Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    254s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    cafaa2094366a156294df6341237e491

  • SHA1

    49868d99bb2252ce9911f8b6c94015cd87f24b01

  • SHA256

    9d7cd0429734cb72bc0205287461e459c51cee40f34e5e54513da2315bf8e84a

  • SHA512

    be176c9d7080b522c8a5dc9d219d47ee71ef507473348825073928142b9e9175287140fce137a5fc16d4d5ec0eb96bcc26bbeacf86dd328f9b5492f66b6af675

  • SSDEEP

    49152:zvbI22SsaNYfdPBldt698dBcjHKVE7uo+vJgBoGdBTHHB72eh2NT:zvk22SsaNYfdPBldt6+dBcjHqoj

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Waix-40247.portmap.host:40247

Mutex

9d84e220-c4b7-4f5c-b179-163c03154a8f

Attributes
  • encryption_key

    B963B2000CDCB4E83B2966F1E1C703720463EE18

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R5lgPTvEjPBk.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3752
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4368
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2708
    • C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TestPing.bat
      1⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Opens file in notepad (likely ransom note)
      PID:2760
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
      Filesize

      64KB

      MD5

      d2fb266b97caff2086bf0fa74eddb6b2

      SHA1

      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

      SHA256

      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

      SHA512

      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
      Filesize

      4B

      MD5

      f49655f856acb8884cc0ace29216f511

      SHA1

      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

      SHA256

      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

      SHA512

      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
      Filesize

      944B

      MD5

      6bd369f7c74a28194c991ed1404da30f

      SHA1

      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

      SHA256

      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

      SHA512

      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\R5lgPTvEjPBk.bat
      Filesize

      213B

      MD5

      15651fd2c48831fa6fe43d58c28d453c

      SHA1

      60a75652f41149b0569078586e1d6baabd4ec428

      SHA256

      881adbe1f1943acc3196aaa78a2467be33ea4b00b19873fe44aa36da5aeb92ec

      SHA512

      376300d9b6304983a2dbaf1a8f6f46cabecfb7cbfe2960a32a9d25ddd993c447fdf7bc7a1659dc9a265ebff3e6e5e9451d3a33ef5cd9accc4c1ecfb3f7d1281a

      Download Submit

    • memory/2708-20-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-23-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-18-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-17-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-21-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-11-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-13-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-12-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-19-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2708-22-0x0000019A55A70000-0x0000019A55A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3472-2-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3472-10-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3472-0-0x00007FFEAFD03000-0x00007FFEAFD05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3472-9-0x00007FFEAFD03000-0x00007FFEAFD05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3472-8-0x000000001C2C0000-0x000000001C2FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3472-7-0x000000001C260000-0x000000001C272000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3472-1-0x00000000007F0000-0x0000000000B14000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3472-42-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3472-4-0x000000001C320000-0x000000001C3D2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/3472-3-0x000000001C210000-0x000000001C260000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4652-25-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-31-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-36-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-35-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-34-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-33-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-32-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-24-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-26-0x000001C716720000-0x000001C716721000-memory.dmp

      Filesize

      4KB

      Download