Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-12-2024 06:33
Behavioral task behavioral1
- Sample: kys.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: kys.exe
- Resource: win10v2004-20241007-en
General
- Target: kys.exe
- Size: 3.2MB
- MD5: 0515143005b3e92fe50594bc1e30af7b
- SHA1: 1f565728bcc13bf1e49760c98bd96e15dacb42fc
- SHA256: 676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
- SHA512: e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
- SSDEEP: 49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ
Malware Config
Extracted
- quasar
- 1.4.1
- victim-hacked
- 192.168.100.2:4444
- 16229cd1-6d24-490c-9eb9-35319229cc03
- encryption_key: 6B74F0C858B7E90573D4E97997F2A082B9781250
- install_name: victim.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Microsoft Service
- subdirectory: SubDir
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Quasar family
Quasar payload (3 IoCs)
Resource | YARA rule
behavioral1/files/0x0008000000015d19-6.dat | family_quasar
behavioral1/memory/2356-11-0x0000000000950000-0x0000000000C74000-memory.dmp | family_quasar
behavioral1/files/0x0007000000015d48-41.dat | family_quasar
Executes dropped EXE (8 IoCs)
PID | Process
2356 | kys.exe
2520 | icsys.icn.exe
2708 | explorer.exe
2824 | victim.exe
2836 | spoolsv.exe
488 | explorer.exe
2640 | svchost.exe
2820 | spoolsv.exe
Loads dropped DLL (7 IoCs)
PID | Process
1628 | kys.exe
1628 | kys.exe
2520 | icsys.icn.exe
2708 | explorer.exe
2824 | victim.exe
2836 | spoolsv.exe
2640 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Drops file in System32 directory (5 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\system32\SubDir | kys.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
File created | C:\Windows\system32\SubDir\victim.exe | kys.exe
File opened for modification | C:\Windows\system32\SubDir\victim.exe | kys.exe
Drops file in Windows directory (5 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | kys.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kys.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | victim.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID | Process
2460 | schtasks.exe
2272 | schtasks.exe
2052 | schtasks.exe
1048 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process | Occurrences
1628 | kys.exe | 16
2520 | icsys.icn.exe | 17
2708 | explorer.exe | 16
2824 | victim.exe | 15
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
PID | Process
2708 | explorer.exe
2640 | svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 2356 | kys.exe
Suspicious use of SetWindowsHookEx (16 IoCs)
PID | Process | Occurrences
1628 | kys.exe | 2
2520 | icsys.icn.exe | 2
2708 | explorer.exe | 2
2824 | victim.exe | 2
2836 | spoolsv.exe | 2
488 | explorer.exe | 2
2640 | svchost.exe | 2
2820 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (51 IoCs)
Description | PID | Process | procid_target | Occurrences
PID 1628 wrote to memory of 2356 | 1628 | kys.exe | 30 | 4
PID 2356 wrote to memory of 2460 | 2356 | kys.exe | 31 | 3
PID 1628 wrote to memory of 2520 | 1628 | kys.exe | 33 | 4
PID 2520 wrote to memory of 2708 | 2520 | icsys.icn.exe | 34 | 4
PID 2356 wrote to memory of 2824 | 2356 | kys.exe | 35 | 4
PID 2708 wrote to memory of 2836 | 2708 | explorer.exe | 36 | 4
PID 2824 wrote to memory of 488 | 2824 | victim.exe | 37 | 4
PID 2836 wrote to memory of 2640 | 2836 | spoolsv.exe | 38 | 4
PID 2640 wrote to memory of 2820 | 2640 | svchost.exe | 39 | 4
PID 2708 wrote to memory of 2784 | 2708 | explorer.exe | 40 | 4
PID 2640 wrote to memory of 2272 | 2640 | svchost.exe | 41 | 4
PID 2640 wrote to memory of 2052 | 2640 | svchost.exe | 45 | 4
PID 2640 wrote to memory of 1048 | 2640 | svchost.exe | 47 | 4
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\kys.exe (PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\kys.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [2] \??\c:\users\admin\appdata\local\temp\kys.exe (PID 2356)
    Command line: c:\users\admin\appdata\local\temp\kys.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 2460)
      Command line: "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\victim.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\system32\SubDir\victim.exe (PID 2824)
      Command line: "C:\Windows\system32\SubDir\victim.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\resources\themes\explorer.exe (PID 488)
        Command line: c:\windows\resources\themes\explorer.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\Resources\Themes\icsys.icn.exe (PID 2520)
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\resources\themes\explorer.exe (PID 2708)
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\resources\spoolsv.exe (PID 2836)
        Command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\resources\svchost.exe (PID 2640)
          Command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\resources\spoolsv.exe (PID 2820)
            Command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\schtasks.exe (PID 2272)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:35 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\SysWOW64\schtasks.exe (PID 2052)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:36 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\SysWOW64\schtasks.exe (PID 1048)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:37 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\Explorer.exe (PID 2784)
        Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (2)
Downloads