Overview

overview

10

Static

static

10

Powershell.exe

windows10-1703-x64

10

Powershell.exe

windows10-2004-x64

10

Powershell.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    194s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-05-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Powershell.exe

  • Size

    409KB

  • MD5

    4286aedc2a233ab74deb2670fa484866

  • SHA1

    860fdc6876a4948f5e352aa50910b9f13607c3fb

  • SHA256

    149ef8e77fbe162157f8462892235211b9f926a3454d615ad4c59e854e48ec82

  • SHA512

    fc3c7885a9f6af0a2d38375f1d256128a474a998c2359938955fff6e45d216dfa1942ccba2359b18f263219d95004b9e976524ef26c967c58cb29a7c6c93f097

  • SSDEEP

    12288:UpsD64e1MDEArEiVTqkllSmxmeN1AKXiLNk2+XRnS:ksG4kMsaGkllvxvuKyZ1N

Score
10/10
quasarseroxen | v3.1.5 |spywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes
  • encryption_key

    JCa22tR8WnO00adn2TuE

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    Powershell

  • subdirectory

    $sxr-seroxen2

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Powershell.exe
    "C:\Users\Admin\AppData\Local\Temp\Powershell.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L1KUprPdALvB.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:1224
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:3872
      • C:\Windows\SysWOW64\SCHTASKS.exe
        "SCHTASKS.exe" /create /tn "$77Powershell.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Powershell.exe'" /sc onlogon /rl HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:2384

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\L1KUprPdALvB.bat
      Filesize

      267B

      MD5

      b3124f5b2d13f9d0fb0dca7b627a4886

      SHA1

      2362ef11bb5588ecc74abaf9e6c32428f5f7dfd1

      SHA256

      41a0af3d45dea4c152c599b650175692b591347a2e919d77b6d7e16cda7b617c

      SHA512

      824ae50b75f3b6d1b91cfaa92c10c6e6aede78f779d53c8e7282c4e9d9493b59392348d3bd3280017bfc14d4d47c93ee0f6b61097cf92b9c3ab07b383cd70d7b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-29-~1
      Filesize

      224B

      MD5

      cb9dc9c86d8e9d93e66515042be690ba

      SHA1

      fc5df9d77f18633a5c76883392c7f2dafb40d496

      SHA256

      2607ce9021f0c7cfe4e8714430a1a9fe37108f8d957702332813ea444ed856d5

      SHA512

      a4d343e44adea98af4f7097011837a9d58d4adf6a364708567e9fcc311dac14fc99b6e9790bca92959337f8eafcd2351db4dc90a4a47317c123a7b543a2fc401

      Download Submit
    • memory/2120-6-0x00000000066C0000-0x00000000066D2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2120-3-0x0000000005A30000-0x0000000005AC2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2120-4-0x0000000074EF0000-0x00000000756A1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2120-5-0x00000000059A0000-0x0000000005A06000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2120-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2120-7-0x0000000006C10000-0x0000000006C4C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2120-9-0x00000000070D0000-0x00000000070DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2120-10-0x0000000074EFE000-0x0000000074EFF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2120-11-0x0000000074EF0000-0x00000000756A1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2120-2-0x0000000005FE0000-0x0000000006586000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2120-17-0x0000000074EF0000-0x00000000756A1000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2120-1-0x0000000000E80000-0x0000000000EEC000-memory.dmp
      Filesize

      432KB

      Download