Analysis

max time kernel: 157s
max time network: 159s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18-05-2024 10:02

Errors

General

Target: Uni.exe
Size: 409KB
MD5: 4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1: c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256: abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512: 6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP: 12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO
Malware Config

Extracted

Family: quasar
Version: 3.1.5
Botnet: SeroXen
C2: tue-jake.gl.at.ply.gg:29058
Mutex: $Sxr-xPAuDxLNyBmZ7S2WLJ
Attributes:
  encryption_key: Pw78RUs175dFrKD7lMwH
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: SeroXen
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2860-1-0x00000000006C0000-0x000000000072C000-memory.dmp    family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                              family_quasar

Executes dropped EXE (3 IoCs)
Processes:
  pid    process
  2132   Client.exe
  1424   XEwSIyWfdT7m.exe
  864    dYOI9WYmiFsV.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  1      ip-api.com

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                    ioc                   process
  File opened for modification   \??\PhysicalDrive0    dYOI9WYmiFsV.exe

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid    process
  1892   schtasks.exe
  1420   SCHTASKS.exe
  2188   schtasks.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description                          pid    process
  Token: SeDebugPrivilege              2860   Uni.exe
  Token: SeDebugPrivilege              2132   Client.exe
  Token: 33                            4632   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    4632   AUDIODG.EXE
  Token: SeShutdownPrivilege           864    dYOI9WYmiFsV.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid    process
  2132   Client.exe
  1424   XEwSIyWfdT7m.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                         pid    process       target process
  PID 2860 wrote to memory of 1892    2860   Uni.exe       schtasks.exe
  PID 2860 wrote to memory of 1892    2860   Uni.exe       schtasks.exe
  PID 2860 wrote to memory of 1892    2860   Uni.exe       schtasks.exe
  PID 2860 wrote to memory of 2132    2860   Uni.exe       Client.exe
  PID 2860 wrote to memory of 2132    2860   Uni.exe       Client.exe
  PID 2860 wrote to memory of 2132    2860   Uni.exe       Client.exe
  PID 2860 wrote to memory of 1420    2860   Uni.exe       SCHTASKS.exe
  PID 2860 wrote to memory of 1420    2860   Uni.exe       SCHTASKS.exe
  PID 2860 wrote to memory of 1420    2860   Uni.exe       SCHTASKS.exe
  PID 2132 wrote to memory of 2188    2132   Client.exe    schtasks.exe
  PID 2132 wrote to memory of 2188    2132   Client.exe    schtasks.exe
  PID 2132 wrote to memory of 2188    2132   Client.exe    schtasks.exe
  PID 2132 wrote to memory of 1424    2132   Client.exe    XEwSIyWfdT7m.exe
  PID 2132 wrote to memory of 1424    2132   Client.exe    XEwSIyWfdT7m.exe
  PID 2132 wrote to memory of 1424    2132   Client.exe    XEwSIyWfdT7m.exe
  PID 2132 wrote to memory of 864     2132   Client.exe    dYOI9WYmiFsV.exe
  PID 2132 wrote to memory of 864     2132   Client.exe    dYOI9WYmiFsV.exe
  PID 2132 wrote to memory of 864     2132   Client.exe    dYOI9WYmiFsV.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Uni.exe
  "C:\Users\Admin\AppData\Local\Temp\Uni.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2860

  C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 1892

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2132

    C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 2188

    C:\Users\Admin\AppData\Local\Temp\XEwSIyWfdT7m.exe
      "C:\Users\Admin\AppData\Local\Temp\XEwSIyWfdT7m.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID: 1424

    C:\Users\Admin\AppData\Local\Temp\dYOI9WYmiFsV.exe
      "C:\Users\Admin\AppData\Local\Temp\dYOI9WYmiFsV.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
      PID: 864

  C:\Windows\SysWOW64\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
    - Creates scheduled task(s)
    PID: 1420

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
  - Suspicious use of AdjustPrivilegeToken
  PID: 4632
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\XEwSIyWfdT7m.exe
  Filesize: 276KB
  MD5: 120f3a38b2f4eb0f800ebe47ffa5e76b
  SHA1: bed5148cc6a53e12a86ed635bb79135a568edd78
  SHA256: 3a195d762fd1e2f7f93eb4cbcef8fa9b600a6f94fc43b1c1c157b2c5e069154f
  SHA512: 60e66274203624afa422578d9807b21cbcc99de855dd665aa54753c957886677e358a2579ade098970c7ea3f9c3f2476c9e028fdabaac6ee991f09093fa52aff

C:\Users\Admin\AppData\Local\Temp\dYOI9WYmiFsV.exe
  Filesize: 225KB
  MD5: af2379cc4d607a45ac44d62135fb7015
  SHA1: 39b6d40906c7f7f080e6befa93324dddadcbd9fa
  SHA256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
  SHA512: 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 409KB
  MD5: 4c2bb0618a6eda615c8001d5a7ccd6c0
  SHA1: c88d2c8bfc5906a5cfef78893d1132edcffd71f0
  SHA256: abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
  SHA512: 6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

memory/2132-18-0x0000000006A90000-0x0000000006A9A000-memory.dmp
  Filesize: 40KB

memory/2132-19-0x0000000074B80000-0x0000000075331000-memory.dmp
  Filesize: 7.7MB

memory/2132-20-0x0000000074B80000-0x0000000075331000-memory.dmp
  Filesize: 7.7MB

memory/2132-14-0x0000000074B80000-0x0000000075331000-memory.dmp
  Filesize: 7.7MB

memory/2132-13-0x0000000074B80000-0x0000000075331000-memory.dmp
  Filesize: 7.7MB

memory/2860-3-0x0000000005250000-0x00000000052E2000-memory.dmp
  Filesize: 584KB

memory/2860-7-0x0000000006440000-0x000000000647C000-memory.dmp
  Filesize: 240KB

memory/2860-6-0x0000000005F10000-0x0000000005F22000-memory.dmp
  Filesize: 72KB

memory/2860-16-0x0000000074B80000-0x0000000075331000-memory.dmp
  Filesize: 7.7MB

memory/2860-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
  Filesize: 4KB

memory/2860-4-0x0000000074B80000-0x0000000075331000-memory.dmp
  Filesize: 7.7MB

memory/2860-5-0x00000000052F0000-0x0000000005356000-memory.dmp
  Filesize: 408KB

memory/2860-2-0x0000000005800000-0x0000000005DA6000-memory.dmp
  Filesize: 5.6MB

memory/2860-1-0x00000000006C0000-0x000000000072C000-memory.dmp
  Filesize: 432KB