Analysis

  • max time kernel
    136s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-12-2024 17:29

General

  • Target

    Unborn Loader.exe

  • Size

    932KB

  • MD5

    b09fc8269f897d7f94bd58ef20f42545

  • SHA1

    b10fb06fb53767676a83ea0f65678b4fbd90cd1b

  • SHA256

    6ad82006952f9fc912bdd3a767492098cc2ab7ffa7f2cdbc7114bd77a50f4c4c

  • SHA512

    c88db52dfbe8afcc0d79a77cb1cf71e03f4b1a432782c93ea21259bc62bea2018c5372da110eb9c1eae853fafcb714911b6d90b634565012236ce810c1cb308a

  • SSDEEP

    24576:zI9Y4Mb7AL/JCd1Cnw7u36GMiyr745v/gY:zI9RMgL/senNJWr745vP

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fontdrvhost

C2

vaxlet.duckdns.org:1852

Mutex

afa818a3-1965-4b44-bd1c-c136b77dd6c2

Attributes
  • encryption_key

    72F1D1477892633326199B903D992BF6D42C80FC

  • install_name

    fontdrvhost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    fontdrvhost

  • subdirectory

    Driver

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (2 IoCs)
  • Blocklisted process makes network request (5 IoCs)
  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (8 IoCs)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory (2 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)

    Uses the powershell.exe command.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (41 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (30 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Unborn Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Unborn Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\DownloadedFile.exe
      "C:\Users\Admin\AppData\Local\Temp\DownloadedFile.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
      • C:\Users\Admin\AppData\Local\Temp\ExpIorer.exe
        "C:\Users\Admin\AppData\Local\Temp\ExpIorer.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Users\Admin\AppData\Local\Temp\Steam.exe
          "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
          4⤵
          • Executes dropped EXE
          PID:4512
        • C:\Users\Admin\AppData\Local\Temp\Fivems.exe
          "C:\Users\Admin\AppData\Local\Temp\Fivems.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:764
          • C:\Users\Admin\AppData\Roaming\Driver\fontdrvhost.exe
            "C:\Users\Admin\AppData\Roaming\Driver\fontdrvhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1440
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Driver\fontdrvhost.exe" /rl HIGHEST /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2072
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /tn DeleteSelf /tr "powershell -Command Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Fivems.exe' -Force" /sc once /st 17:32 /ru System
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2520
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /run /tn DeleteSelf
            5⤵
            PID:4340
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /delete /tn DeleteSelf /f
            5⤵
            PID:2708
    • C:\Users\Admin\AppData\Local\Temp\DownloadedFile.exe
      "C:\Users\Admin\AppData\Local\Temp\DownloadedFile.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
      • C:\Users\Admin\AppData\Local\Temp\ExpIorer.exe
        "C:\Users\Admin\AppData\Local\Temp\ExpIorer.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Users\Admin\AppData\Local\Temp\Steam.exe
          "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
          4⤵
          • Executes dropped EXE
          PID:1744
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1864
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -Command Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\Fivems.exe" -Force
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1888

Network

MITRE ATT&CK Enterprise v15

Downloads
