Analysis
-
max time kernel
298s -
max time network
305s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
23-03-2024 22:10
Static task
static1
Behavioral task
behavioral1
Sample
TEST.bat
Resource
win7-20240221-en
General
-
Target
TEST.bat
-
Size
5.1MB
-
MD5
b86f4f6866f58f646d089796996d129c
-
SHA1
a95b2a3ad0457286ef23353b9592755fe276671d
-
SHA256
f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354
-
SHA512
7e5cb1bea9974bfc6da599514aa549cf5fffcf82a37bac15259d5f0b4d8f99dd2b2703db9cbb773b861e2c68fc5a0cf31e6a685fa0b4a9d979b6661aa69cb1ae
-
SSDEEP
24576:gccksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8x:9SbESV0MFJnhVFHVwseHFIR4l1t
Malware Config
Extracted
Family     quasar
Version    1.4.1
Botnet     Slave
C2         140.238.91.110:36305
Mutex      f4720af1-0ef3-414f-b170-e837e2727049
Attributes
- encryption_key   52EF528D690A6F47ED9D8BD4A80E69CBE28EDC0A
- install_name     Windows.exe
- log_directory    Windows Error Logs
- reconnect_delay  3000
- startup_key      svchost
- subdirectory     SubDir
Signatures
-
Quasar payload 3 IoCs
Processes:
resource                                                                       yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe                                        family_quasar
behavioral1/memory/2808-62218-0x00000000008D0000-0x0000000000BF4000-memory.dmp family_quasar
behavioral1/memory/2972-62227-0x0000000000980000-0x0000000000CA4000-memory.dmp family_quasar
Executes dropped EXE 2 IoCs
Processes:
pid    process
2808   x.exe
2972   Windows.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid    process
2836   schtasks.exe
2752   schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                pid    process
Token: SeDebugPrivilege    2808   x.exe
Token: SeDebugPrivilege    2972   Windows.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid    process
2972   Windows.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Each parent/child pair below was recorded three times (18 events in total).

description                          pid    process       target process   events
PID 2172 wrote to memory of 604      2172   cmd.exe       findstr.exe      3
PID 2172 wrote to memory of 952      2172   cmd.exe       cscript.exe      3
PID 2172 wrote to memory of 2808     2172   cmd.exe       x.exe            3
PID 2808 wrote to memory of 2836     2808   x.exe         schtasks.exe     3
PID 2808 wrote to memory of 2972     2808   x.exe         Windows.exe      3
PID 2972 wrote to memory of 2752     2972   Windows.exe   schtasks.exe     3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\findstr.exe
      findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
  [2] C:\Windows\system32\cscript.exe
      cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
  [2] C:\Users\Admin\AppData\Local\Temp\x.exe
      C:\Users\Admin\AppData\Local\Temp\x.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
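The tree above is the whole chain: the batch file uses findstr /e (match at end of line) to carve lines ending in 'v out of itself into Temp\x, runs x.vbs with cscript, executes the resulting Temp\x.exe, which copies itself to AppData\Roaming\SubDir\Windows.exe and registers an ONLOGON task named "svchost" with /rl HIGHEST. The following is an added hunting example, not part of the sandbox report: it reconstructs parent/child relationships from process-creation events and flags both the self-extracting dropper stage and the scheduled-task persistence. The Event records are constructed by hand from the report's process tree; the field names (pid, ppid, image, cmdline) and the parent pid 0 for cmd.exe are assumptions, not a real EDR or Sysmon schema.

```python
"""Hunt for the Quasar drop-and-persist chain in process-creation events.

Added example, not part of the sandbox report. Events are constructed from the
report's process tree; field names and the cmd.exe parent pid are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's tree (PIDs as reported; ppid 0 assumed).
EVENTS = [
    Event(2172, 0, r"C:\Windows\system32\cmd.exe",
          r'cmd /c "C:\Users\Admin\AppData\Local\Temp\TEST.bat"'),
    Event(604, 2172, r"C:\Windows\system32\findstr.exe",
          "findstr /e \"'v\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TEST.bat\""),
    Event(952, 2172, r"C:\Windows\system32\cscript.exe",
          r"cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs"),
    Event(2808, 2172, r"C:\Users\Admin\AppData\Local\Temp\x.exe",
          r"C:\Users\Admin\AppData\Local\Temp\x.exe"),
    Event(2836, 2808, r"C:\Windows\system32\schtasks.exe",
          r'"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f'),
    Event(2972, 2808, r"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe",
          r'"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"'),
    Event(2752, 2972, r"C:\Windows\system32\schtasks.exe",
          r'"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f'),
]

# schtasks switches of interest: value is either "quoted" or a bare token.
SCHTASKS_ARG = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Directories an unprivileged user can write to; a task action there is a red flag.
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Temp|Public)\\', re.IGNORECASE)
# Task names that imitate Windows system binaries.
WINDOWS_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "services", "wininit", "smss"}


def parse_schtasks(cmdline):
    """Return {'tn':..., 'sc':..., 'tr':..., 'rl':...} for the switches present."""
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        args[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def suspicious_task(ev):
    """Reasons a schtasks /create event looks like persistence, or None."""
    if not ev.image.lower().endswith("schtasks.exe") or "/create" not in ev.cmdline.lower():
        return None
    args = parse_schtasks(ev.cmdline)
    if "tr" not in args:
        return None
    reasons = []
    if USER_WRITABLE.search(args["tr"]):
        reasons.append("task action in user-writable path")
    if args.get("sc", "").upper() == "ONLOGON":
        reasons.append("ONLOGON trigger")
    if args.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    if args.get("tn", "").lower().split(".")[0] in WINDOWS_NAMES:
        reasons.append("task name masquerades as a Windows binary")
    return reasons or None


def dropper_chains(events):
    """cmd.exe running a .bat whose children read that same .bat with findstr,
    run a .vbs via cscript/wscript, and launch an executable from a Temp directory."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("cmd.exe"):
            continue
        m = re.search(r'"?([^"]+\.bat)"?', ev.cmdline, re.IGNORECASE)
        if not m:
            continue
        bat = m.group(1).lower()
        kids = by_parent.get(ev.pid, [])
        self_read = any(k.image.lower().endswith("findstr.exe") and bat in k.cmdline.lower() for k in kids)
        script = any(k.image.lower().endswith(("cscript.exe", "wscript.exe")) and ".vbs" in k.cmdline.lower() for k in kids)
        temp_exes = [k.pid for k in kids if k.image.lower().endswith(".exe") and "\\temp\\" in k.image.lower()]
        if self_read and script and temp_exes:
            hits.append((ev.pid, temp_exes))
    return hits


def analyze(events):
    """Full pass: dropper chains plus every suspicious schtasks event keyed by pid."""
    persistence = {}
    for ev in events:
        reasons = suspicious_task(ev)
        if reasons:
            persistence[ev.pid] = reasons
    return {"dropper_chains": dropper_chains(events), "persistence": persistence}


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)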
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\x
Filesize  2KB
MD5       317be49b0cc0c61180aec69e7d0cd240
SHA1      b2d6e3e5cc0aa7897e1ffadfaf89406251cae07f
SHA256    4b9990a547c0fd97188916dc6cab1c7a7043ae1f3a992b63821319fd560938c9
SHA512    41fab92b6fa736d63935766dc72b1b047c900f2c23dfd421f9da344944d66094abc1370b189cad2ef5f49833e6bdfe99402f14d6caadedd24a83d97c5c4e7b96
-
C:\Users\Admin\AppData\Local\Temp\x
Filesize  4KB
MD5       5e7433944b930a5d455e8105cfc50e5b
SHA1      613c4b5cd7c00a48057d0c26ecbc4546257f9369
SHA256    3c37be69c66a6eaa998e84d839ec909d7c063e33bf0f37a148dfb8026c641803
SHA512    08f3a7b8ff5b75aff5dee4cc97d37bff6dc4128a926b90106f788cfeb639ff52f7ab584b0ccd8039d9c164754f8d26e7053ef5d3ec49b0f6f30f86be327a7309
-
C:\Users\Admin\AppData\Local\Temp\x
Filesize  4.3MB
MD5       86d323e5f0c8cc803bce65d0ba99864e
SHA1      31ac2d2b336faf9aa911c0371c668923169679ee
SHA256    7c7981c2284f87649282657837c62e812b4a156e88ac2922479e2a24fa223afa
SHA512    24fd1b30b2a7b2e251b6b3283c1becd5a1e2e69b22c780fc034551d5ceb42a88b138237efa565977e265d101eef756bc69972d52552cd1530e34612dee6fc8d1
-
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize  3.1MB
MD5       e9a5c47b799b740cb8bf2db11b85ad91
SHA1      301612438c71f38418f874bd8c58bdc0ff93e5df
SHA256    59ac2857047d0c8778e5658757fd17b39ecfe0ee34fd50aad70a8a1acde9a4ff
SHA512    c6781f1196171cb79d9cdd6f104f39bb63bef5c8113770c714fb8b78c33785c695f0b8d407b86a237048c2d8ad90de9f2e3845224c624fdb96b00e86704cddd8
-
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize  380B
MD5       ec9a2fb69a379d913a4e0a953cd3b97c
SHA1      a0303ed9f787c042071a1286bba43a5bbdd0679e
SHA256    cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b
SHA512    fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6
-
memory/2808-62219-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
Filesize  9.9MB
-
memory/2808-62218-0x00000000008D0000-0x0000000000BF4000-memory.dmp
Filesize  3.1MB
-
memory/2808-62220-0x000000001B350000-0x000000001B3D0000-memory.dmp
Filesize  512KB
-
memory/2808-62228-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
Filesize  9.9MB
-
memory/2972-62226-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
Filesize  9.9MB
-
memory/2972-62227-0x0000000000980000-0x0000000000CA4000-memory.dmp
Filesize  3.1MB
-
memory/2972-62229-0x000000001AA20000-0x000000001AAA0000-memory.dmp
Filesize  512KB
-
memory/2972-62230-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
Filesize  9.9MB
-
memory/2972-62231-0x000000001AA20000-0x000000001AAA0000-memory.dmp
Filesize  512KB