ee79a2ff9525f0f8ca832302fba37cf140af8264d31933a00745b59d7f742a42ef0576964f6e112580430996ac068f63c4112907c69471385

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/308-8-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/308-2-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/308-1-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/308-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-9-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/2848-11-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-12-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download