Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 06:45
Behavioral task
behavioral1
Sample
kys.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
kys.exe
Resource
win10v2004-20241007-en
General
-
Target
kys.exe
-
Size
3.2MB
-
MD5
0515143005b3e92fe50594bc1e30af7b
-
SHA1
1f565728bcc13bf1e49760c98bd96e15dacb42fc
-
SHA256
676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
-
SHA512
e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
SSDEEP
49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ
Malware Config
Extracted
quasar
1.4.1
victim-hacked
192.168.100.2:4444
16229cd1-6d24-490c-9eb9-35319229cc03
-
encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
-
install_name
victim.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft Service
-
subdirectory
SubDir
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral1/files/0x00070000000186fd-8.dat family_quasar behavioral1/memory/2164-11-0x0000000000D50000-0x0000000001074000-memory.dmp family_quasar behavioral1/files/0x0007000000018728-46.dat family_quasar -
Executes dropped EXE 8 IoCs
pid Process 2164 kys.exe 1812 icsys.icn.exe 2580 explorer.exe 2904 spoolsv.exe 2744 victim.exe 2804 svchost.exe 1396 spoolsv.exe 2664 explorer.exe -
Loads dropped DLL 7 IoCs
pid Process 2196 kys.exe 2196 kys.exe 1812 icsys.icn.exe 2580 explorer.exe 2904 spoolsv.exe 2804 svchost.exe 2744 victim.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system32\SubDir\victim.exe kys.exe File opened for modification C:\Windows\system32\SubDir kys.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File created C:\Windows\system32\SubDir\victim.exe kys.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe kys.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language victim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kys.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2568 schtasks.exe 2672 schtasks.exe 1940 schtasks.exe 1552 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 2196 kys.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2804 svchost.exe 2744 victim.exe 2804 svchost.exe 2804 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2580 explorer.exe 2804 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2164 kys.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 2196 kys.exe 2196 kys.exe 1812 icsys.icn.exe 1812 icsys.icn.exe 2580 explorer.exe 2580 explorer.exe 2904 spoolsv.exe 2904 spoolsv.exe 2804 svchost.exe 2744 victim.exe 2804 svchost.exe 2744 victim.exe 1396 spoolsv.exe 1396 spoolsv.exe 2664 explorer.exe 2664 explorer.exe -
Suspicious use of WriteProcessMemory 51 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2164 2196 kys.exe 30 PID 2196 wrote to memory of 2164 2196 kys.exe 30 PID 2196 wrote to memory of 2164 2196 kys.exe 30 PID 2196 wrote to memory of 2164 2196 kys.exe 30 PID 2164 wrote to memory of 2568 2164 kys.exe 31 PID 2164 wrote to memory of 2568 2164 kys.exe 31 PID 2164 wrote to memory of 2568 2164 kys.exe 31 PID 2196 wrote to memory of 1812 2196 kys.exe 33 PID 2196 wrote to memory of 1812 2196 kys.exe 33 PID 2196 wrote to memory of 1812 2196 kys.exe 33 PID 2196 wrote to memory of 1812 2196 kys.exe 33 PID 1812 wrote to memory of 2580 1812 icsys.icn.exe 34 PID 1812 wrote to memory of 2580 1812 icsys.icn.exe 34 PID 1812 wrote to memory of 2580 1812 icsys.icn.exe 34 PID 1812 wrote to memory of 2580 1812 icsys.icn.exe 34 PID 2580 wrote to memory of 2904 2580 explorer.exe 35 PID 2580 wrote to memory of 2904 2580 explorer.exe 35 PID 2580 wrote to memory of 2904 2580 explorer.exe 35 PID 2580 wrote to memory of 2904 2580 explorer.exe 35 PID 2164 wrote to memory of 2744 2164 kys.exe 36 PID 2164 wrote to memory of 2744 2164 kys.exe 36 PID 2164 wrote to memory of 2744 2164 kys.exe 36 PID 2164 wrote to memory of 2744 2164 kys.exe 36 PID 2904 wrote to memory of 2804 2904 spoolsv.exe 37 PID 2904 wrote to memory of 2804 2904 spoolsv.exe 37 PID 2904 wrote to memory of 2804 2904 spoolsv.exe 37 PID 2904 wrote to memory of 2804 2904 spoolsv.exe 37 PID 2804 wrote to memory of 1396 2804 svchost.exe 38 PID 2804 wrote to memory of 1396 2804 svchost.exe 38 PID 2804 wrote to memory of 1396 2804 svchost.exe 38 PID 2804 wrote to memory of 1396 2804 svchost.exe 38 PID 2744 wrote to memory of 2664 2744 victim.exe 39 PID 2744 wrote to memory of 2664 2744 victim.exe 39 PID 2744 wrote to memory of 2664 2744 victim.exe 39 PID 2744 wrote to memory of 2664 2744 victim.exe 39 PID 2580 wrote to memory of 2052 2580 explorer.exe 40 PID 2580 wrote to memory of 2052 2580 explorer.exe 40 PID 2580 wrote to memory of 2052 2580 explorer.exe 40 PID 2580 wrote to memory of 2052 2580 explorer.exe 40 PID 2804 wrote to memory of 2672 2804 svchost.exe 41 PID 2804 wrote to memory of 2672 2804 svchost.exe 41 PID 2804 wrote to memory of 2672 2804 svchost.exe 41 PID 2804 wrote to memory of 2672 2804 svchost.exe 41 PID 2804 wrote to memory of 1940 2804 svchost.exe 45 PID 2804 wrote to memory of 1940 2804 svchost.exe 45 PID 2804 wrote to memory of 1940 2804 svchost.exe 45 PID 2804 wrote to memory of 1940 2804 svchost.exe 45 PID 2804 wrote to memory of 1552 2804 svchost.exe 47 PID 2804 wrote to memory of 1552 2804 svchost.exe 47 PID 2804 wrote to memory of 1552 2804 svchost.exe 47 PID 2804 wrote to memory of 1552 2804 svchost.exe 47 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\kys.exe"C:\Users\Admin\AppData\Local\Temp\kys.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\users\admin\appdata\local\temp\kys.exec:\users\admin\appdata\local\temp\kys.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\victim.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2568
-
-
C:\Windows\system32\SubDir\victim.exe"C:\Windows\system32\SubDir\victim.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2664
-
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1396
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:47 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2672
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:48 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1940
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:49 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1552
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵PID:2052
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD55def20bc149e979f4c18e238edb01874
SHA1813b5f3403652337ebf51b36f7c35c17a567786f
SHA2566a98d500eab158f232d41cc190cb13f96749f818995d3bc01477f4231d7c7254
SHA512fb51725d4367db8de825893235c34f6b1533f0a4cf25feac66efefa0c1d33a60d3723692cc9e00b4e0e032972e83e6b1f84d858284f1f1b0160e4e6c7e08bcfd
-
Filesize
135KB
MD5795ae8f64b75bcfc220839aa846b8eb6
SHA13b44d6ecddc74ef9dfeeed4ff5c07aa1ab6e672c
SHA256aa3741f7c2e9aea34972ea8494ec949ec105014624552d50dfdc5cdbba06b1b1
SHA51232e1a0dd920c199ef245f1f199d084bf5633df0476331f4aaece72a957f96bb99d6e21bdde8f0370afaf9e5af7c2cf35abfc5687adb0416e3c8545df9de682d6
-
Filesize
135KB
MD592abe5e2ed00ab4f9d2a3d5c4f1fd44c
SHA1738b210f04c423d86d021890cbb3b66dc5bdd695
SHA25645bbb5ff77d8bb78061d0e75d25e70d4d8fbc5f1bd63ef6aa8b6a4abef7c6bed
SHA5121f43a9752dbbef4b470a3e29ad289bc2869b61ceef8f5a892e24d9d50aa4fea3c9b183527c87da8f9315227db54db15c135099de44b000b02feec2579151b18f
-
Filesize
3.2MB
MD50515143005b3e92fe50594bc1e30af7b
SHA11f565728bcc13bf1e49760c98bd96e15dacb42fc
SHA256676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
SHA512e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
Filesize
135KB
MD520c2fe9a730ef6e2ee732d4b854f125b
SHA169236089a1291f96a66cc0d007944aff1697afdc
SHA25695060d4832274d9f65af5111acb2602a2458c085a51b2ad585aa274cfe6cec27
SHA5120123843886af98dcfbfb7563ba840efa53d4c565c4c11b62716d8c1a23d4678a1089d54f058e16790b73549761f3e0209845dc88cf8aa18dc73f44b2d37a78cc
-
Filesize
135KB
MD5899ba353f7c2680709dea8c6f2061c35
SHA1072ea43691a46b22c89b031aae28df5f7b1551f6
SHA2565844a506446e36200299cc7120977272b0d9a848bfd2e5b45eea7ea38adb76c6
SHA5123b0d6c02d7484c58455ba7aa76fab0da507c1c6f9f1610c4c1d4462d6e170ecb82133b00e5c59a818b31e2b64d9775aeb07adffc74c3611691f787c992f3a433