Analysis

Max time kernel: 148s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17/01/2023, 02:18

Static task: static1
Behavioral task: behavioral1
  Sample: nvz0g1.ps1
  Resource: win7-20220812-en
  2 signatures, 150 seconds
General

Target: nvz0g1.ps1
Size: 5.1MB
MD5: 7aad8bcb11ff3deab23cc311222fe265
SHA1: 3d9a69c71e00aff947af949441220f18bad9e0d8
SHA256: c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
SHA512: f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9
SSDEEP: 49152:YY1wOeTfeinwRg0Yd0YtWdR2++BqkPiblNmBZOqsHtL3rdyW6JKHINYMpnkq/3+g:i
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: ghcc.duckdns.org:4782
Mutex: a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b
Attributes:
  encryption_key: B0326395AC2D48856CAE22978A087DF5DCF5816D
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1332-134-0x0000000000400000-0x0000000000484000-memory.dmp  family_quasar
  behavioral2/memory/1332-135-0x000000000047E7AE-mapping.dmp                    family_quasar

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 1652 set thread context of 1332  1652  powershell.exe  81

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1652  powershell.exe
  1652  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1652  powershell.exe
  Token: SeDebugPrivilege  1332  RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1332  RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process         procid_target
  PID 1652 wrote to memory of 1332  1652  powershell.exe  81
  (this identical entry is recorded 8 times)
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1
   PID: 1652
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 1332
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx