Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 06:45

General

  • Target

    kys.exe

  • Size

    3.2MB

  • MD5

    0515143005b3e92fe50594bc1e30af7b

  • SHA1

    1f565728bcc13bf1e49760c98bd96e15dacb42fc

  • SHA256

    676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

  • SHA512

    e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

  • SSDEEP

    49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

victim-hacked

C2

192.168.100.2:4444

Mutex

16229cd1-6d24-490c-9eb9-35319229cc03

Attributes
  • encryption_key

    6B74F0C858B7E90573D4E97997F2A082B9781250

  • install_name

    victim.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\kys.exe
    "C:\Users\Admin\AppData\Local\Temp\kys.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4028
    • \??\c:\users\admin\appdata\local\temp\kys.exe 
      c:\users\admin\appdata\local\temp\kys.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\victim.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3664
      • C:\Windows\system32\SubDir\victim.exe
        "C:\Windows\system32\SubDir\victim.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4024
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2492
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4820
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2108
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1384
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3832
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kys.exe 

    Filesize

    3.1MB

    MD5

    5def20bc149e979f4c18e238edb01874

    SHA1

    813b5f3403652337ebf51b36f7c35c17a567786f

    SHA256

    6a98d500eab158f232d41cc190cb13f96749f818995d3bc01477f4231d7c7254

    SHA512

    fb51725d4367db8de825893235c34f6b1533f0a4cf25feac66efefa0c1d33a60d3723692cc9e00b4e0e032972e83e6b1f84d858284f1f1b0160e4e6c7e08bcfd

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    20c2fe9a730ef6e2ee732d4b854f125b

    SHA1

    69236089a1291f96a66cc0d007944aff1697afdc

    SHA256

    95060d4832274d9f65af5111acb2602a2458c085a51b2ad585aa274cfe6cec27

    SHA512

    0123843886af98dcfbfb7563ba840efa53d4c565c4c11b62716d8c1a23d4678a1089d54f058e16790b73549761f3e0209845dc88cf8aa18dc73f44b2d37a78cc

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    66e62bb0fa38ac291d43a10c025899f3

    SHA1

    d1d7498ab9ce18a33916ce9744be992ec26d8f5d

    SHA256

    fd9f1b7b05cfdc3d922174b0764c5bf48e9628e25c8ed0c20125aeb03b5139e1

    SHA512

    56ae71d060932514d09431f540f53060870eb68d177021d83ee60ca872e0d84e39cfb5827bf16fad8bb7b1422250c4266bc10c20d8c6c6f01846fa408ebdafb1

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    d21020e810ed5b2b5f1a02caa5bbe5a3

    SHA1

    873e98dd02a057e73158b1e961c9740d839fc67d

    SHA256

    b5fd86b0717ac0954beb10880e4a0df161bdeae24d11bb4c5d0b839a002501ca

    SHA512

    4adb07d517f5c6e80f4071e60838b50067c681c2e1121064013de815cd87de256566189299a4466bf22a425e44623e18f7a870ea2bad4bdab3fecfa0a3d7e8e9

  • C:\Windows\System32\SubDir\victim.exe

    Filesize

    3.2MB

    MD5

    0515143005b3e92fe50594bc1e30af7b

    SHA1

    1f565728bcc13bf1e49760c98bd96e15dacb42fc

    SHA256

    676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

    SHA512

    e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

  • \??\c:\windows\resources\themes\explorer.exe

    Filesize

    135KB

    MD5

    2301c35e378417258da8356437a4a074

    SHA1

    2a6d5ddcd3dbe6b58189a986c9c38f797fa58dba

    SHA256

    cd653401b07dea2c1079405a4d919ba4d75f6134985535e8fe1ab64be67f30a1

    SHA512

    d5a6f44ab1ad037218646851918fd2618ccb9fff53a746be2216f35e3cc181ecf415c20cfb8392a24999a28eaca7962d3c53308972ee4dc554d488d9814030a9

  • memory/1384-63-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2108-66-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2108-28-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2492-54-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3328-62-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3832-67-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4024-56-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4028-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4028-65-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4064-11-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4064-9-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp

    Filesize

    8KB

  • memory/4064-34-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4064-10-0x0000000000330000-0x0000000000654000-memory.dmp

    Filesize

    3.1MB

  • memory/4820-64-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB