Resubmissions

22-12-2024 02:36

241222-c3x8xsznby 10

22-12-2024 02:36

241222-c3ndqazna1 10

22-12-2024 02:34

241222-c2nyvszpek 10

Analysis

  • max time kernel
    66s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 02:34

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    455889b66765b1638dd978a0280f1c7e

  • SHA1

    774c78b88528e366cb46ba6723f7bbc7dbb192c1

  • SHA256

    4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

  • SHA512

    df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e

  • SSDEEP

    49152:avBt62XlaSFNWPjljiFa2RoUYIWXhymzg8oGd5ZTHHB72eh2NT:avr62XlaSFNWPjljiFXRoUYIWXhnp

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

JJ:4782

192.168.10.1:4782

Mutex

9a10c5be-59aa-4915-9bd2-d92256f2c938

Attributes
  • encryption_key

    83ADBC9532F819159CF9138DCD18B9BF646C2117

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Discord

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2744
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3296
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GK86YZPLtaDG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2212
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4664
          • C:\Windows\system32\SubDir\Client.exe
            "C:\Windows\system32\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:936
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1168
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4rGqS8eZTrI8.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4304
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1788
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:412
                • C:\Windows\system32\SubDir\Client.exe
                  "C:\Windows\system32\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:400
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:964
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LabAo0MVrQ1e.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3296
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3000
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2388
                      • C:\Windows\system32\SubDir\Client.exe
                        "C:\Windows\system32\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:976
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3560
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0m4rW3IdtUEj.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3544
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:3928
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3036
                            • C:\Windows\system32\SubDir\Client.exe
                              "C:\Windows\system32\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:2984
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:3956
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h1eRwrS9tjtz.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4416
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1272
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:544
                                  • C:\Windows\system32\SubDir\Client.exe
                                    "C:\Windows\system32\SubDir\Client.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    • Suspicious use of WriteProcessMemory
                                    PID:640
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2024
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2180

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

              Filesize

              2KB

              MD5

              8f0271a63446aef01cf2bfc7b7c7976b

              SHA1

              b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

              SHA256

              da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

              SHA512

              78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

            • C:\Users\Admin\AppData\Local\Temp\0m4rW3IdtUEj.bat

              Filesize

              196B

              MD5

              5c2363eec3442f709c937c1bb6245bf5

              SHA1

              9a5ce03c157a58897058e61ac80b685b3797e84d

              SHA256

              31b2598af52bac8b8e45c246e27b0ade47d4ee33ba152d25fd5fb27df10fce81

              SHA512

              301e8fbbd4544b03253537c9c9d28f9bfca877ffed984775fe43dcb5c73f858416918308bf5f5a97dd3769f4e1cac507f9093eea6b34373f52dae1d97bb14ad0

            • C:\Users\Admin\AppData\Local\Temp\4rGqS8eZTrI8.bat

              Filesize

              196B

              MD5

              2b1826e4b7e333807ef55e21b4b1f44f

              SHA1

              c25fecb860c5546cc95363211e9a78c36c3f04a8

              SHA256

              2d24a615ccac627ac39dc8e85351da4e2dcf0842989721fde9f723f267eb176a

              SHA512

              3fdadfc9047d301caef8d79744c5f402cffd983b4ddcf538ce4bab4eca97f8813f85a442f7be4ca65a74e4cf87eea3e2a3af463909d1d42fc801986d0efe06df

            • C:\Users\Admin\AppData\Local\Temp\GK86YZPLtaDG.bat

              Filesize

              196B

              MD5

              d1ae536c10ee5f0c0b96f0d6772aa6bc

              SHA1

              260ededa1bf4cfa2bb1589612983f8f31adf82d4

              SHA256

              0d53ba0d2204e6e439cd9b4c187bf71bde05d8952f3912f00ab212e541cf479e

              SHA512

              c2f10a0ec35722dd72b8aa0e6fa940fd9e4150b3a10f601c22953d6659e63cd929ffee3d3f8de24e51a5fb2141191fd2e1912257aebf00c4f1100bddbbd141cd

            • C:\Users\Admin\AppData\Local\Temp\LabAo0MVrQ1e.bat

              Filesize

              196B

              MD5

              f0aaec0c4da0c4c4f10d9003bd3d4845

              SHA1

              56d1acffb8a5f48c3adf3b171c4c273901c3650b

              SHA256

              093ca41e4016f9baa700eba54a8de88bdf51efbb836cfdda4f2fa6c66b54c1e3

              SHA512

              f283d5197cbf838ce5992d721a8754bdf939ced58498c9f9f3894a50bff03285e1a01ad487db5c50e912525b7275f78a3e0884a7adec8d1712eedd5a0786eb69

            • C:\Users\Admin\AppData\Local\Temp\h1eRwrS9tjtz.bat

              Filesize

              196B

              MD5

              94c322a62066a8e3d3f4d03aca5869ce

              SHA1

              909e53b96cb09dd0f04f99236e7f56795b44145e

              SHA256

              5cc986cbf83425c34a72905f4d6271803cb1c0f1a088396ce64842cb41500293

              SHA512

              7ca561f3c7a64a1c8445719eb653088526c2e0fe715ea6c91553962a3c7a1fa53ed9ad22e04755fe4367b7d719af31b0273d85a2629d6ae64dc45fbad897f974

            • C:\Windows\System32\SubDir\Client.exe

              Filesize

              3.1MB

              MD5

              455889b66765b1638dd978a0280f1c7e

              SHA1

              774c78b88528e366cb46ba6723f7bbc7dbb192c1

              SHA256

              4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

              SHA512

              df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e

            • memory/2036-1-0x0000000000640000-0x0000000000964000-memory.dmp

              Filesize

              3.1MB

            • memory/2036-2-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

              Filesize

              10.8MB

            • memory/2036-10-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

              Filesize

              10.8MB

            • memory/2036-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

              Filesize

              8KB

            • memory/2180-36-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-33-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-26-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-28-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-27-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-38-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-37-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-32-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-35-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/2180-34-0x000001F8BA330000-0x000001F8BA331000-memory.dmp

              Filesize

              4KB

            • memory/3328-18-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

              Filesize

              10.8MB

            • memory/3328-13-0x000000001BC80000-0x000000001BD32000-memory.dmp

              Filesize

              712KB

            • memory/3328-12-0x000000001B460000-0x000000001B4B0000-memory.dmp

              Filesize

              320KB

            • memory/3328-11-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

              Filesize

              10.8MB

            • memory/3328-9-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

              Filesize

              10.8MB