quasar | c976e871fc4a85df9b709fde9715ac426fb6796e1a4e097230799a1381f9247c

Reason

Machine shutdown

General

Target

Client-built.exe
Size

502KB
MD5

4b84ba6fb64643df80a50b4351368a7c
SHA1

0c45bb4d28399f09e5a92c341f544e7141e371e0
SHA256

c976e871fc4a85df9b709fde9715ac426fb6796e1a4e097230799a1381f9247c
SHA512

6b1207eb35f55b903f59f966ebda8e1a0dfbd552a24a9d999bdfe520f1d40a48ba74574274d1ab526708708635a20f0babadc2f1c9006772be4e947d1703f197
SSDEEP

6144:VTEgdc0YmX7IxUpGREW7dBdTED8KdDkQfocEBOb8F9r8Hc1ecTR32:VTEgdfYnxUJJDkRpBPecd2

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

147.185.221.19:6401

Mutex

0623266f-d360-4056-9f63-ed81b7a11fdf

Attributes

encryption_key
CAC47E124130EBD3A11EBA5B8DAA79439482A0B5
install_name
Roblox.exe
log_directory
Logs
reconnect_delay
3000
startup_key
123
subdirectory
Roblox

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2920-1-0x0000000000F90000-0x0000000001014000-memory.dmp	family_quasar
behavioral1/files/0x0007000000023ca0-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4240	Roblox.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org
19	api.ipify.org

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5084	schtasks.exe
1240	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	Client-built.exe
Token: SeDebugPrivilege	4240	Roblox.exe
Token: SeShutdownPrivilege	4464	shutdown.exe
Token: SeRemoteShutdownPrivilege	4464	shutdown.exe
Token: SeShutdownPrivilege	1884	shutdown.exe
Token: SeRemoteShutdownPrivilege	1884	shutdown.exe
Token: SeShutdownPrivilege	440	shutdown.exe
Token: SeRemoteShutdownPrivilege	440	shutdown.exe
Token: SeShutdownPrivilege	1656	shutdown.exe
Token: SeRemoteShutdownPrivilege	1656	shutdown.exe
Token: SeShutdownPrivilege	4376	shutdown.exe
Token: SeRemoteShutdownPrivilege	4376	shutdown.exe
Token: SeShutdownPrivilege	5008	shutdown.exe
Token: SeRemoteShutdownPrivilege	5008	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4240	Roblox.exe
3724	LogonUI.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 5084	2920	Client-built.exe	86
PID 2920 wrote to memory of 5084	2920	Client-built.exe	86
PID 2920 wrote to memory of 4240	2920	Client-built.exe	88
PID 2920 wrote to memory of 4240	2920	Client-built.exe	88
PID 4240 wrote to memory of 1240	4240	Roblox.exe	89
PID 4240 wrote to memory of 1240	4240	Roblox.exe	89
PID 4240 wrote to memory of 2468	4240	Roblox.exe	111
PID 4240 wrote to memory of 2468	4240	Roblox.exe	111
PID 2468 wrote to memory of 2888	2468	cmd.exe	113
PID 2468 wrote to memory of 2888	2468	cmd.exe	113
PID 2468 wrote to memory of 4464	2468	cmd.exe	114
PID 2468 wrote to memory of 4464	2468	cmd.exe	114
PID 2468 wrote to memory of 1884	2468	cmd.exe	116
PID 2468 wrote to memory of 1884	2468	cmd.exe	116
PID 2468 wrote to memory of 440	2468	cmd.exe	117
PID 2468 wrote to memory of 440	2468	cmd.exe	117
PID 2468 wrote to memory of 1656	2468	cmd.exe	118
PID 2468 wrote to memory of 1656	2468	cmd.exe	118
PID 2468 wrote to memory of 4376	2468	cmd.exe	119
PID 2468 wrote to memory of 4376	2468	cmd.exe	119
PID 2468 wrote to memory of 5008	2468	cmd.exe	120
PID 2468 wrote to memory of 5008	2468	cmd.exe	120
PID 2468 wrote to memory of 1608	2468	cmd.exe	121
PID 2468 wrote to memory of 1608	2468	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "123" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5084
- C:\Users\Admin\AppData\Roaming\Roblox\Roblox.exe
  "C:\Users\Admin\AppData\Roaming\Roblox\Roblox.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "123" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Roblox\Roblox.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1240
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /K CHCP 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\system32\chcp.com
      CHCP 437
      4⤵
      PID:2888
  - - C:\Windows\system32\shutdown.exe
      shutdown /s
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4464
  - - C:\Windows\system32\shutdown.exe
      shutdown /s
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\Windows\system32\shutdown.exe
      shutdown /s
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:440
  - - C:\Windows\system32\shutdown.exe
      shutdown /s
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\system32\shutdown.exe
      shutdown /s
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4376
  - - C:\Windows\system32\shutdown.exe
      shutdown /s
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\system32\shutdown.exe
      shutdown /s 1
      4⤵
      PID:1608

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\WaitRepair.vbs"
1⤵
PID:1888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\WaitRepair.vbs"
1⤵
PID:2304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f4855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Roblox\Roblox.exe

Filesize
502KB

MD5
4b84ba6fb64643df80a50b4351368a7c

SHA1
0c45bb4d28399f09e5a92c341f544e7141e371e0

SHA256
c976e871fc4a85df9b709fde9715ac426fb6796e1a4e097230799a1381f9247c

SHA512
6b1207eb35f55b903f59f966ebda8e1a0dfbd552a24a9d999bdfe520f1d40a48ba74574274d1ab526708708635a20f0babadc2f1c9006772be4e947d1703f197

Download Submit
memory/2920-0-0x00007FFE767C3000-0x00007FFE767C5000-memory.dmp

Filesize
8KB

Download
memory/2920-1-0x0000000000F90000-0x0000000001014000-memory.dmp

Filesize
528KB

Download
memory/2920-2-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download
memory/2920-9-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download
memory/4240-10-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download
memory/4240-8-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download
memory/4240-11-0x000000001AC90000-0x000000001ACE0000-memory.dmp

Filesize
320KB

Download
memory/4240-12-0x000000001B430000-0x000000001B4E2000-memory.dmp

Filesize
712KB

Download
memory/4240-15-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download
memory/4240-17-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads