Analysis Overview
SHA256: 0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0
Threat Level: Known bad
The file Roblox exploit 2024.7z was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in Program Files directory
Enumerates physical storage devices
Browser Information Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-04 06:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-04 06:48
Reported: 2024-11-04 06:50
Platform: win10ltsc2021-20241023-en
Max time kernel: 85s
Max time network: 83s
Signatures
Quasar RAT
Quasar family
Quasar payload
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\ | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5032 wrote to memory of 2108 | N/A | C:\Users\Admin\Desktop\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 5032 wrote to memory of 2108 | N/A | C:\Users\Admin\Desktop\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 5032 wrote to memory of 4656 | N/A | C:\Users\Admin\Desktop\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 5032 wrote to memory of 4656 | N/A | C:\Users\Admin\Desktop\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 4656 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4656 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"
C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 186.244.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Inversin-43597.portmap.host | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Client-built.exe
| MD5 | f5b93af3ee1b64dacd2bac9ba4af9b27 |
| SHA1 | 1f2a038199a71a2b917dca4dff2f5fac5e840978 |
| SHA256 | 48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01 |
| SHA512 | 83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
| MD5 | b08c36ce99a5ed11891ef6fc6d8647e9 |
| SHA1 | db95af417857221948eb1882e60f98ab2914bf1d |
| SHA256 | cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674 |
| SHA512 | 07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea |