Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 06:33
Behavioral task
behavioral1
Sample
kys.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
kys.exe
Resource
win10v2004-20241007-en
General
-
Target
kys.exe
-
Size
3.2MB
-
MD5
0515143005b3e92fe50594bc1e30af7b
-
SHA1
1f565728bcc13bf1e49760c98bd96e15dacb42fc
-
SHA256
676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
-
SHA512
e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
SSDEEP
49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ
Malware Config
Extracted
quasar
1.4.1
victim-hacked
192.168.100.2:4444
16229cd1-6d24-490c-9eb9-35319229cc03
-
encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
-
install_name
victim.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft Service
-
subdirectory
SubDir
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral2/files/0x0008000000023be3-7.dat family_quasar behavioral2/memory/1856-10-0x0000000000A90000-0x0000000000DB4000-memory.dmp family_quasar behavioral2/files/0x0008000000023be5-21.dat family_quasar -
Executes dropped EXE 8 IoCs
pid Process 1856 kys.exe 920 icsys.icn.exe 5044 victim.exe 3608 explorer.exe 2544 explorer.exe 2364 spoolsv.exe 4460 svchost.exe 1316 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\system32\SubDir\victim.exe kys.exe File opened for modification C:\Windows\system32\SubDir\victim.exe kys.exe File opened for modification C:\Windows\system32\SubDir kys.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe kys.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kys.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language victim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 772 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 2556 kys.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe 920 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3608 explorer.exe 4460 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1856 kys.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 2556 kys.exe 2556 kys.exe 920 icsys.icn.exe 920 icsys.icn.exe 5044 victim.exe 5044 victim.exe 3608 explorer.exe 3608 explorer.exe 2544 explorer.exe 2544 explorer.exe 2364 spoolsv.exe 2364 spoolsv.exe 4460 svchost.exe 4460 svchost.exe 1316 spoolsv.exe 1316 spoolsv.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2556 wrote to memory of 1856 2556 kys.exe 83 PID 2556 wrote to memory of 1856 2556 kys.exe 83 PID 1856 wrote to memory of 772 1856 kys.exe 84 PID 1856 wrote to memory of 772 1856 kys.exe 84 PID 2556 wrote to memory of 920 2556 kys.exe 86 PID 2556 wrote to memory of 920 2556 kys.exe 86 PID 2556 wrote to memory of 920 2556 kys.exe 86 PID 1856 wrote to memory of 5044 1856 kys.exe 87 PID 1856 wrote to memory of 5044 1856 kys.exe 87 PID 1856 wrote to memory of 5044 1856 kys.exe 87 PID 920 wrote to memory of 3608 920 icsys.icn.exe 88 PID 920 wrote to memory of 3608 920 icsys.icn.exe 88 PID 920 wrote to memory of 3608 920 icsys.icn.exe 88 PID 5044 wrote to memory of 2544 5044 victim.exe 89 PID 5044 wrote to memory of 2544 5044 victim.exe 89 PID 5044 wrote to memory of 2544 5044 victim.exe 89 PID 3608 wrote to memory of 2364 3608 explorer.exe 90 PID 3608 wrote to memory of 2364 3608 explorer.exe 90 PID 3608 wrote to memory of 2364 3608 explorer.exe 90 PID 2364 wrote to memory of 4460 2364 spoolsv.exe 91 PID 2364 wrote to memory of 4460 2364 spoolsv.exe 91 PID 2364 wrote to memory of 4460 2364 spoolsv.exe 91 PID 4460 wrote to memory of 1316 4460 svchost.exe 92 PID 4460 wrote to memory of 1316 4460 svchost.exe 92 PID 4460 wrote to memory of 1316 4460 svchost.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\kys.exe"C:\Users\Admin\AppData\Local\Temp\kys.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\users\admin\appdata\local\temp\kys.exec:\users\admin\appdata\local\temp\kys.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\victim.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:772
-
-
C:\Windows\system32\SubDir\victim.exe"C:\Windows\system32\SubDir\victim.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2544
-
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1316
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD55def20bc149e979f4c18e238edb01874
SHA1813b5f3403652337ebf51b36f7c35c17a567786f
SHA2566a98d500eab158f232d41cc190cb13f96749f818995d3bc01477f4231d7c7254
SHA512fb51725d4367db8de825893235c34f6b1533f0a4cf25feac66efefa0c1d33a60d3723692cc9e00b4e0e032972e83e6b1f84d858284f1f1b0160e4e6c7e08bcfd
-
Filesize
135KB
MD520c2fe9a730ef6e2ee732d4b854f125b
SHA169236089a1291f96a66cc0d007944aff1697afdc
SHA25695060d4832274d9f65af5111acb2602a2458c085a51b2ad585aa274cfe6cec27
SHA5120123843886af98dcfbfb7563ba840efa53d4c565c4c11b62716d8c1a23d4678a1089d54f058e16790b73549761f3e0209845dc88cf8aa18dc73f44b2d37a78cc
-
Filesize
135KB
MD582d9d8d2e5e9d0ab3c86caab4ecfec19
SHA1bd9875dfe5c07229f178bd1c9ecfb7f6cd213a13
SHA2565139d87f72cf9faa5ff69416e799265bcda2d36068d35232e88ca4ee8d3777f6
SHA5125e15cfc9604faaf12fcb971c7b265635f113f1211d3a3f47499d4cda422e3f863c6a8cd21d4970e50e128f391e56a046b1a29301fbcaa8ac2d0b8954844a9740
-
Filesize
135KB
MD55a4e0482b4bd377ec85c8fdf3d65732f
SHA10cb47f140fa5e258b31b45cf04ee4d9f9895424f
SHA256b448a7da0cde84dbd0dc2ced34bdd016aef437a89fbf64a21861948146b54184
SHA512bff891ae8195073c43e04583cbdb4346ebb6d6f44c63b81e7880545f300b27357df31eb3fbf33b7b8198f2e8eed6fc1ecc0e98b796ab92360f716082c098d1a7
-
Filesize
3.2MB
MD50515143005b3e92fe50594bc1e30af7b
SHA11f565728bcc13bf1e49760c98bd96e15dacb42fc
SHA256676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
SHA512e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
Filesize
135KB
MD5e55d621762f1ef6069637ac780aac7b5
SHA11d2ed6d16f63ecb3f60c8a219a8a84882d2af7d7
SHA256c7ea517f90685ed9978d776edffc25c8cde9e4deb75adaac2eb489cd718f3cf1
SHA5124d302a9c0cec37ce1b5976285d88d0e155cf12a3a4e52290a4f8505c6319a5a7338757fdbc3d3c253a1edd2506ccb298d5d246424e77af286801bfc0f906b9d9