Overview

overview

10

Static

static

1

kreo q zi.7z

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    101s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05-11-2024 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kreo q zi.7z

  • Size

    922KB

  • MD5

    ec516db688f94e98d5141f4bade557e9

  • SHA1

    198ffbae5eed415ac673f5e371774759f1a53de1

  • SHA256

    282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

  • SHA512

    ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985

  • SSDEEP

    24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score
10/10
quasaroffice04credential_accessdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3896
  • C:\Users\Admin\Desktop\kreo q zi.exe
    "C:\Users\Admin\Desktop\kreo q zi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1312
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2620
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
    1⤵
      PID:3740
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3792
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
      1⤵
        PID:3976

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\kreo q zi.exe.log
        Filesize

        1KB

        MD5

        b08c36ce99a5ed11891ef6fc6d8647e9

        SHA1

        db95af417857221948eb1882e60f98ab2914bf1d

        SHA256

        cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

        SHA512

        07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\6WDMJTTR\microsoft.windows[1].xml
        Filesize

        96B

        MD5

        510682a0e6687b6d54275f553d3c7fc7

        SHA1

        06b4273c0e0a1c93b9e4e6b6e482574428894012

        SHA256

        09c4bf5426c842bf5804e42d6d92e90cef0f3d31f91be88afc670da9ee258c9b

        SHA512

        68a1a607281bca86d174dde820ea4d7ed508984a26f52cf3ac2e739959c1b967e16d4e34f87c8a66eeced4590e97e16ab6ac7fdec5f7d5e2f450f7c4ac39dd06

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{880d1a64-e52c-4fdb-81ae-f227ae678942}\0.0.filtertrie.intermediate.txt
        Filesize

        1KB

        MD5

        8609241ac301971b563b8864447f5fbc

        SHA1

        81b1e9382f7012f2441efcec40a5aabf46f34397

        SHA256

        94d0c4ea1f705b557a8dd983931ecab83f4d19e691669f2723781d406d38a282

        SHA512

        e536d2ae24ee17df34e28bcd1220f20901ec9b19a6f69b0c87f82a6535c813737681496927d9bea0b90e33b7c8236c77790a55d9a8514f5084ed3ad16d71c554

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9967729c-d060-4841-bb54-1575af848f23}\Apps.ft
        Filesize

        1KB

        MD5

        6c78adbcc2f3ba7a2ad306983176414c

        SHA1

        484787d9aef671594b4d91b6c7d2d5c215f46260

        SHA256

        8f2abe81c4d834b96b5e39b504949cd04aef23e290309b413f501b396efd381a

        SHA512

        69bb126822ee7008d30135f7c216bf364e8e70ec5ca09cff58671d3c29081f467719bedb172cc14962aeeef22c34fb7e4c4a6aed26c26691a4cfef3816138c69

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9967729c-d060-4841-bb54-1575af848f23}\Apps.index
        Filesize

        879KB

        MD5

        5e4ec42046e35b20c1b8d97c17926572

        SHA1

        d0f371a97b676240bd90f9fa1a0b14f97f9b1016

        SHA256

        6a8c0c8cc58a866d0b874926f0ff1e2034a60bb18a2c584dd7f100be49c0febc

        SHA512

        d8bc115f3e0632aa6df6d1ca949e53a5724eff26c9d42d90686df0aea777a00b6c3d1738adf7807c7c752f5f702c4bce1bee158d1f9e765a0148c960ea0113af

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9f102956-34bd-4382-a24d-5d29a5559733}\apps.csg
        Filesize

        444B

        MD5

        5475132f1c603298967f332dc9ffb864

        SHA1

        4749174f29f34c7d75979c25f31d79774a49ea46

        SHA256

        0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

        SHA512

        54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9f102956-34bd-4382-a24d-5d29a5559733}\apps.schema
        Filesize

        150B

        MD5

        1659677c45c49a78f33551da43494005

        SHA1

        ae588ef3c9ea7839be032ab4323e04bc260d9387

        SHA256

        5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

        SHA512

        740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9f102956-34bd-4382-a24d-5d29a5559733}\appsconversions.txt
        Filesize

        1.4MB

        MD5

        2bef0e21ceb249ffb5f123c1e5bd0292

        SHA1

        86877a464a0739114e45242b9d427e368ebcc02c

        SHA256

        8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

        SHA512

        f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9f102956-34bd-4382-a24d-5d29a5559733}\appsglobals.txt
        Filesize

        343KB

        MD5

        931b27b3ec2c5e9f29439fba87ec0dc9

        SHA1

        dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

        SHA256

        541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

        SHA512

        4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9f102956-34bd-4382-a24d-5d29a5559733}\appssynonyms.txt
        Filesize

        237KB

        MD5

        06a69ad411292eca66697dc17898e653

        SHA1

        fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

        SHA256

        2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

        SHA512

        ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{bc51d102-b46e-490f-9269-8ae21b5afeb4}\0.1.filtertrie.intermediate.txt
        Filesize

        5B

        MD5

        34bd1dfb9f72cf4f86e6df6da0a9e49a

        SHA1

        5f96d66f33c81c0b10df2128d3860e3cb7e89563

        SHA256

        8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

        SHA512

        e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{bc51d102-b46e-490f-9269-8ae21b5afeb4}\0.2.filtertrie.intermediate.txt
        Filesize

        5B

        MD5

        c204e9faaf8565ad333828beff2d786e

        SHA1

        7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

        SHA256

        d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

        SHA512

        e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133752394532520695.txt
        Filesize

        3KB

        MD5

        6c7c5879f1c75b60ca6fe7048fdf88b6

        SHA1

        e3faf0e19132003dfc8617a40933f760ec6b64c4

        SHA256

        5391afca6e19b795f4790c36b762d967859b8dcab7f34f40cd3e9d02fb8ab74c

        SHA512

        23a865f4b8d9b04b85d85c7e81a24ca6e28b12ad74acc9256ac564b437adeb0c64cb5fdfc723dde91f38a6c9363e63350791eba9d9217d67b9b387ea8ec209bb

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt
        Filesize

        689KB

        MD5

        2dee0ab82c5db228dee2de2fe0d82eb3

        SHA1

        c6231ad00bd775537fb422a86bfe2b5754e9b91d

        SHA256

        0e01a47917642eac553b6d0feb6e97b398f7af84c5ffc74ba35ca66d7a341d39

        SHA512

        c46ae09aab1f240ba384044ef46240a4cb02b6144b0403d690ff7ddcf79acc67da345c98254ef5436a4008fb419c889af43489fedf86e8ba822128365f30763f

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
        Filesize

        2KB

        MD5

        0f69621520866a4f046a8ed41f3264d5

        SHA1

        3b79ea902932267e0afe0675a39c8624b2443b9f

        SHA256

        c1e5abd32fbe69bf9ba6040e3b8b2a35d880b081e9a4379ad9a17b2593bb2235

        SHA512

        c2a0fe7913ec108d91e6aec59a653a98cfa0f278bef40cdde01d07d10f4f3932014353a73aa7d1691631c0279057124b93adae94eaa6023ac3c40da6c1b1acf5

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
        Filesize

        2KB

        MD5

        830269b9352f3e006f3c147cfe40363b

        SHA1

        51dacacd6708e6f3d57d0a4d8708700e872a5586

        SHA256

        9f1aeda8a2ded2bacbcca409c6e74b05838be13ce092fb4adbc8c3e2f8e17f9a

        SHA512

        a80fadf472222dff3d4d52cc74826280cc878c22d4e79fe988ad02670a60525a3bc3e6629bff5c73c0dc1856591a785e4e65bcb5ec7216b886c799bb165904e0

        Download Submit

      • C:\Users\Admin\Desktop\kreo q zi.exe
        Filesize

        3.1MB

        MD5

        28ac02fc40c8f1c2a8989ee3c09a1372

        SHA1

        b182758b62a1482142c0fce4be78c786e08b7025

        SHA256

        0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

        SHA512

        2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

        Download Submit

      • memory/760-9-0x00007FFA53190000-0x00007FFA53C52000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/760-6-0x00007FFA53190000-0x00007FFA53C52000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/760-5-0x0000000000E90000-0x00000000011B4000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/760-4-0x00007FFA53193000-0x00007FFA53195000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1020-76-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-61-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-66-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-70-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-71-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-73-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-72-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-69-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-75-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-74-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-77-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-79-0x000001A7EA450000-0x000001A7EA451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-78-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-81-0x000001A7EA560000-0x000001A7EA561000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-80-0x000001A7EA450000-0x000001A7EA451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-83-0x000001A7EA4C0000-0x000001A7EA4C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-82-0x000001A7EA4C0000-0x000001A7EA4C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-34-0x000001A7E2140000-0x000001A7E2150000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1020-18-0x000001A7E2040000-0x000001A7E2050000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1020-53-0x000001A7E19E0000-0x000001A7E19E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-55-0x000001A7EA410000-0x000001A7EA411000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-58-0x000001A7EA420000-0x000001A7EA421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-57-0x000001A7EA410000-0x000001A7EA411000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-67-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-65-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-62-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-63-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-64-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-68-0x000001A7EA440000-0x000001A7EA441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-60-0x000001A7EA420000-0x000001A7EA421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1020-59-0x000001A7EA420000-0x000001A7EA421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3356-15-0x000000001CD20000-0x000000001CD5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3356-14-0x000000001C1C0000-0x000000001C1D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3356-11-0x000000001C220000-0x000000001C2D2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/3356-10-0x000000001AFD0000-0x000000001B020000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3792-123-0x0000024716740000-0x0000024716760000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3792-101-0x0000024716720000-0x0000024716740000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3792-122-0x00000247169E0000-0x0000024716A00000-memory.dmp

        Filesize

        128KB

        Download