Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.3MB

  • MD5

    d5228d8272c425d9aa1af3a1ab93d9fd

  • SHA1

    f88b9a56ed8377a277a8a6b7b09d01779824fae8

  • SHA256

    f1512bfeff65f189db2ba206fe9b51764b67e60526c3d1c0482feff63a4fa95b

  • SHA512

    d92d45cc8ac140e7581d743a365e2a943a983e83195f5e363ebf72ab7ba98a772099103bdb2909728cd65e4262d5505e55e795b1a00bdfb9c8d9df9c852e8741

  • SSDEEP

    49152:0v8go2QSaNpzyPllgamb0CZof/JZXxNESEuk/iWLoGdqITHHB72eh2NT:0vNo2QSaNpzyPllgamYCZof/JBxdY6

Score
10/10
quasarspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2800
    • C:\Program Files\Miicrosoft Security\NewCheats.exe
      "C:\Program Files\Miicrosoft Security\NewCheats.exe"
      2⤵
        PID:2888
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5032

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Miicrosoft Security\NewCheats.exe
      Filesize

      2.2MB

      MD5

      206ab1e2f22509d064439afe0ed30aee

      SHA1

      4d02aef9c6d978b24bc93b43e66b61491944d9fd

      SHA256

      ce8d4a18e9154f6fff40a109fc885ddd03f5457e2086f743793758a654b55f68

      SHA512

      8165d467f505ebbcde733a84d8dbed02b59709d7167d21714c01342af90049a8542fa17a3f2e1527c2364a81b6d45055800d6fcb3d84fad508d9c50fd118418b

      Download Submit
    • C:\Program Files\Miicrosoft Security\NewCheats.exe
      Filesize

      2.3MB

      MD5

      4831ee06e795a47aff7f78e4595ddfed

      SHA1

      bad4669d3eb9db5588c4110734cf232031b84c7f

      SHA256

      9b1a89c2ccad74b28c30cd8f3324b61140d79a377a7007c7fdb16c64d87de391

      SHA512

      311a91cd83e7a2bf7afd15bcfed983908bd3def234ac0effee088e96742148c1d38aad38016da8b30b49128fa79c68ed8e62c71b8bd03ff08abf643a16a24926

      Download Submit
    • memory/1040-0-0x00007FFB98E13000-0x00007FFB98E15000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1040-1-0x0000000000890000-0x0000000000BDE000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1040-2-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1040-9-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2888-10-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2888-11-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2888-12-0x0000000002890000-0x00000000028E0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2888-13-0x000000001D260000-0x000000001D312000-memory.dmp
      Filesize

      712KB

      Download