Analysis
max time kernel: 136s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-12-2024 17:29
Static task: static1
Behavioral tasks:
- behavioral1: sample Unborn Loader.rar, resource win7-20241010-en
- behavioral2: sample Unborn Loader.rar, resource win10v2004-20241007-en
- behavioral3: sample Unborn Loader.exe, resource win7-20241010-en
- behavioral4: sample Unborn Loader.exe, resource win10v2004-20241007-en
- behavioral5: sample d3dx9_39.dll, resource win7-20240903-en
- behavioral6: sample d3dx9_39.dll, resource win10v2004-20241007-en
- behavioral7: sample msvcp140.dll, resource win7-20240903-en
- behavioral8: sample msvcp140.dll, resource win10v2004-20241007-en
General
Target: Unborn Loader.exe
Size: 932KB
MD5: b09fc8269f897d7f94bd58ef20f42545
SHA1: b10fb06fb53767676a83ea0f65678b4fbd90cd1b
SHA256: 6ad82006952f9fc912bdd3a767492098cc2ab7ffa7f2cdbc7114bd77a50f4c4c
SHA512: c88db52dfbe8afcc0d79a77cb1cf71e03f4b1a432782c93ea21259bc62bea2018c5372da110eb9c1eae853fafcb714911b6d90b634565012236ce810c1cb308a
SSDEEP: 24576:zI9Y4Mb7AL/JCd1Cnw7u36GMiyr745v/gY:zI9RMgL/senNJWr745vP
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: fontdrvhost
C2: vaxlet.duckdns.org:1852
Mutex: afa818a3-1965-4b44-bd1c-c136b77dd6c2
Attributes:
- encryption_key: 72F1D1477892633326199B903D992BF6D42C80FC
- install_name: fontdrvhost.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: fontdrvhost
- subdirectory: Driver
Signatures
Quasar family
Quasar payload (2 IoCs)
resource                                                                      yara_rule
behavioral4/files/0x000c000000023b97-142.dat                                  family_quasar
behavioral4/memory/1440-144-0x0000000000EC0000-0x00000000011E4000-memory.dmp  family_quasar
Blocklisted process makes network request (5 IoCs)
flow  pid   Process
55    1728  powershell.exe
57    1728  powershell.exe
62    764   powershell.exe
67    1940  powershell.exe
70    1940  powershell.exe
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                Process
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  Fivems.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  DownloadedFile.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  ExpIorer.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  Unborn Loader.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  DownloadedFile.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  ExpIorer.exe
Executes dropped EXE (8 IoCs)
pid   Process
2848  DownloadedFile.exe
2812  ExpIorer.exe
4512  Steam.exe
3204  Fivems.exe
4828  DownloadedFile.exe
1440  fontdrvhost.exe
4368  ExpIorer.exe
1744  Steam.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (2 IoCs)
description   ioc                                                                                                                 Process
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log                 powershell.EXE
Command and Scripting Interpreter: PowerShell (3 IoCs)
pid   Process
1728  powershell.exe
764   powershell.exe
1940  powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (41 IoCs)
description  ioc                                                                                                   Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs                                powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs                      powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates                 powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs                         powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates                  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates                        powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates                          powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                               powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                 powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                       powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates         powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs              powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs                               powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs                      powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs                                  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs                          powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                 powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs                                powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                           powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates              powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                       powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                      powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                            powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs                       powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                   powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs              powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                              powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs                          powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates               powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates               powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates      powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                    powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates                       powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                            powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs                       powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs                               powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs                                  powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs                         powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                     powershell.EXE
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs                       powershell.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2072  schtasks.exe
2520  schtasks.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid   Process
2848  DownloadedFile.exe
1728  powershell.exe
1728  powershell.exe
3204  Fivems.exe
764   powershell.exe
764   powershell.exe
4828  DownloadedFile.exe
1940  powershell.exe
1940  powershell.exe
1888  powershell.EXE
1888  powershell.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
1064  Unborn Loader.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2848  DownloadedFile.exe
Token: SeDebugPrivilege  1728  powershell.exe
Token: SeDebugPrivilege  3204  Fivems.exe
Token: SeDebugPrivilege  764   powershell.exe
Token: SeDebugPrivilege  4828  DownloadedFile.exe
Token: SeDebugPrivilege  1940  powershell.exe
Token: SeDebugPrivilege  1440  fontdrvhost.exe
Token: SeDebugPrivilege  1888  powershell.EXE
Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1440  fontdrvhost.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description                          pid   Process             procid_target
PID 1064 wrote to memory of 2848     1064  Unborn Loader.exe   92
PID 1064 wrote to memory of 2848     1064  Unborn Loader.exe   92
PID 2848 wrote to memory of 1728     2848  DownloadedFile.exe  93
PID 2848 wrote to memory of 1728     2848  DownloadedFile.exe  93
PID 2848 wrote to memory of 2812     2848  DownloadedFile.exe  95
PID 2848 wrote to memory of 2812     2848  DownloadedFile.exe  95
PID 2812 wrote to memory of 4512     2812  ExpIorer.exe        96
PID 2812 wrote to memory of 4512     2812  ExpIorer.exe        96
PID 2812 wrote to memory of 3204     2812  ExpIorer.exe        97
PID 2812 wrote to memory of 3204     2812  ExpIorer.exe        97
PID 3204 wrote to memory of 764      3204  Fivems.exe          98
PID 3204 wrote to memory of 764      3204  Fivems.exe          98
PID 1064 wrote to memory of 4828     1064  Unborn Loader.exe   100
PID 1064 wrote to memory of 4828     1064  Unborn Loader.exe   100
PID 4828 wrote to memory of 1940     4828  DownloadedFile.exe  101
PID 4828 wrote to memory of 1940     4828  DownloadedFile.exe  101
PID 3204 wrote to memory of 1440     3204  Fivems.exe          103
PID 3204 wrote to memory of 1440     3204  Fivems.exe          103
PID 1440 wrote to memory of 2072     1440  fontdrvhost.exe     104
PID 1440 wrote to memory of 2072     1440  fontdrvhost.exe     104
PID 4828 wrote to memory of 4368     4828  DownloadedFile.exe  107
PID 4828 wrote to memory of 4368     4828  DownloadedFile.exe  107
PID 4368 wrote to memory of 1744     4368  ExpIorer.exe        110
PID 4368 wrote to memory of 1744     4368  ExpIorer.exe        110
PID 3204 wrote to memory of 2520     3204  Fivems.exe          112
PID 3204 wrote to memory of 2520     3204  Fivems.exe          112
PID 3204 wrote to memory of 4340     3204  Fivems.exe          115
PID 3204 wrote to memory of 4340     3204  Fivems.exe          115
PID 3204 wrote to memory of 2708     3204  Fivems.exe          117
PID 3204 wrote to memory of 2708     3204  Fivems.exe          117
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
"C:\Users\Admin\AppData\Local\Temp\Unborn Loader.exe"  PID:1064
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\DownloadedFile.exe"  PID:2848
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile  PID:1728
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    "C:\Users\Admin\AppData\Local\Temp\ExpIorer.exe"  PID:2812
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      "C:\Users\Admin\AppData\Local\Temp\Steam.exe"  PID:4512
        - Executes dropped EXE
      "C:\Users\Admin\AppData\Local\Temp\Fivems.exe"  PID:3204
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile  PID:764
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        "C:\Users\Admin\AppData\Roaming\Driver\fontdrvhost.exe"  PID:1440
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Driver\fontdrvhost.exe" /rl HIGHEST /f  PID:2072
            - Scheduled Task/Job: Scheduled Task
        "C:\Windows\system32\schtasks.exe" /create /tn DeleteSelf /tr "powershell -Command Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Fivems.exe' -Force" /sc once /st 17:32 /ru System  PID:2520
          - Scheduled Task/Job: Scheduled Task
        "C:\Windows\system32\schtasks.exe" /run /tn DeleteSelf  PID:4340
        "C:\Windows\system32\schtasks.exe" /delete /tn DeleteSelf /f  PID:2708
  "C:\Users\Admin\AppData\Local\Temp\DownloadedFile.exe"  PID:4828
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile  PID:1940
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    "C:\Users\Admin\AppData\Local\Temp\ExpIorer.exe"  PID:4368
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      "C:\Users\Admin\AppData\Local\Temp\Steam.exe"  PID:1744
        - Executes dropped EXE
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  PID:1864
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -Command Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\Fivems.exe" -Force  PID:1888
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads