Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 06:33

General

  • Target

    kys.exe

  • Size

    3.2MB

  • MD5

    0515143005b3e92fe50594bc1e30af7b

  • SHA1

    1f565728bcc13bf1e49760c98bd96e15dacb42fc

  • SHA256

    676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

  • SHA512

    e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

  • SSDEEP

    49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

victim-hacked

C2

192.168.100.2:4444

Mutex

16229cd1-6d24-490c-9eb9-35319229cc03

Attributes
  • encryption_key

    6B74F0C858B7E90573D4E97997F2A082B9781250

  • install_name

    victim.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\kys.exe
    "C:\Users\Admin\AppData\Local\Temp\kys.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1628
    • \??\c:\users\admin\appdata\local\temp\kys.exe 
      c:\users\admin\appdata\local\temp\kys.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\victim.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2460
      • C:\Windows\system32\SubDir\victim.exe
        "C:\Windows\system32\SubDir\victim.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2824
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:488
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2520
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2708
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2836
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2640
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2820
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:35 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2272
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:36 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2052
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:37 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1048
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2784

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      337ad28f4cc8b582707a658214da9af0

      SHA1

      8250564943680095f0fc361f2bdf1676ad6cc220

      SHA256

      882b2f59bd67d2c743713ce4dc7096a59b4076b7aff345a90a3692f64aa1eab7

      SHA512

      b8970d107ca39a81c20c031942dbcb1f0bea9d834630a1f35e421da0cf01dcf346906d3d71ef287d62b79fc612286b9fa0d2473ecdf533a4a30653ca68a5e47c

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      20c2fe9a730ef6e2ee732d4b854f125b

      SHA1

      69236089a1291f96a66cc0d007944aff1697afdc

      SHA256

      95060d4832274d9f65af5111acb2602a2458c085a51b2ad585aa274cfe6cec27

      SHA512

      0123843886af98dcfbfb7563ba840efa53d4c565c4c11b62716d8c1a23d4678a1089d54f058e16790b73549761f3e0209845dc88cf8aa18dc73f44b2d37a78cc

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      8bdb867fa8eac60ce25a9760af4e7e52

      SHA1

      d04733692a6e4171c5c0099b90a6fd4ef34d409f

      SHA256

      fbe49e623686dbc7e6a5fb50878cce2984f667d8dc4ec23baf8bcf91e6807dc1

      SHA512

      d619e522323581a4d69608cd950732c19b5ecfe7fa87643567cbdda1f5fc67c5c687f276d6c1546e927071fce8b1a8c70448b4fc8fab985cdea5d13127f00c11

    • C:\Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      04f8bb746124dab37a588be44b689d23

      SHA1

      c1a14718a4c8e8dbf0ffd464a4cfb04b47e93d4d

      SHA256

      a48a3fef3f56ee49e123075a8d3aac106f28b33bf7405d855c2976f8f38e9fa7

      SHA512

      9d7fff7ba9b1eb6d9b642f437da2e776571e9c4c40101b308976c35548c3e2a989943d5a40155760dc77be1f90c065e844f38c4faf971695d408dd9424d78512

    • C:\Windows\System32\SubDir\victim.exe

      Filesize

      3.2MB

      MD5

      0515143005b3e92fe50594bc1e30af7b

      SHA1

      1f565728bcc13bf1e49760c98bd96e15dacb42fc

      SHA256

      676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

      SHA512

      e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

    • \Users\Admin\AppData\Local\Temp\kys.exe 

      Filesize

      3.1MB

      MD5

      5def20bc149e979f4c18e238edb01874

      SHA1

      813b5f3403652337ebf51b36f7c35c17a567786f

      SHA256

      6a98d500eab158f232d41cc190cb13f96749f818995d3bc01477f4231d7c7254

      SHA512

      fb51725d4367db8de825893235c34f6b1533f0a4cf25feac66efefa0c1d33a60d3723692cc9e00b4e0e032972e83e6b1f84d858284f1f1b0160e4e6c7e08bcfd

    • memory/488-56-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/488-60-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1628-16-0x00000000003E0000-0x00000000003FF000-memory.dmp

      Filesize

      124KB

    • memory/1628-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1628-82-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2356-66-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

      Filesize

      9.9MB

    • memory/2356-12-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

      Filesize

      9.9MB

    • memory/2356-11-0x0000000000950000-0x0000000000C74000-memory.dmp

      Filesize

      3.1MB

    • memory/2356-10-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

      Filesize

      4KB

    • memory/2520-81-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2520-28-0x0000000000440000-0x000000000045F000-memory.dmp

      Filesize

      124KB

    • memory/2640-85-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2708-84-0x0000000000520000-0x000000000053F000-memory.dmp

      Filesize

      124KB

    • memory/2708-83-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2820-79-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2824-59-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2824-52-0x00000000002B0000-0x00000000002CF000-memory.dmp

      Filesize

      124KB

    • memory/2824-50-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2836-80-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2836-69-0x0000000000330000-0x000000000034F000-memory.dmp

      Filesize

      124KB

    • memory/2836-51-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB