Analysis Overview
SHA256
c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
Threat Level: Known bad
The file nvz0g1.ps1 was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-01-17 02:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-17 02:18
Reported
2023-01-17 02:21
Platform
win7-20220812-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1
Network
Files
memory/1172-54-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp
memory/1172-55-0x000007FEF43B0000-0x000007FEF4DD3000-memory.dmp
memory/1172-56-0x000007FEF3850000-0x000007FEF43AD000-memory.dmp
memory/1172-57-0x0000000002574000-0x0000000002577000-memory.dmp
memory/1172-58-0x000000001B730000-0x000000001BA2F000-memory.dmp
memory/1172-59-0x0000000002574000-0x0000000002577000-memory.dmp
memory/1172-60-0x000000000257B000-0x000000000259A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-17 02:18
Reported
2023-01-17 02:21
Platform
win10v2004-20220901-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1652 set thread context of 1332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ghcc.duckdns.org | udp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 8.238.110.126:80 | tcp | |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 13.89.179.10:443 | tcp | |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 8.238.110.126:80 | tcp | |
| N/A | 8.238.110.126:80 | tcp | |
| N/A | 8.238.110.126:80 | tcp | |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | ghcc.duckdns.org | udp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | ghcc.duckdns.org | udp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
Files
memory/1652-132-0x000002565F710000-0x000002565F732000-memory.dmp
memory/1652-133-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp
memory/1332-134-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1332-135-0x000000000047E7AE-mapping.dmp
memory/1652-136-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp
memory/1332-137-0x00000000058D0000-0x0000000005E74000-memory.dmp
memory/1332-138-0x0000000005320000-0x00000000053B2000-memory.dmp
memory/1332-139-0x0000000005250000-0x000000000525A000-memory.dmp
memory/1332-140-0x00000000064A0000-0x0000000006AB8000-memory.dmp
memory/1332-141-0x00000000057A0000-0x00000000057F0000-memory.dmp
memory/1332-142-0x0000000005FC0000-0x0000000006072000-memory.dmp