Overview

overview

10

Static

static

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...2).exe

windows7-x64

10

uni/Uni - ...2).exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

uni/Uni - ...py.exe

windows7-x64

10

uni/Uni - ...py.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    290s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uni/Uni - Copy (10) - Copy.exe

  • Size

    409KB

  • MD5

    b70fdac25a99501e3cae11f1b775249e

  • SHA1

    3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

  • SHA256

    51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

  • SHA512

    43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

  • SSDEEP

    12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score
10/10
quasarseroxenspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892
Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes
  • encryption_key

    Lme7VBS3l58VwLM69PNM

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SeroXen

  • subdirectory

    SubDir

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
      2⤵
      • Quasar RAT
      • Creates scheduled task(s)
      PID:4160
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4172
      • C:\Users\Admin\AppData\Local\Temp\6c4RKKGEF7P4.exe
        "C:\Users\Admin\AppData\Local\Temp\6c4RKKGEF7P4.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3944
      • C:\Windows\SysWOW64\SCHTASKS.exe
        "SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:216
    • C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:5020
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4a8 0x414
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4940
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:596
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
      PID:2396
    • C:\Program Files\Mozilla Firefox\private_browsing.exe
      "C:\Program Files\Mozilla Firefox\private_browsing.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
          3⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.0.743247754\2063179527" -parentBuildID 20230214051806 -prefsHandle 1680 -prefMapHandle 1676 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d577ea9-33b4-4a15-b2ad-3554cb4b5666} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 1868 2263050ec58 gpu
            4⤵
              PID:2004
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.1.1242925681\371722669" -parentBuildID 20230214051806 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e77ab6-c130-40ec-b418-0349ea4469f1} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 2484 22623686558 socket
              4⤵
                PID:2540
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.2.978100840\1069942235" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2948 -prefsLen 22927 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa31bbf-4424-4408-8ee4-ac87867326d9} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3188 22632c45558 tab
                4⤵
                  PID:2172
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.3.1362306748\13794294" -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 27578 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7766d7c-de0a-44bc-9c9c-00adfcf6245a} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3876 2263498ce58 tab
                  4⤵
                    PID:4232
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.4.330511102\1139169905" -childID 3 -isForBrowser -prefsHandle 4992 -prefMapHandle 5004 -prefsLen 27715 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0e79395-dd34-4123-9588-bdb6891aa15c} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 5124 22636317258 tab
                    4⤵
                      PID:5600
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.5.1594302934\1597582374" -childID 4 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 27715 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f3752a6-764f-49a2-9991-3ed1e9aed1b2} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 5256 226365eb858 tab
                      4⤵
                        PID:5608
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.6.2054328669\2028634819" -childID 5 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 27715 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99a95959-6207-4388-bba2-8117ef5f6998} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 5448 2263697b258 tab
                        4⤵
                          PID:5620
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
                    1⤵
                      PID:5452

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Initial Access

                    Execution

                    Scheduled Task/Job

                    1
                    T1053

                    Persistence

                    Scheduled Task/Job

                    1
                    T1053

                    Privilege Escalation

                    Scheduled Task/Job

                    1
                    T1053

                    Defense Evasion

                    Credential Access

                    Discovery

                    Query Registry

                    2
                    T1012

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Resource Development

                    Reconnaissance

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      27KB

                      MD5

                      81d993f5bbc80a0585d74e29beccc523

                      SHA1

                      0e2dd7c98d85c1da6f4723284ab977429b793893

                      SHA256

                      62df362c310632b268566c17fa7e377d7d88337777cbceeb78c9a9bdb76f9df0

                      SHA512

                      705e312676d94a82b3d9e74e676f2534f3fa5113633c8195a7c226f2e2bec39fce0bccee74bf2cd9567dd5a2b0bc99a5d4f2bed4c8bc56db359f7702bca0077c

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\6c4RKKGEF7P4.exe
                      Filesize

                      277KB

                      MD5

                      dac0c5b2380cbdd93b46763427c9f8df

                      SHA1

                      038089e1a0ac8375be797fc3ce7ae719abc72834

                      SHA256

                      d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

                      SHA512

                      05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      8d2f413e295d475bf9ccd5e0cbd309dd

                      SHA1

                      d9784486ef90d2118d0ec294ce114eda0cd86c64

                      SHA256

                      e2fd66d95a830d04a78c3360b8411c74b0c724bb6c3bba5a4f8363af92845557

                      SHA512

                      ae665c5f1f4c8fc3ea4ad4dd10a2497acc7da10ccb384b1dc77d055a659b3e4ed373fa01b69191303d5a4b0b70b291ddc13adecd591fc6a267e48e8d486873c9

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      b94f4f1c46c458edf62cd955268c8151

                      SHA1

                      5486c9adcb37098319a913b961e89b9de69eb5cf

                      SHA256

                      49b9cec9323fb0feadc3c305e3ed360355321f38fdfdfc5823dea2a4544aaa8b

                      SHA512

                      9e719a1a17dc06e46a759ae88d3236f5ed59ad9c2815366bcf3a5490ed9bfb7c8f2cc9fc929b13dd2dde8032f5f52b020b39d6d7050c9edaca826e90fad40890

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      75ae4670d46b02b6675bbf29b26300ae

                      SHA1

                      d72832bdde569fa8f73e7311eefb9ad46e834964

                      SHA256

                      db743237d63a05d923ac4ec63278a725a0093e4e43a74ed50502ce41de1ade44

                      SHA512

                      af167fb835fcedd2c91222eb94bba126b3d5cd9d49585149d0a78abdf85d5f5812d7a5184ddca153e11514a7932c318cdb64c6709288c6ed34561b410369296f

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      987B

                      MD5

                      1df7ceddf3c71f528f9b6745bf3fc7aa

                      SHA1

                      c49c0de9bf4ad2232d9fee90053213adb6b1e93a

                      SHA256

                      6a6d991946d62724e28c63a1a7d86da10c545309f366dd4e63243b315e1ebe7a

                      SHA512

                      96336b21d6504a57126595ca316778a0ce691f6a79a4bb4ed23b32ade4b893d0d6b92ec1d47ece0f826b9280050fdf0265c42258abef4b3987f3c9a19ad80b31

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                      Filesize

                      409KB

                      MD5

                      b70fdac25a99501e3cae11f1b775249e

                      SHA1

                      3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

                      SHA256

                      51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

                      SHA512

                      43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

                      Download Submit
                    • memory/2888-5-0x00000000058D0000-0x0000000005936000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/2888-6-0x00000000065E0000-0x00000000065F2000-memory.dmp
                      Filesize

                      72KB

                      Download
                    • memory/2888-1-0x0000000000E90000-0x0000000000EFC000-memory.dmp
                      Filesize

                      432KB

                      Download
                    • memory/2888-15-0x0000000074A60000-0x0000000075210000-memory.dmp
                      Filesize

                      7.7MB

                      Download
                    • memory/2888-2-0x0000000005F10000-0x00000000064B4000-memory.dmp
                      Filesize

                      5.6MB

                      Download
                    • memory/2888-3-0x0000000005960000-0x00000000059F2000-memory.dmp
                      Filesize

                      584KB

                      Download
                    • memory/2888-4-0x0000000074A60000-0x0000000075210000-memory.dmp
                      Filesize

                      7.7MB

                      Download
                    • memory/2888-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/4736-17-0x0000000006FB0000-0x0000000006FBA000-memory.dmp
                      Filesize

                      40KB

                      Download
                    • memory/4736-30-0x0000000074A60000-0x0000000075210000-memory.dmp
                      Filesize

                      7.7MB

                      Download
                    • memory/4736-20-0x0000000074A60000-0x0000000075210000-memory.dmp
                      Filesize

                      7.7MB

                      Download
                    • memory/4736-19-0x0000000074A60000-0x0000000075210000-memory.dmp
                      Filesize

                      7.7MB

                      Download
                    • memory/4736-18-0x0000000006950000-0x000000000698C000-memory.dmp
                      Filesize

                      240KB

                      Download
                    • memory/4736-12-0x0000000074A60000-0x0000000075210000-memory.dmp
                      Filesize

                      7.7MB

                      Download
                    • memory/4736-13-0x0000000074A60000-0x0000000075210000-memory.dmp
                      Filesize

                      7.7MB

                      Download