Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Client-built.exe

windows10-ltsc 2021-x64

10

Client-built.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-11-2024 03:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    c17ff0333852bb47c256d3a448910271

  • SHA1

    be09b580de7608f2f1e9013bd16ad5499faf2ce3

  • SHA256

    e5963a8de3d81aff5bd3193d5137baa1b9022d6106dc3141f4d99c14e2fbad7e

  • SHA512

    1bf1840de9a7547fef877e0986c4a71c0360ea9005a3f85b98836596acc713e6d9764fd9c0a0d7356b0621cb278ec403bf7ac71f8155decb046d14ec4ecd13f5

  • SSDEEP

    49152:rvClL26AaNeWgPhlmVqvMQ7XSK7pDGjHmzMVoGdBHTHHB72eh2NT:rv6L26AaNeWgPhlmVqkQ7XSKdDGjN

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

answer-patients.gl.at.ply.gg:4538

Mutex

bd9cc66c-344e-4ad2-b846-b59ac86aa18e

Attributes
  • encryption_key

    9672EF6F385B517A0E912363D30D7BF6BDEA77A6

  • install_name

    siema.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    svhost.gg

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 52 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5232
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\svhost.gg\siema.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2092
    • C:\Windows\system32\svhost.gg\siema.exe
      "C:\Windows\system32\svhost.gg\siema.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\svhost.gg\siema.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1320
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3480
  • C:\Windows\system32\werfault.exe
    werfault.exe /hc /shared Global\aede9d5486004182a7d7771e1885549f /t 3884 /p 3816
    1⤵
      PID:1796
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      PID:3596
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2128
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:2756

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NTU84VM\www.bing[1].xml
        Filesize

        3KB

        MD5

        98f6811313534675f1d63ace4e274499

        SHA1

        f3878f3f53ff8b9918dc4312b8a082f4aa50d2d7

        SHA256

        2c6c45456820e040471e260b4669505e406ff164d9b7b09e799a503093bfe33d

        SHA512

        88699ef8aa39048d000ab7ada520af0145f9f5b39ea5056af5bc3a436d4333a3f809a68e77ae747c84b09e16379ac40b7c2f0d8ef24dd8f083a118e7273c5c3e

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NTU84VM\www.bing[1].xml
        Filesize

        15KB

        MD5

        633d2a55891a65b0de6970762562bcf4

        SHA1

        37e30c8db20374e3ef9df13320bf0e049e868357

        SHA256

        876007c4443d2860b46be232221066ce3770f300f32e6748dc5678338834ef5f

        SHA512

        776ddd0757534ec064900acd1e2e75e5d26f42589962f1da828fd8d45d19d5074061ffef892b39c6fecc0ce2e1828ab8f60c7e777cb12cc370766e6e304098b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NTU84VM\www.bing[1].xml
        Filesize

        10KB

        MD5

        01f034680c6dcae151a4522e33c6d31b

        SHA1

        a86e4a75ff027241d39059882c8ff0f021f23597

        SHA256

        f2e069f1210cd01622d5abfb444274036377bbbdf0d2d284ea4bb93aa8b62940

        SHA512

        572312eccec79dc297da18588fe067733d4a485dda3fe8a7efd9f7dd5ac63330a702dac4c55752ba8d2404c4f3957b7dda7618a7fca90f7a76413bfbee83bd90

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NTU84VM\www.bing[1].xml
        Filesize

        7KB

        MD5

        5ef6729795cfb366a47d4b589b6556f9

        SHA1

        76caacf053723a9ee4fd53d435b12a33d154b8c2

        SHA256

        10b438e94505ed81ea0e13e7da9cd64c02721ffc73f060d8221006ad32d9a4df

        SHA512

        89f55ff242094b6376ea3052ef71910a7f3177d27d106366c3cf7fed24d1ecea613ad89d23ba7bdd94f7303ed85964d2534ae1115fb6c2ba4fc89fbec108e755

        Download Submit

      • C:\Windows\System32\svhost.gg\siema.exe
        Filesize

        3.1MB

        MD5

        c17ff0333852bb47c256d3a448910271

        SHA1

        be09b580de7608f2f1e9013bd16ad5499faf2ce3

        SHA256

        e5963a8de3d81aff5bd3193d5137baa1b9022d6106dc3141f4d99c14e2fbad7e

        SHA512

        1bf1840de9a7547fef877e0986c4a71c0360ea9005a3f85b98836596acc713e6d9764fd9c0a0d7356b0621cb278ec403bf7ac71f8155decb046d14ec4ecd13f5

        Download Submit

      • memory/2128-29-0x0000024F03000000-0x0000024F03100000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2128-242-0x0000024F3ACC0000-0x0000024F3ADC0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2128-154-0x0000024F37250000-0x0000024F37270000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2128-153-0x0000024F37560000-0x0000024F37660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2128-152-0x0000024F24DE0000-0x0000024F24E00000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2128-109-0x0000024F36000000-0x0000024F36100000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2376-16-0x000000001CA00000-0x000000001CA12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2376-18-0x000000001DCF0000-0x000000001E218000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2376-17-0x000000001D580000-0x000000001D5BC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2376-13-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2376-12-0x000000001CA70000-0x000000001CB22000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2376-11-0x000000001C960000-0x000000001C9B0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2376-10-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2376-9-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5232-0-0x00007FF9D8FF3000-0x00007FF9D8FF5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5232-8-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5232-2-0x00007FF9D8FF0000-0x00007FF9D9AB2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5232-1-0x00000000009B0000-0x0000000000CD4000-memory.dmp

        Filesize

        3.1MB

        Download