Analysis
-
max time kernel
56s -
max time network
61s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-03-2024 09:47
Static task
static1
Behavioral task
behavioral1
Sample
Uni.bat
Resource
win7-20240221-en
General
-
Target
Uni.bat
-
Size
5.1MB
-
MD5
23437e2baad94ab4255396007b06b3eb
-
SHA1
ebd04f77aa36f67a48e855601e31424b4547228d
-
SHA256
376ecc6bbf3db6782f5548c1d58c5c1a72146f684f395fa6e40253db10834546
-
SHA512
5d888ba40f8c63a1e8e18f8c152d5ed6aca400455982ee615712dff80ba4fbe719c86c6b7a44227275548cbff75cc23326902b9b2c9c4fa8e9ccb26c89f83589
-
SSDEEP
24576:bQcksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8V:kSbESV0MFJnGRfrnQwsxZLHC
Malware Config
Extracted
Family quasar
Version 1.4.1
Botnet Slave
C2 140.238.91.110:34353
Mutex 25ab9d56-6ef2-47d3-99aa-2142fbcd41fa
-
encryption_key
8E710985199C6BF86CCE90DA92448A36E2F45F51
-
install_name
XWormV5.6.exe
-
log_directory
WindowsUPDLogs
-
reconnect_delay
3000
-
startup_key
Windows BIOS Update Checker
-
subdirectory
SubDir
Signatures
-
Quasar payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe | family_quasar
behavioral2/memory/1952-62208-0x00000000008F0000-0x0000000000C14000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\XWormV5.6.exe | family_quasar
C:\Windows\System32\SubDir\XWormV5.6.exe | family_quasar
-
Executes dropped EXE 2 IoCs
Processes: x.exe, XWormV5.6.exe
pid | process
1952 | x.exe
812 | XWormV5.6.exe
-
Drops file in System32 directory 5 IoCs
Processes: x.exe, XWormV5.6.exe
description | ioc | process
File created | C:\Windows\system32\SubDir\XWormV5.6.exe | x.exe
File opened for modification | C:\Windows\system32\SubDir\XWormV5.6.exe | x.exe
File opened for modification | C:\Windows\system32\SubDir | x.exe
File opened for modification | C:\Windows\system32\SubDir\XWormV5.6.exe | XWormV5.6.exe
File opened for modification | C:\Windows\system32\SubDir | XWormV5.6.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
2452 | schtasks.exe
2712 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: x.exe, XWormV5.6.exe
description | pid | process
Token: SeDebugPrivilege | 1952 | x.exe
Token: SeDebugPrivilege | 812 | XWormV5.6.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: XWormV5.6.exe
pid | process
812 | XWormV5.6.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes: XWormV5.6.exe
pid | process
812 | XWormV5.6.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: XWormV5.6.exe
pid | process
812 | XWormV5.6.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: cmd.exe, x.exe, XWormV5.6.exe
description | pid | process | target process
PID 2140 wrote to memory of 232 | 2140 | cmd.exe | findstr.exe
PID 2140 wrote to memory of 232 | 2140 | cmd.exe | findstr.exe
PID 2140 wrote to memory of 3944 | 2140 | cmd.exe | cscript.exe
PID 2140 wrote to memory of 3944 | 2140 | cmd.exe | cscript.exe
PID 2140 wrote to memory of 1952 | 2140 | cmd.exe | x.exe
PID 2140 wrote to memory of 1952 | 2140 | cmd.exe | x.exe
PID 1952 wrote to memory of 2452 | 1952 | x.exe | schtasks.exe
PID 1952 wrote to memory of 2452 | 1952 | x.exe | schtasks.exe
PID 1952 wrote to memory of 812 | 1952 | x.exe | XWormV5.6.exe
PID 1952 wrote to memory of 812 | 1952 | x.exe | XWormV5.6.exe
PID 812 wrote to memory of 2712 | 812 | XWormV5.6.exe | schtasks.exe
PID 812 wrote to memory of 2712 | 812 | XWormV5.6.exe | schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; depth in parentheses, PIDs taken from the signature tables above)
-
C:\Windows\system32\cmd.exe (depth 1, PID 2140)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\findstr.exe (depth 2, PID 232)
  Command line: findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
-
  C:\Windows\system32\cscript.exe (depth 2, PID 3944)
  Command line: cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
-
  C:\Users\Admin\AppData\Local\Temp\x.exe (depth 2, PID 1952)
  Command line: C:\Users\Admin\AppData\Local\Temp\x.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SYSTEM32\schtasks.exe (depth 3, PID 2452)
    Command line: "schtasks" /create /tn "Windows BIOS Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\XWormV5.6.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
-
    C:\Windows\system32\SubDir\XWormV5.6.exe (depth 3, PID 812)
    Command line: "C:\Windows\system32\SubDir\XWormV5.6.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 2712)
      Command line: "schtasks" /create /tn "Windows BIOS Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\XWormV5.6.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\x
Filesize 4KB
MD5 a16f11638f1aad5f339a5129c0f407cd
SHA1 d8b6055ae08fd9fbdf6efdde25391c9164b88b15
SHA256 63d54bc2b3958b6184f7d9e4d780e276183593a521d60d2f738e71e2d11bae7a
SHA512 243129c71b8486d1279c6211ff8111d697499fbe652d93d4bca011293e2b577b04208e09a363b5b7536c95374a6b546e5a37eaab1f57eaf3209845952eaf3038
-
C:\Users\Admin\AppData\Local\Temp\x
Filesize 4.3MB
MD5 848c6d6f65ac42b89055971976dfe98f
SHA1 211d463ca045db51309314d4906e2a59ea147453
SHA256 3020c206af299dbc458bc379a1a6d5d3ae8af43ce10a13a94c78d871dc1ce9ca
SHA512 ad3e62693f18a3dcc0ced9bea820246544789f42296b1178b17eeb490e40311487f10fed590f48b6fc7ed0d6f6cc7c585b9a18d8bf4437240fd5310faefc6fb6
-
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize 3.1MB
MD5 a64821e6d15cdc5f778e2d75a843a988
SHA1 653c50d75df7da8035bbbdb45a6744f007846f98
SHA256 c89e271601f509d5ab240913749a9bf28523dce349f13c59e648877d7a80b1b3
SHA512 b29df36bf61c5926bf7fb881e706400f4ac830287a6a1af5102497c474c4664dc9573aa2cc5a55a0a67bf8bc473b0924cc515ed605304e815d95437e6912ab60
-
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize 380B
MD5 ec9a2fb69a379d913a4e0a953cd3b97c
SHA1 a0303ed9f787c042071a1286bba43a5bbdd0679e
SHA256 cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b
SHA512 fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6
-
C:\Windows\System32\SubDir\XWormV5.6.exe
Filesize 2.1MB
MD5 6dff7fd4f566748222ef14412a2d94cd
SHA1 7aa691ad4f15c20501a4368121b50ad15353e050
SHA256 9a46acae8bb041ccf05bbecf79a1ecd3ea24edd769c797109661b68f21a955fd
SHA512 ba91de2ed04ae518ab082d580594e5b7751aabc045ce71dac254079bda041bbbd357db9a1bd8eb7e5845d3c7c580e0fe9e9ea5700c0ca8bf60ad6308cd5ad3b1
-
C:\Windows\System32\SubDir\XWormV5.6.exe
Filesize 2.2MB
MD5 c37a0d1d5cb81a37db5630ef7eaf0f60
SHA1 f94dead70b982f57c0d221dd645388eacb964693
SHA256 76db7d6b3b9865186e7ff599f43cb723985629b7146b62baee0426c297a1d9e7
SHA512 f62ccb50e603894f8f81e7a87e7f62d8293e163cd1209d0d864aec33e3bf5ed4ef6f5cdabfd3b14280685ab6ae07416989f537a1f0d1007f41ad0059e23cb3de
-
memory/812-62218-0x00007FFF25540000-0x00007FFF26001000-memory.dmp
Filesize 10.8MB
-
memory/812-62221-0x000000001BDF0000-0x000000001BEA2000-memory.dmp
Filesize 712KB
-
memory/812-62220-0x000000001BCE0000-0x000000001BD30000-memory.dmp
Filesize 320KB
-
memory/812-62219-0x00000000026C0000-0x00000000026D0000-memory.dmp
Filesize 64KB
-
memory/1952-62210-0x0000000002C10000-0x0000000002C20000-memory.dmp
Filesize 64KB
-
memory/1952-62217-0x00007FFF25540000-0x00007FFF26001000-memory.dmp
Filesize 10.8MB
-
memory/1952-62209-0x00007FFF25540000-0x00007FFF26001000-memory.dmp
Filesize 10.8MB
-
memory/1952-62208-0x00000000008F0000-0x0000000000C14000-memory.dmp
Filesize 3.1MB