Overview

overview

10

Static

static

10

Unify.exe

windows7-x64

10

Unify.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1198s
  • max time network
    1199s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-05-2024 00:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Unify.exe

  • Size

    409KB

  • MD5

    54db32b9d5cab2c1dea1907cf4712b1d

  • SHA1

    812f28828735a92effd2187e155d9ed3f0e915b3

  • SHA256

    e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe

  • SHA512

    6a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163

  • SSDEEP

    6144:0MP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:fpiREGJ2ji9QyAhK/N6gBqJBj7yMTj

Score
10/10
quasarslavespywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

192.168.1.20:4782

localhost:4782
Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes
  • encryption_key

    hwZQsCIcvotNKosjYueb

  • install_name

    $srr-powershell.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    $srr-mstha

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Unify.exe
    "C:\Users\Admin\AppData\Local\Temp\Unify.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Unify.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2488
    • C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
      "C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2448
    • C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Unify.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Unify.exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
    Filesize

    409KB

    MD5

    54db32b9d5cab2c1dea1907cf4712b1d

    SHA1

    812f28828735a92effd2187e155d9ed3f0e915b3

    SHA256

    e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe

    SHA512

    6a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163

    Download Submit
  • memory/2460-10-0x00000000000C0000-0x000000000012C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/2460-11-0x0000000074DF0000-0x00000000754DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2460-12-0x0000000074DF0000-0x00000000754DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2460-14-0x0000000074DF0000-0x00000000754DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2664-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2664-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp
    Filesize

    432KB

    Download
  • memory/2664-2-0x0000000074DF0000-0x00000000754DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2664-13-0x0000000074DF0000-0x00000000754DE000-memory.dmp
    Filesize

    6.9MB

    Download