Overview

overview

10

Static

static

10

Powershell.exe

windows10-1703-x64

10

Powershell.exe

windows10-2004-x64

10

Powershell.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Powershell.exe

  • Size

    409KB

  • MD5

    4286aedc2a233ab74deb2670fa484866

  • SHA1

    860fdc6876a4948f5e352aa50910b9f13607c3fb

  • SHA256

    149ef8e77fbe162157f8462892235211b9f926a3454d615ad4c59e854e48ec82

  • SHA512

    fc3c7885a9f6af0a2d38375f1d256128a474a998c2359938955fff6e45d216dfa1942ccba2359b18f263219d95004b9e976524ef26c967c58cb29a7c6c93f097

  • SSDEEP

    12288:UpsD64e1MDEArEiVTqkllSmxmeN1AKXiLNk2+XRnS:ksG4kMsaGkllvxvuKyZ1N

Score
10/10
quasarseroxen | v3.1.5 |spywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes
  • encryption_key

    JCa22tR8WnO00adn2TuE

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    Powershell

  • subdirectory

    $sxr-seroxen2

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Powershell.exe
    "C:\Users\Admin\AppData\Local\Temp\Powershell.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jDfjo2BkqDba.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:920
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:3740
      • C:\Windows\SysWOW64\SCHTASKS.exe
        "SCHTASKS.exe" /create /tn "$77Powershell.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Powershell.exe'" /sc onlogon /rl HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:1600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jDfjo2BkqDba.bat
      Filesize

      267B

      MD5

      cece0cc4e9a10c2e1ab1a67ce28d8d82

      SHA1

      2004b13b3de7b563a566c1c219ff46afa3c8f4f0

      SHA256

      10e102d8bacaa39cf098c8839963301cbffd313b97b6806a56a7402783dcb62f

      SHA512

      cf44e05e7e7bafc56647c0060f313324336e72a56f880dfbadfd840d3c47b5dbb6461cfe1177f044f364b43af3e1659e2c54a2269ae8cf33c741f629f95b36aa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-29-~1
      Filesize

      224B

      MD5

      a0cacadd5e423f5acf56ee70f0f263c8

      SHA1

      df239975f219f20eaecec351998eccf344c359de

      SHA256

      edc59c584deca039ef33efcf09d561889692fd7da142c267605c182fca4264d3

      SHA512

      a3beb5f704ecd828b64fb75d4028a589c48bd81214f574161730f6376e182bf8edae18a6dfafbf13ba68ddb1c575d0cb166935a8ca6f26c36d1c10a86360cc10

      Download Submit

    • memory/2368-6-0x00000000051E0000-0x00000000051F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2368-3-0x0000000004B80000-0x0000000004C12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2368-4-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2368-5-0x0000000004C70000-0x0000000004CD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2368-0-0x000000007508E000-0x000000007508F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2368-7-0x0000000005ED0000-0x0000000005F0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2368-9-0x00000000063A0000-0x00000000063AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2368-10-0x000000007508E000-0x000000007508F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2368-11-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2368-2-0x0000000005220000-0x00000000057C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2368-17-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2368-1-0x00000000000D0000-0x000000000013C000-memory.dmp

      Filesize

      432KB

      Download