Malware Analysis Report

2025-01-18 04:08

Sample ID 241104-fagx1swqbr
Target Roblox exploit 2024.7z
SHA256 0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0

Threat Level: Known bad

The file Roblox exploit 2024.7z was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar RAT

Quasar payload

Quasar family

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 04:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 04:39

Reported

2024-11-04 04:43

Platform

win10ltsc2021-20241023-en

Max time kernel

76s

Max time network

168s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"

C:\Users\Admin\Desktop\Client-built.exe

"C:\Users\Admin\Desktop\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\AddTest.rm"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:17410 /prefetch:2

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\CheckpointEdit.inf

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:148482 /prefetch:2

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\ConfirmRevoke.xsl

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\ConfirmTrace.dotm"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ConvertFromExit.css

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:17410 /prefetch:2

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\EditSend.wmf"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ExitUnblock.rm"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\AppData\Roaming\ImportDisable.xltm"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\InstallMount.mhtml

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffc43f746f8,0x7ffc43f74708,0x7ffc43f74718

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,9908901234595581444,4367690020873171540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,9908901234595581444,4367690020873171540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,9908901234595581444,4367690020873171540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.61.93:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 Inversin-43597.portmap.host udp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 246.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\Client-built.exe

MD5 f5b93af3ee1b64dacd2bac9ba4af9b27
SHA1 1f2a038199a71a2b917dca4dff2f5fac5e840978
SHA256 48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
SHA512 83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302

memory/4328-4-0x00007FFC49553000-0x00007FFC49555000-memory.dmp

memory/4328-5-0x0000000000410000-0x0000000000734000-memory.dmp

memory/4328-6-0x00007FFC49550000-0x00007FFC4A012000-memory.dmp

memory/4328-9-0x00007FFC49550000-0x00007FFC4A012000-memory.dmp

memory/3644-10-0x000000001D110000-0x000000001D160000-memory.dmp

memory/3644-11-0x000000001D220000-0x000000001D2D2000-memory.dmp

memory/3644-14-0x000000001D160000-0x000000001D172000-memory.dmp

memory/3644-15-0x000000001D1C0000-0x000000001D1FC000-memory.dmp

memory/4920-22-0x00007FFC4A740000-0x00007FFC4A774000-memory.dmp

memory/4920-21-0x00007FF69C970000-0x00007FF69CA68000-memory.dmp

memory/4920-29-0x00007FFC43AA0000-0x00007FFC43ABD000-memory.dmp

memory/4920-31-0x00007FFC43810000-0x00007FFC43A1B000-memory.dmp

memory/4920-30-0x00007FFC43A80000-0x00007FFC43A91000-memory.dmp

memory/4920-28-0x00007FFC43AC0000-0x00007FFC43AD1000-memory.dmp

memory/4920-27-0x00007FFC43AE0000-0x00007FFC43AF7000-memory.dmp

memory/4920-26-0x00007FFC43B00000-0x00007FFC43B11000-memory.dmp

memory/4920-25-0x00007FFC50060000-0x00007FFC50077000-memory.dmp

memory/4920-24-0x00007FFC51310000-0x00007FFC51328000-memory.dmp

memory/4920-23-0x00007FFC43B70000-0x00007FFC43E26000-memory.dmp

memory/4920-38-0x00007FFC417C0000-0x00007FFC417D1000-memory.dmp

memory/4920-36-0x00007FFC42D90000-0x00007FFC42DA1000-memory.dmp

memory/4920-35-0x00007FFC42E30000-0x00007FFC42E48000-memory.dmp

memory/4920-34-0x00007FFC42E50000-0x00007FFC42E71000-memory.dmp

memory/4920-37-0x00007FFC42D70000-0x00007FFC42D81000-memory.dmp

memory/4920-33-0x00007FFC42EF0000-0x00007FFC42F31000-memory.dmp

memory/4920-32-0x00007FFC3AA30000-0x00007FFC3BAE0000-memory.dmp

memory/4920-41-0x00007FFC43B70000-0x00007FFC43E26000-memory.dmp

memory/4920-50-0x00007FFC3AA30000-0x00007FFC3BAE0000-memory.dmp

memory/3452-58-0x00007FFC27E90000-0x00007FFC27EA0000-memory.dmp

memory/3452-59-0x00007FFC27E90000-0x00007FFC27EA0000-memory.dmp

memory/3452-60-0x00007FFC27E90000-0x00007FFC27EA0000-memory.dmp

memory/3452-57-0x00007FFC27E90000-0x00007FFC27EA0000-memory.dmp

memory/3452-61-0x00007FFC27E90000-0x00007FFC27EA0000-memory.dmp

memory/3452-62-0x00007FFC25BA0000-0x00007FFC25BB0000-memory.dmp

memory/3452-63-0x00007FFC25BA0000-0x00007FFC25BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{30F75644-9A67-11EF-8CBB-C6C8B2E6F645}.dat

MD5 d04164fee9cabcfada8e2dd0f0f638ed
SHA1 f0c2ddd394dfb2b79922d923a27a4eed32f50e17
SHA256 63da2f0ff20ad058afa4c7045b5b5998d59e8a0b2315c548b374d16851398010
SHA512 2a96cc1c1bcfaa610fa9b9efd0563c9c47863bfafd760dd9354bb34368543679d762568839096b850281069920576f5acaec2436057613b45518e92d19833475

memory/4920-79-0x00007FFC3AA30000-0x00007FFC3BAE0000-memory.dmp

memory/2804-90-0x00007FF69C970000-0x00007FF69CA68000-memory.dmp

memory/2804-93-0x00007FFC51310000-0x00007FFC51328000-memory.dmp

memory/2804-91-0x00007FFC4A740000-0x00007FFC4A774000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BEC75E29-4FE1-495B-B32C-81B0A1FC367A

MD5 f8db7f09426ecc00ce324eaeecb2dff3
SHA1 bd6b1a22699861d429c051cef88afc614470d604
SHA256 d7610320553579e0e6674873feb1aa37fc0108037ae48dc22a1e408915c5647f
SHA512 b42349aea2965dccb3ba427fa3bdb9c080029e3123d6d0d9a9492ff6ee580bb731021d9ef1bbc224a63d7992bd0da516d0077a01fc6d6ec81b0959d2a75ca1c8

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 557df060b24d910f788843324c70707a
SHA1 e5d15be40f23484b3d9b77c19658adcb6e1da45c
SHA256 83cb7d7b4f4a9b084202fef8723df5c5b78f2af1a60e5a4c25a8ed407b5bf53b
SHA512 78df1a48eed7d2d297aa87b41540d64a94f5aa356b9fc5c97b32ab4d58a8bc3ba02ce829aed27d693f7ab01d31d5f2052c3ebf0129f27dd164416ea65edc911c

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 946f3d332664c951e4220b6529c08cf4
SHA1 8cef2495aeb0b14c503c53fe51282e7bdfa487a1
SHA256 def03bbc743e3f1f8e1e7c235e05180fd3501857547d59eac77034bb17f54d16
SHA512 a6ed17d51b299c250d9b50385e5a0c7c35dc388062d3d448fd2d55a001928518fb18f84a38a692af85d8f4b40b5e3a767724a0060702c842ac0bf8f83f9a67bc

\??\pipe\LOCAL\crashpad_1104_RDRYUXZXVAVZBWUT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e