Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 06:45

General

  • Target

    kys.exe

  • Size

    3.2MB

  • MD5

    0515143005b3e92fe50594bc1e30af7b

  • SHA1

    1f565728bcc13bf1e49760c98bd96e15dacb42fc

  • SHA256

    676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

  • SHA512

    e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

  • SSDEEP

    49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

victim-hacked

C2

192.168.100.2:4444

Mutex

16229cd1-6d24-490c-9eb9-35319229cc03

Attributes
  • encryption_key

    6B74F0C858B7E90573D4E97997F2A082B9781250

  • install_name

    victim.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\kys.exe
    "C:\Users\Admin\AppData\Local\Temp\kys.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2196
    • \??\c:\users\admin\appdata\local\temp\kys.exe 
      c:\users\admin\appdata\local\temp\kys.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\victim.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2568
      • C:\Windows\system32\SubDir\victim.exe
        "C:\Windows\system32\SubDir\victim.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2744
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2664
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1812
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2580
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2904
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2804
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1396
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:47 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2672
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:48 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1940
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:49 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1552
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\kys.exe 

      Filesize

      3.1MB

      MD5

      5def20bc149e979f4c18e238edb01874

      SHA1

      813b5f3403652337ebf51b36f7c35c17a567786f

      SHA256

      6a98d500eab158f232d41cc190cb13f96749f818995d3bc01477f4231d7c7254

      SHA512

      fb51725d4367db8de825893235c34f6b1533f0a4cf25feac66efefa0c1d33a60d3723692cc9e00b4e0e032972e83e6b1f84d858284f1f1b0160e4e6c7e08bcfd

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      795ae8f64b75bcfc220839aa846b8eb6

      SHA1

      3b44d6ecddc74ef9dfeeed4ff5c07aa1ab6e672c

      SHA256

      aa3741f7c2e9aea34972ea8494ec949ec105014624552d50dfdc5cdbba06b1b1

      SHA512

      32e1a0dd920c199ef245f1f199d084bf5633df0476331f4aaece72a957f96bb99d6e21bdde8f0370afaf9e5af7c2cf35abfc5687adb0416e3c8545df9de682d6

    • C:\Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      92abe5e2ed00ab4f9d2a3d5c4f1fd44c

      SHA1

      738b210f04c423d86d021890cbb3b66dc5bdd695

      SHA256

      45bbb5ff77d8bb78061d0e75d25e70d4d8fbc5f1bd63ef6aa8b6a4abef7c6bed

      SHA512

      1f43a9752dbbef4b470a3e29ad289bc2869b61ceef8f5a892e24d9d50aa4fea3c9b183527c87da8f9315227db54db15c135099de44b000b02feec2579151b18f

    • C:\Windows\System32\SubDir\victim.exe

      Filesize

      3.2MB

      MD5

      0515143005b3e92fe50594bc1e30af7b

      SHA1

      1f565728bcc13bf1e49760c98bd96e15dacb42fc

      SHA256

      676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

      SHA512

      e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

    • \Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      20c2fe9a730ef6e2ee732d4b854f125b

      SHA1

      69236089a1291f96a66cc0d007944aff1697afdc

      SHA256

      95060d4832274d9f65af5111acb2602a2458c085a51b2ad585aa274cfe6cec27

      SHA512

      0123843886af98dcfbfb7563ba840efa53d4c565c4c11b62716d8c1a23d4678a1089d54f058e16790b73549761f3e0209845dc88cf8aa18dc73f44b2d37a78cc

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      899ba353f7c2680709dea8c6f2061c35

      SHA1

      072ea43691a46b22c89b031aae28df5f7b1551f6

      SHA256

      5844a506446e36200299cc7120977272b0d9a848bfd2e5b45eea7ea38adb76c6

      SHA512

      3b0d6c02d7484c58455ba7aa76fab0da507c1c6f9f1610c4c1d4462d6e170ecb82133b00e5c59a818b31e2b64d9775aeb07adffc74c3611691f787c992f3a433

    • memory/1396-74-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1812-79-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1812-27-0x00000000003D0000-0x00000000003EF000-memory.dmp

      Filesize

      124KB

    • memory/2164-12-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

      Filesize

      9.9MB

    • memory/2164-11-0x0000000000D50000-0x0000000001074000-memory.dmp

      Filesize

      3.1MB

    • memory/2164-10-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

      Filesize

      4KB

    • memory/2164-56-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

      Filesize

      9.9MB

    • memory/2196-16-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB

    • memory/2196-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2196-78-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2580-80-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2664-75-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2744-69-0x00000000003C0000-0x00000000003DF000-memory.dmp

      Filesize

      124KB

    • memory/2744-77-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2804-64-0x0000000001C20000-0x0000000001C3F000-memory.dmp

      Filesize

      124KB

    • memory/2804-81-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2804-82-0x0000000001C20000-0x0000000001C3F000-memory.dmp

      Filesize

      124KB

    • memory/2904-76-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB