Analysis
- max time kernel: 163s
- max time network: 178s
- platform: windows10-1703_x64
- resource: win10-20240319-en
- resource tags: arch:x64, arch:x86, image:win10-20240319-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-04-2024 15:37
- Static task: static1
General
- Target: UzpnR6.exe
- Size: 1.2MB
- MD5: 75c50dbf2c70ea6ca170513f77168f58
- SHA1: 512cc32329eaa9fcd4c6e507ef2a26823a06f1ac
- SHA256: ffcedb5228f316086a811d910fb0e423ef4d16878369b64808a44ccc8f23ae26
- SHA512: 63eb2eb4f531ba9a3f4ac857e3aabef5cea925a04dbaa7010c2418bcafd0948e77cce3426b8ffb30d860e5e17add310ea6189a23ab180b36147bec193254d457
- SSDEEP: 24576:7o/ynHkLXGxxGApcTVcIWcRf+r31bfd+v3A0IOhb:7atGxg+cZP32zJVkA0Isb
Malware Config (extracted)
- family: quasar
- version: 1.4.1
- Office04
- us1.localto.net:38905
- abf2fea6-bc08-449e-9ce0-142ecb0a54c5
- encryption_key: 93B883D530A44E5A4457CCB3F463B613FCE53505
- install_name: Google.exe.exe
- log_directory: Log
- reconnect_delay: 3000
- startup_key: AntimaIware Core Service
- subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
- yara_rule family_quasar: C:\Users\Admin\AppData\Local\Temp\Client-built.exe
- yara_rule family_quasar: behavioral1/memory/4392-63-0x00000000004B0000-0x00000000007D4000-memory.dmp
Executes dropped EXE (2 IoCs)
- PID 4392 Client-built.exe
- PID 4548 Google.exe.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow ioc 1: ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4716 schtasks.exe
- PID 4772 schtasks.exe
Modifies data under HKEY_USERS (15 IoCs)
All entries by LogonUI.exe:
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 1916 powershell.exe (3 events)
Suspicious use of AdjustPrivilegeToken (27 IoCs)
- PID 4740 UzpnR6.exe: SeDebugPrivilege
- PID 1916 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 4392 Client-built.exe: SeDebugPrivilege
- PID 4548 Google.exe.exe: SeDebugPrivilege
- PID 3336 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
Suspicious use of FindShellTrayWindow (5 IoCs)
- PID 4548 Google.exe.exe (5 events)
Suspicious use of SendNotifyMessage (5 IoCs)
- PID 4548 Google.exe.exe (5 events)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 4548 Google.exe.exe
- PID 4400 LogonUI.exe
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 4740 UzpnR6.exe wrote to memory of 1916 powershell.exe
- PID 4740 UzpnR6.exe wrote to memory of 1916 powershell.exe
- PID 4740 UzpnR6.exe wrote to memory of 4392 Client-built.exe
- PID 4740 UzpnR6.exe wrote to memory of 4392 Client-built.exe
- PID 4740 UzpnR6.exe wrote to memory of 4416 cmd.exe
- PID 4740 UzpnR6.exe wrote to memory of 4416 cmd.exe
- PID 4416 cmd.exe wrote to memory of 3392 reg.exe
- PID 4416 cmd.exe wrote to memory of 3392 reg.exe
- PID 4392 Client-built.exe wrote to memory of 4716 schtasks.exe
- PID 4392 Client-built.exe wrote to memory of 4716 schtasks.exe
- PID 4392 Client-built.exe wrote to memory of 4548 Google.exe.exe
- PID 4392 Client-built.exe wrote to memory of 4548 Google.exe.exe
- PID 4548 Google.exe.exe wrote to memory of 4772 schtasks.exe
- PID 4548 Google.exe.exe wrote to memory of 4772 schtasks.exe
- PID 4548 Google.exe.exe wrote to memory of 3336 shutdown.exe
- PID 4548 Google.exe.exe wrote to memory of 3336 shutdown.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe (PID 4740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\UzpnR6.exe"
  Flags: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1916)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'
    Flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 4392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    Flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 4716)
      Command line: "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
      Flags: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe (PID 4548)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"
      Flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4772)
        Command line: "schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f
        Flags: Creates scheduled task(s)
      - C:\Windows\System32\shutdown.exe (PID 3336)
        Command line: "C:\Windows\System32\shutdown.exe" /s /t 0
        Flags: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4416)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DisableAV.bat" "
    Flags: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 3392)
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
- C:\Windows\system32\LogonUI.exe (PID 4400)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d
  Flags: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Downloads
- Filesize: 3.1MB
- Filesize: 119B
- Filesize: 1B