Overview

overview

10

Static

static

10

Uni.exe

windows11-21h2-x64

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-05-2024 10:08

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Uni.exe

  • Size

    409KB

  • MD5

    4c2bb0618a6eda615c8001d5a7ccd6c0

  • SHA1

    c88d2c8bfc5906a5cfef78893d1132edcffd71f0

  • SHA256

    abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

  • SHA512

    6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

  • SSDEEP

    12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO

Score
10/10
quasarseroxenevasionpersistenceransomwarespywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes
  • encryption_key

    Pw78RUs175dFrKD7lMwH

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SeroXen

  • subdirectory

    SubDir

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 3 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uni.exe
    "C:\Users\Admin\AppData\Local\Temp\Uni.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3788
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2596
      • C:\Users\Admin\AppData\Local\Temp\g0KrMbdTGQpD.exe
        "C:\Users\Admin\AppData\Local\Temp\g0KrMbdTGQpD.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Modifies WinLogon
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • System policy modification
        PID:1376
    • C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4464
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffea7b13cb8,0x7ffea7b13cc8,0x7ffea7b13cd8
      2⤵
        PID:4060
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,4077836128147832941,15937492244154143175,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
        2⤵
          PID:1628
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,4077836128147832941,15937492244154143175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1468
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,4077836128147832941,15937492244154143175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
          2⤵
            PID:3272
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4077836128147832941,15937492244154143175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
            2⤵
              PID:3884
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4077836128147832941,15937492244154143175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
              2⤵
                PID:1544
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:5104
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:1552
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d
                  1⤵
                  • Modifies data under HKEY_USERS
                  • Suspicious use of SetWindowsHookEx
                  PID:2828

                Network

                MITRE ATT&CK Matrix ATT&CK v13

                Initial Access

                Execution

                Scheduled Task/Job

                1
                T1053

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Winlogon Helper DLL

                2
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Privilege Escalation

                Boot or Logon Autostart Execution

                2
                T1547

                Winlogon Helper DLL

                2
                T1547.004

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Scheduled Task/Job

                1
                T1053

                Defense Evasion

                Modify Registry

                5
                T1112

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Impair Defenses

                1
                T1562

                Disable or Modify Tools

                1
                T1562.001

                Credential Access

                Discovery

                System Information Discovery

                2
                T1082

                Query Registry

                1
                T1012

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Defacement

                1
                T1491

                Resource Development

                Reconnaissance

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                  Filesize

                  152B

                  MD5

                  0c705388d79c00418e5c1751159353e3

                  SHA1

                  aaeafebce5483626ef82813d286511c1f353f861

                  SHA256

                  697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

                  SHA512

                  c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                  Filesize

                  152B

                  MD5

                  0d84d1490aa9f725b68407eab8f0030e

                  SHA1

                  83964574467b7422e160af34ef024d1821d6d1c3

                  SHA256

                  40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

                  SHA512

                  f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3824b58b-4250-462b-b693-073d2432e4c6.tmp
                  Filesize

                  5KB

                  MD5

                  4db93097cc39704a29a75ff8b4f3f2e7

                  SHA1

                  5d1501aeff4c590039d96373c4cb1f414c057506

                  SHA256

                  b6702fdd98ad6179c8b79aabdf268e7f9dfef9a930aeb64944d7b43d048c4fdf

                  SHA512

                  c197ad1fbf393adf170b7d44a536ae20a1b5a4c093f9572e7571ab1897c2bf13ce095098e66f65357b3ad06f45d67f39553f8f1b45822e2fde92fe6cfbd7eb23

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                  Filesize

                  5KB

                  MD5

                  cc91bc2d4bb68c068308c31bf03ac4f5

                  SHA1

                  2a18115b1d168e58308ba6feae6b0422b55f9e81

                  SHA256

                  92895dcba333b7ce2afe32b2880935195c85faee70e8566f63cac827b3f8fd0e

                  SHA512

                  123f09515cdad9aa47561c360ad9da1e64d33ba08d57f92ee44e8933d7a7b990cc4c1ff4c16d28798f1d6559e818c038334b47b5b8a32bcfdd8ce36b979adf52

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                  Filesize

                  11KB

                  MD5

                  91e9b7b192b42407b80951509ead33b7

                  SHA1

                  5067bbe5c8eac5e61977366608172f07deb3d20c

                  SHA256

                  093874ce67f8945bdf26381856502fe494107bc4b38c38d7defd01bbb36c2014

                  SHA512

                  099b66876a0149be2792f8304cfa79d64fa448a196be0e8707ff284dbfb64833bed67f25c310e708bac6eddf6e4a5e824fa6c15081b9709a36aaeb20fd7621c4

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                  Filesize

                  264KB

                  MD5

                  f50f89a0a91564d0b8a211f8921aa7de

                  SHA1

                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                  SHA256

                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                  SHA512

                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\g0KrMbdTGQpD.exe
                  Filesize

                  319KB

                  MD5

                  7a1f2b993b091d9ed52fd2e94d41fe3b

                  SHA1

                  c040206b382522cb45fab7d08fad6106733e6635

                  SHA256

                  961238fafa291a25f551ff81737c0144ad647bd83ef1abfe60b1ce8150c8cadb

                  SHA512

                  e9b2b618bc71dcdb90e99992e198aeb6c626fe331028e4fcd4843257ec9a33ebce98bb7878c3ea79dc596eee92b4e17545505ab24ef25cb9c7df6053b4682309

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\g0KrMbdTGQpD.exe
                  Filesize

                  666KB

                  MD5

                  989ae3d195203b323aa2b3adf04e9833

                  SHA1

                  31a45521bc672abcf64e50284ca5d4e6b3687dc8

                  SHA256

                  d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

                  SHA512

                  e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  Filesize

                  409KB

                  MD5

                  4c2bb0618a6eda615c8001d5a7ccd6c0

                  SHA1

                  c88d2c8bfc5906a5cfef78893d1132edcffd71f0

                  SHA256

                  abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

                  SHA512

                  6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

                  Download Submit
                • C:\Users\Public\Desktop\ᄽ⦬ⷉṔ⿑⤅⧪⎘⤸ໞك₂᜾┡➄ਁᐎᘾހḣಹ
                  Filesize

                  666B

                  MD5

                  e49f0a8effa6380b4518a8064f6d240b

                  SHA1

                  ba62ffe370e186b7f980922067ac68613521bd51

                  SHA256

                  8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

                  SHA512

                  de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

                  Download Submit
                • \??\pipe\LOCAL\crashpad_1348_AGMUKPCNJOGBSSZY
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  Download Submit
                • memory/1376-122-0x0000000000400000-0x00000000005CC000-memory.dmp
                  Filesize

                  1.8MB

                  Download
                • memory/1376-299-0x0000000000400000-0x00000000005CC000-memory.dmp
                  Filesize

                  1.8MB

                  Download
                • memory/1836-7-0x00000000063A0000-0x00000000063DC000-memory.dmp
                  Filesize

                  240KB

                  Download
                • memory/1836-0-0x000000007480E000-0x000000007480F000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1836-1-0x0000000000620000-0x000000000068C000-memory.dmp
                  Filesize

                  432KB

                  Download
                • memory/1836-2-0x0000000005720000-0x0000000005CC6000-memory.dmp
                  Filesize

                  5.6MB

                  Download
                • memory/1836-16-0x0000000074800000-0x0000000074FB1000-memory.dmp
                  Filesize

                  7.7MB

                  Download
                • memory/1836-3-0x0000000005170000-0x0000000005202000-memory.dmp
                  Filesize

                  584KB

                  Download
                • memory/1836-4-0x0000000074800000-0x0000000074FB1000-memory.dmp
                  Filesize

                  7.7MB

                  Download
                • memory/1836-5-0x0000000005210000-0x0000000005276000-memory.dmp
                  Filesize

                  408KB

                  Download
                • memory/1836-6-0x00000000056C0000-0x00000000056D2000-memory.dmp
                  Filesize

                  72KB

                  Download
                • memory/3168-20-0x0000000074800000-0x0000000074FB1000-memory.dmp
                  Filesize

                  7.7MB

                  Download
                • memory/3168-13-0x0000000074800000-0x0000000074FB1000-memory.dmp
                  Filesize

                  7.7MB

                  Download
                • memory/3168-14-0x0000000074800000-0x0000000074FB1000-memory.dmp
                  Filesize

                  7.7MB

                  Download
                • memory/3168-18-0x0000000006700000-0x000000000670A000-memory.dmp
                  Filesize

                  40KB

                  Download
                • memory/3168-19-0x0000000074800000-0x0000000074FB1000-memory.dmp
                  Filesize

                  7.7MB

                  Download
                • memory/3168-300-0x0000000074800000-0x0000000074FB1000-memory.dmp
                  Filesize

                  7.7MB

                  Download