quasar | af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440

Analysis

max time kernel
54s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celestial.exe
Size

3.1MB
MD5

12bdd4b4c107fc3ffec7f9b29d7d6a93
SHA1

04bb395848578e22cef0c90215463e4efe4965c3
SHA256

af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440
SHA512

ff4a2c42ac1fed5421955a949cf28c9abb714484bb68259f160516d10a7a179cc6e6327ab2fc2f099ba51a98b25fa5f41ea2af4f3815159e1ce7f75a698b8251
SSDEEP

49152:nv6lL26AaNeWgPhlmVqvMQ7XSKZkxNESElk/iULoGdldTHHB72eh2NT:nviL26AaNeWgPhlmVqkQ7XSKGxsa

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

147.185.221.19:33365

Mutex

ba5220e2-c4e8-4381-aad8-a85115ef955e

Attributes

encryption_key
67C139F3E9A16FF8132A3DCF42197B8BA3C38609
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Miicrosoft Securiity
subdirectory
Miicrosoft Securiity

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/4856-1-0x0000000000070000-0x0000000000394000-memory.dmp family_quasar
C:\Program Files\Miicrosoft Securiity\Client.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2788 Client.exe

resource	yara_rule
behavioral1/memory/4856-1-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
C:\Program Files\Miicrosoft Securiity\Client.exe	family_quasar

pid	process
2788	Client.exe

Drops file in Program Files directory 4 IoCs

Processes:

Celestial.exeClient.exe

description	ioc	process
File opened for modification	C:\Program Files\Miicrosoft Securiity\Client.exe	Celestial.exe
File opened for modification	C:\Program Files\Miicrosoft Securiity	Celestial.exe
File opened for modification	C:\Program Files\Miicrosoft Securiity	Client.exe
File created	C:\Program Files\Miicrosoft Securiity\Client.exe	Celestial.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msinfo32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msinfo32.exeEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4620 schtasks.exe
732 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3224 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EXCEL.EXE

pid process

4664 EXCEL.EXE
4664 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Celestial.exeClient.exe

description pid process

Token: SeDebugPrivilege 4856 Celestial.exe
Token: SeDebugPrivilege 2788 Client.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Client.exe

pid process

2788 Client.exe
2788 Client.exe
2788 Client.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Client.exe

pid process

2788 Client.exe
2788 Client.exe
2788 Client.exe
Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEEXCEL.EXEClient.exe

pid process

3224 EXCEL.EXE
3224 EXCEL.EXE
4664 EXCEL.EXE
3224 EXCEL.EXE
3224 EXCEL.EXE
3224 EXCEL.EXE
3224 EXCEL.EXE
3224 EXCEL.EXE
3224 EXCEL.EXE
3224 EXCEL.EXE
2788 Client.exe
3224 EXCEL.EXE

pid	process
4620	schtasks.exe
732	schtasks.exe

pid	process
3224	EXCEL.EXE

pid	process
4664	EXCEL.EXE
4664	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	4856	Celestial.exe
Token: SeDebugPrivilege	2788	Client.exe

pid	process
2788	Client.exe
2788	Client.exe
2788	Client.exe

pid	process
2788	Client.exe
2788	Client.exe
2788	Client.exe

pid	process
3224	EXCEL.EXE
3224	EXCEL.EXE
4664	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
2788	Client.exe
3224	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Celestial.exeClient.exe

description	pid	process	target process
PID 4856 wrote to memory of 4620	4856	Celestial.exe	schtasks.exe
PID 4856 wrote to memory of 4620	4856	Celestial.exe	schtasks.exe
PID 4856 wrote to memory of 2788	4856	Celestial.exe	Client.exe
PID 4856 wrote to memory of 2788	4856	Celestial.exe	Client.exe
PID 2788 wrote to memory of 732	2788	Client.exe	schtasks.exe
PID 2788 wrote to memory of 732	2788	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Miicrosoft Securiity" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Securiity\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Program Files\Miicrosoft Securiity\Client.exe
"C:\Program Files\Miicrosoft Securiity\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Miicrosoft Securiity" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Securiity\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ExitWatch.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\WatchUninstall.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:32

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ExitWatch.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:220

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Miicrosoft Securiity\Client.exe
Filesize
3.1MB

MD5
12bdd4b4c107fc3ffec7f9b29d7d6a93

SHA1
04bb395848578e22cef0c90215463e4efe4965c3

SHA256
af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440

SHA512
ff4a2c42ac1fed5421955a949cf28c9abb714484bb68259f160516d10a7a179cc6e6327ab2fc2f099ba51a98b25fa5f41ea2af4f3815159e1ce7f75a698b8251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
471B

MD5
07a022d0d988a4de2d93cb500e575cd9

SHA1
5a29f718e3227666fb2b1593931ce3e358d52158

SHA256
14bcdc52382a7ecea59cfd8bc4a551e45dfc2caf7ce041629b7813c660d30178

SHA512
36447bcdaab6f58da71d574e1a69ab9ca38fe466790dea0e120c725d655e11cb6f7f6c206a6257e1e29125ef07b02dae18b55ce7cf751ac72647d55192c4d15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
4320182bfe360a3c56f562e1a1eb2b50

SHA1
f361f02ec0fc4a88c4e4a07cddda69b1a5b05443

SHA256
0bd9964053fdb1667fd355ad43f3102f61d878dc835d80ac375d00a5d2b59620

SHA512
7d99b46d54df8b5d5e1e5d83fa35e2e2e494be99d90ad4cdbd1e6993f863fb131d55a430ba0265fb305626458b9fc4e2a56bd64f55b5e7eb7bfc36bb7b2e8a5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3E2A1BC5-913F-4F1C-BDC7-AE0BB181060E
Filesize
168KB

MD5
adc019ae12fbd32973bba1f1f7e50660

SHA1
0fca4598f9007cf1d3d37adf438050795cce6e0f

SHA256
fd54f6a42361bd39ca315ffdb8aba38c34fb85b72c512ef30001f1cf8f11b0c7

SHA512
dae0391a83305dbfe4f714b1b66da3118a1bb7da718280e81a1153a25f045894796af5097e8116426262a51b21ebe5a54a651d93ae7028f2ffe26db70740a3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
52KB

MD5
b156afe165019882e2d2353e9c9cc26b

SHA1
b401bad106e23d57a18e365fe49981ae6530ad7c

SHA256
92740d4859d9e88c2172087b1d95969e879e4bf961d2716fd2e9cd37ae2119d8

SHA512
d2749fbb0b9b083edd05e5bb7b9b17da887daab65a82b2682d54a44da00b19945334df040fce8d31b55f212c3a039a6c56d48e195077b391ce731701a9af5fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
8ac661a6ab5acec04916a8786b2714ec

SHA1
5578359c164a9640d9d561b9e662edfd38aad97c

SHA256
fabfba4f1ecd60f78ff0705011ffbae146675d5a494c4462344e201a9a75e8d8

SHA512
5bac46a45bfd658a441683b5c2397c5380369430ba679ce435498af0fbfb33bf74e6c0840bcc1b104adbd9f312b6318ec01e976b2e15e1de2ad2f19afedc3a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
09824c723b0874b7423a7b7b640e79cc

SHA1
02abf009278939f16ee351b5e2e5e78ea53172c3

SHA256
b571ef83fa5f3cbee66c67678930f306d320fbe0f44d3ac718a31b9536c7cd2d

SHA512
1c248b07489508a15e683453b43317f8de2da7154f98bf9fadbf3f8afb109d62e184bd2516b6d25ac683becb50eb6a64ea9778d57523bd5da2c37142ee2786f1

Download Submit
memory/2788-67-0x000000001C570000-0x000000001C5AC000-memory.dmp

Filesize
240KB

Download
memory/2788-66-0x000000001C510000-0x000000001C522000-memory.dmp

Filesize
72KB

Download
memory/2788-63-0x000000001C5D0000-0x000000001C682000-memory.dmp

Filesize
712KB

Download
memory/2788-62-0x000000001C4C0000-0x000000001C510000-memory.dmp

Filesize
320KB

Download
memory/3224-13-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-9-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/3224-14-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-15-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-16-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-17-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-20-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/3224-19-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-21-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-22-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-18-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-69-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-28-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/3224-68-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-2-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/3224-12-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-10-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-11-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-8-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/3224-6-0x00007FFEF610D000-0x00007FFEF610E000-memory.dmp

Filesize
4KB

Download
memory/3224-7-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/3224-5-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/3224-4-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/4664-58-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/4664-57-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/4664-59-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/4664-56-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/4664-31-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/4664-29-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/4856-50-0x00007FFED7870000-0x00007FFED8331000-memory.dmp

Filesize
10.8MB

Download
memory/4856-3-0x00007FFED7870000-0x00007FFED8331000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/4856-0-0x00007FFED7873000-0x00007FFED7875000-memory.dmp

Filesize
8KB

Download