Overview

overview

10

Static

static

10

Client-built.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    64s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    06-11-2024 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    cb71a47fda537f7593c9062363bd5492

  • SHA1

    ea96997da81ec7546e3c7da1601774f6a2aac3aa

  • SHA256

    decdc5bbdc75f4a698e444a98d3b75d67069e571f9fa47d7142f8370974a1445

  • SHA512

    e81198ceecb14a9380ac703404550b8d0b5b54f10e6ebac4dfe7405e39c71096a4598363a588f8d7eb4fa3aeb5bfa5b63c386a6c426f7d999a68daa902c69490

  • SSDEEP

    49152:nv+lL26AaNeWgPhlmVqvMQ7XSK8hRJ6ebR3LoGdOzyTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSK8hRJ6Y

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Ingrid78-20703.portmap.host:20703

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1284
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:236
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2312
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cboFGmxlyFxN.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:728
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4488
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5012
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3144
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1364
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\89sWsxv88Z6H.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4288
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4492
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4404
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:64
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3696
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u44pbNRQGugZ.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2988
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2648
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:3660
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4712
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4948
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SVQMUopy3N3M.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3844
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4472
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2384
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4628
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4984
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HpGITs0llIJP.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4556
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:3028
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:548
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:3256
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3048
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l653DCS5JDBF.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2076
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:1412
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:1580

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
                Filesize

                2KB

                MD5

                7787ce173dfface746f5a9cf5477883d

                SHA1

                4587d870e914785b3a8fb017fec0c0f1c7ec0004

                SHA256

                c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

                SHA512

                3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\89sWsxv88Z6H.bat
                Filesize

                207B

                MD5

                1e36aea6707a8bcd8606d053e387689c

                SHA1

                35418b4a35ea513d94ab0c8d06dcefae30917f2d

                SHA256

                3103bf4892220bc7457348c23f1c279c1a0f20ee19881ac1d0f00369fbd4cd87

                SHA512

                dbe41f9bb55c983ec2dfef3a2fb68efc3f340f5da2ff76b7684966b31f7265c74c8cc028833194a251026d1e9d7357724b09a6d4b9021a384386969e43da831c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\HpGITs0llIJP.bat
                Filesize

                207B

                MD5

                c577804b7705c92def579d369baf7bd6

                SHA1

                fddce8bfef8a8437d32815a22cf2669af3708c36

                SHA256

                1ae40f5d077e40276fb5d5360cd4b23b798dde62f08258a17936bf6962807358

                SHA512

                5f7708ddbfb1ae758343fd9a0ce6b34b44ad452383684188f282278954cd8d799b4234c02c358765d139c6676249e29ab312ce6479f32a4f67de1752748e523d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SVQMUopy3N3M.bat
                Filesize

                207B

                MD5

                8649d0bc3c08d2429e733ad93c656d69

                SHA1

                bc4a03eca54f2bcfd52deae630d366e2ad90b212

                SHA256

                2f7496bc6dda6c968e7b2a655788b58484efdb87200421b9861541481e181ef1

                SHA512

                50660a1c3697e3315d844a830db4440aa75d60a4554104219435309b36f42d2a8d88abaff4d3b54e7a2fefb7b6b4af2d85864c7255b2a1bc1ff6a8b07b7d4869

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\cboFGmxlyFxN.bat
                Filesize

                207B

                MD5

                8f7426e575e94404b0a0bf9908736dd0

                SHA1

                e3ece879d446a19312285db963ca5873a01de4e2

                SHA256

                c3e566b83d48d52c7cc747f3683a6b7dd057e46f204dc3f0f598ccc936ee47de

                SHA512

                e27ceeed8ff2b67f8df2dcdc4659b846be639f804e48867f88294bdbfee97572ab9318666cc2fcadf1547cc602dd9671d135c413ed13261b6a9c3430b7015642

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\l653DCS5JDBF.bat
                Filesize

                207B

                MD5

                d26736779790e4f0ff8b3285b300e4eb

                SHA1

                9ffbdff6b3ffef5adb1c84cf49b73a780fb523f8

                SHA256

                b9fa8ce7ae462ade90d5e686afe00d6b537e549fa2cfa530f88f63f26a1f1ec6

                SHA512

                59fc460f1e1ad0e1e5f432b178147afebfd77a92bbed516f9a05ae396b73c271241a18da6b663ef297b1232e80391057a589d7cc45fb72d50b166f6ae2342f30

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\u44pbNRQGugZ.bat
                Filesize

                207B

                MD5

                c26233232c11bbf73223c4c2cb8d20b3

                SHA1

                a2a439c747434f984775d660f6f64b47ed8d4b32

                SHA256

                5ea9eced618edeb8071e30312991b8020ec64a5fa267ef52d1397056c9edde43

                SHA512

                a09d1bd2aeaa4512bbe54df6eb1bc7517270bcdcc7def02d4255a832a6829ece2e42fd8edc7605970d82f91184ade1ab6e84cfc9ed73dd1018086f4048accd3b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                Filesize

                3.1MB

                MD5

                cb71a47fda537f7593c9062363bd5492

                SHA1

                ea96997da81ec7546e3c7da1601774f6a2aac3aa

                SHA256

                decdc5bbdc75f4a698e444a98d3b75d67069e571f9fa47d7142f8370974a1445

                SHA512

                e81198ceecb14a9380ac703404550b8d0b5b54f10e6ebac4dfe7405e39c71096a4598363a588f8d7eb4fa3aeb5bfa5b63c386a6c426f7d999a68daa902c69490

                Download Submit

              • memory/236-9-0x000000001CAF0000-0x000000001CBA2000-memory.dmp

                Filesize

                712KB

                Download

              • memory/236-17-0x00007FFA34270000-0x00007FFA34D32000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/236-8-0x000000001B820000-0x000000001B870000-memory.dmp

                Filesize

                320KB

                Download

              • memory/236-7-0x00007FFA34270000-0x00007FFA34D32000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/236-5-0x00007FFA34270000-0x00007FFA34D32000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4920-0-0x00007FFA34273000-0x00007FFA34275000-memory.dmp

                Filesize

                8KB

                Download

              • memory/4920-6-0x00007FFA34270000-0x00007FFA34D32000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4920-2-0x00007FFA34270000-0x00007FFA34D32000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4920-1-0x0000000000EE0000-0x0000000001204000-memory.dmp

                Filesize

                3.1MB

                Download