Analysis
max time kernel: 301s
max time network: 306s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-03-2024 22:10
Static task: static1
Behavioral task: behavioral1
Sample: TEST.bat
Resource: win7-20240221-en

General
Target: TEST.bat
Size: 5.1MB
MD5: b86f4f6866f58f646d089796996d129c
SHA1: a95b2a3ad0457286ef23353b9592755fe276671d
SHA256: f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354
SHA512: 7e5cb1bea9974bfc6da599514aa549cf5fffcf82a37bac15259d5f0b4d8f99dd2b2703db9cbb773b861e2c68fc5a0cf31e6a685fa0b4a9d979b6661aa69cb1ae
SSDEEP: 24576:gccksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8x:9SbESV0MFJnhVFHVwseHFIR4l1t
Malware Config
Extracted
family: quasar
version: 1.4.1
botnet: Slave
c2: 140.238.91.110:36305
mutex: f4720af1-0ef3-414f-b170-e837e2727049
encryption_key: 52EF528D690A6F47ED9D8BD4A80E69CBE28EDC0A
install_name: Windows.exe
log_directory: Windows Error Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures

Quasar payload (4 IoCs)
Processes:
  resource                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\x.exe                         family_quasar
  C:\Users\Admin\AppData\Local\Temp\x.exe                         family_quasar
  behavioral2/memory/224-62218-0x00000000001A0000-0x00000000004C4000-memory.dmp  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe               family_quasar

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  224   x.exe
  3948  Windows.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  2052  schtasks.exe
  4008  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  224   x.exe
  Token: SeDebugPrivilege  3948  Windows.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  3948  Windows.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process      target process
  PID 3088 wrote to memory of 940   3088  cmd.exe      findstr.exe
  PID 3088 wrote to memory of 3928  3088  cmd.exe      cscript.exe
  PID 3088 wrote to memory of 224   3088  cmd.exe      x.exe
  PID 224 wrote to memory of 2052   224   x.exe        schtasks.exe
  PID 224 wrote to memory of 3948   224   x.exe        Windows.exe
  PID 3948 wrote to memory of 4008  3948  Windows.exe  schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\findstr.exe
    command line: findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\TEST.bat"

  C:\Windows\system32\cscript.exe
    command line: cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs

  C:\Users\Admin\AppData\Local\Temp\x.exe
    command line: C:\Users\Admin\AppData\Local\Temp\x.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\schtasks.exe
        command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2284,i,2771196087253062161,8107167670425198948,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\x (4KB)
C:\Users\Admin\AppData\Local\Temp\x (4.3MB)
C:\Users\Admin\AppData\Local\Temp\x.exe (2.2MB)
C:\Users\Admin\AppData\Local\Temp\x.exe (1.4MB)
C:\Users\Admin\AppData\Local\Temp\x.vbs (380B)
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe (3.1MB)