Overview

overview

10

Static

static

10

Uni.exe

windows7-x64

10

Uni.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uni.exe

  • Size

    409KB

  • MD5

    7544e8e688461810abd5387160692c95

  • SHA1

    bb41e11803d0da2fb7f6e2068220ddd3faf347c7

  • SHA256

    6da2005775980d44d0a6f9d8f12d7394e8d81abf96f444a6c4da54c2376430a0

  • SHA512

    09ffe73cc108762af47e68fb9f72ab37051cda10aec048cd9cb86c65c68696622bd7e24c12b0c07ebc2e8a0620865fc9a35b2ef34d48c3d8522d57cd672ec287

  • SSDEEP

    6144:MMfPp5S6M1Xy0gmfnF8V0dguFJSSvbaU01T/yUhAd5GbdQNJ:Bpg6M1i9mfnFUEgctoLILGbdQf

Score
10/10
quasarseroxenspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

panel-slave.gl.at.ply.gg:57059

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes
  • encryption_key

    p81Z0Zy4AcToBvsDk4Li

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SeroXen

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uni.exe
    "C:\Users\Admin\AppData\Local\Temp\Uni.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4636
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3236
    • C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:3932
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3488
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      Filesize

      409KB

      MD5

      7544e8e688461810abd5387160692c95

      SHA1

      bb41e11803d0da2fb7f6e2068220ddd3faf347c7

      SHA256

      6da2005775980d44d0a6f9d8f12d7394e8d81abf96f444a6c4da54c2376430a0

      SHA512

      09ffe73cc108762af47e68fb9f72ab37051cda10aec048cd9cb86c65c68696622bd7e24c12b0c07ebc2e8a0620865fc9a35b2ef34d48c3d8522d57cd672ec287

      Download Submit
    • C:\Windows\System32\cwwwvr.exe
      Filesize

      7.2MB

      MD5

      f6d8913637f1d5d2dc846de70ce02dc5

      SHA1

      5fc9c6ab334db1f875fbc59a03f5506c478c6c3e

      SHA256

      4e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187

      SHA512

      21217a0a0eca58fc6058101aa69cf30d5dbe419c21fa7a160f44d8ebbcf5f4011203542c8f400a9bb8ee3826706417f2939c402f605817df597b7ff812b43036

      Download Submit
    • memory/1640-33-0x0000000074AF0000-0x00000000752A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1640-32-0x0000000074AF0000-0x00000000752A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1640-18-0x0000000006510000-0x000000000651A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1640-14-0x0000000074AF0000-0x00000000752A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1640-13-0x0000000074AF0000-0x00000000752A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3488-29-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-27-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-25-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-26-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-28-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-30-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-21-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-20-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-19-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3488-31-0x0000018C084D0000-0x0000018C084D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4584-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4584-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4584-16-0x0000000074AF0000-0x00000000752A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4584-7-0x0000000006290000-0x00000000062CC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4584-5-0x0000000005120000-0x0000000005186000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4584-6-0x00000000056A0000-0x00000000056B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4584-3-0x0000000005080000-0x0000000005112000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4584-2-0x0000000005760000-0x0000000005D04000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4584-1-0x00000000005D0000-0x000000000063C000-memory.dmp
      Filesize

      432KB

      Download