Analysis Overview
SHA256
6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e
Threat Level: Known bad
The file ss.ps1 was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-19 17:09
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-19 17:09
Reported
2023-01-19 17:11
Platform
win10v2004-20221111-en
Max time kernel
117s
Max time network
145s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1300 set thread context of 364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ss.ps1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ghcc.duckdns.org | udp |
| N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | tools.keycdn.com | udp |
| N/A | 185.172.148.96:443 | tools.keycdn.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 64.185.227.155:443 | api.ipify.org | tcp |
| N/A | 20.189.173.15:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp |
Files
memory/1300-132-0x000002C6E8BD0000-0x000002C6E8BF2000-memory.dmp
memory/1300-133-0x00007FF99F040000-0x00007FF99FB01000-memory.dmp
memory/364-135-0x000000000047E74E-mapping.dmp
memory/1300-136-0x00007FF99F040000-0x00007FF99FB01000-memory.dmp
memory/364-137-0x0000000000710000-0x0000000000794000-memory.dmp
memory/364-138-0x0000000005220000-0x00000000057C4000-memory.dmp
memory/364-139-0x0000000004C70000-0x0000000004D02000-memory.dmp
memory/364-140-0x0000000004C50000-0x0000000004C5A000-memory.dmp
memory/3384-141-0x0000000000000000-mapping.dmp
memory/364-142-0x00000000060F0000-0x0000000006708000-memory.dmp
memory/364-143-0x0000000005B20000-0x0000000005B70000-memory.dmp
memory/364-144-0x0000000005D90000-0x0000000005E42000-memory.dmp
memory/364-145-0x0000000007040000-0x00000000070A6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-19 17:09
Reported
2023-01-19 17:11
Platform
win7-20221111-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ss.ps1
Network
Files
memory/1936-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp
memory/1936-55-0x000007FEF4120000-0x000007FEF4B43000-memory.dmp
memory/1936-56-0x000007FEF35C0000-0x000007FEF411D000-memory.dmp
memory/1936-57-0x0000000002054000-0x0000000002057000-memory.dmp
memory/1936-58-0x000000001B6F0000-0x000000001B9EF000-memory.dmp
memory/1936-59-0x000000000205B000-0x000000000207A000-memory.dmp
memory/1936-60-0x0000000002054000-0x0000000002057000-memory.dmp
memory/1936-61-0x000000000205B000-0x000000000207A000-memory.dmp