Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 06:45
Behavioral task
behavioral1
Sample
kys.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
kys.exe
Resource
win10v2004-20241007-en
General
-
Target
kys.exe
-
Size
3.2MB
-
MD5
0515143005b3e92fe50594bc1e30af7b
-
SHA1
1f565728bcc13bf1e49760c98bd96e15dacb42fc
-
SHA256
676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
-
SHA512
e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
SSDEEP
49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ
Malware Config
Extracted
quasar
1.4.1
victim-hacked
192.168.100.2:4444
16229cd1-6d24-490c-9eb9-35319229cc03
-
encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
-
install_name
victim.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft Service
-
subdirectory
SubDir
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral2/files/0x000a000000023b96-7.dat family_quasar behavioral2/memory/4064-10-0x0000000000330000-0x0000000000654000-memory.dmp family_quasar behavioral2/files/0x000a000000023b98-23.dat family_quasar -
Executes dropped EXE 8 IoCs
pid Process 4064 kys.exe 4820 icsys.icn.exe 4024 victim.exe 2108 explorer.exe 1384 spoolsv.exe 2492 explorer.exe 3832 svchost.exe 3328 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File created C:\Windows\system32\SubDir\victim.exe kys.exe File opened for modification C:\Windows\system32\SubDir\victim.exe kys.exe File opened for modification C:\Windows\system32\SubDir kys.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe kys.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kys.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language victim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4028 kys.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4820 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2108 explorer.exe 3832 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4064 kys.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 4028 kys.exe 4028 kys.exe 4820 icsys.icn.exe 4820 icsys.icn.exe 4024 victim.exe 2108 explorer.exe 2108 explorer.exe 4024 victim.exe 1384 spoolsv.exe 2492 explorer.exe 1384 spoolsv.exe 2492 explorer.exe 3832 svchost.exe 3832 svchost.exe 3328 spoolsv.exe 3328 spoolsv.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4028 wrote to memory of 4064 4028 kys.exe 82 PID 4028 wrote to memory of 4064 4028 kys.exe 82 PID 4064 wrote to memory of 3664 4064 kys.exe 83 PID 4064 wrote to memory of 3664 4064 kys.exe 83 PID 4028 wrote to memory of 4820 4028 kys.exe 85 PID 4028 wrote to memory of 4820 4028 kys.exe 85 PID 4028 wrote to memory of 4820 4028 kys.exe 85 PID 4064 wrote to memory of 4024 4064 kys.exe 86 PID 4064 wrote to memory of 4024 4064 kys.exe 86 PID 4064 wrote to memory of 4024 4064 kys.exe 86 PID 4820 wrote to memory of 2108 4820 icsys.icn.exe 87 PID 4820 wrote to memory of 2108 4820 icsys.icn.exe 87 PID 4820 wrote to memory of 2108 4820 icsys.icn.exe 87 PID 2108 wrote to memory of 1384 2108 explorer.exe 88 PID 2108 wrote to memory of 1384 2108 explorer.exe 88 PID 2108 wrote to memory of 1384 2108 explorer.exe 88 PID 4024 wrote to memory of 2492 4024 victim.exe 89 PID 4024 wrote to memory of 2492 4024 victim.exe 89 PID 4024 wrote to memory of 2492 4024 victim.exe 89 PID 1384 wrote to memory of 3832 1384 spoolsv.exe 90 PID 1384 wrote to memory of 3832 1384 spoolsv.exe 90 PID 1384 wrote to memory of 3832 1384 spoolsv.exe 90 PID 3832 wrote to memory of 3328 3832 svchost.exe 91 PID 3832 wrote to memory of 3328 3832 svchost.exe 91 PID 3832 wrote to memory of 3328 3832 svchost.exe 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\kys.exe"C:\Users\Admin\AppData\Local\Temp\kys.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\users\admin\appdata\local\temp\kys.exec:\users\admin\appdata\local\temp\kys.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\victim.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:3664
-
-
C:\Windows\system32\SubDir\victim.exe"C:\Windows\system32\SubDir\victim.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2492
-
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3328
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD55def20bc149e979f4c18e238edb01874
SHA1813b5f3403652337ebf51b36f7c35c17a567786f
SHA2566a98d500eab158f232d41cc190cb13f96749f818995d3bc01477f4231d7c7254
SHA512fb51725d4367db8de825893235c34f6b1533f0a4cf25feac66efefa0c1d33a60d3723692cc9e00b4e0e032972e83e6b1f84d858284f1f1b0160e4e6c7e08bcfd
-
Filesize
135KB
MD520c2fe9a730ef6e2ee732d4b854f125b
SHA169236089a1291f96a66cc0d007944aff1697afdc
SHA25695060d4832274d9f65af5111acb2602a2458c085a51b2ad585aa274cfe6cec27
SHA5120123843886af98dcfbfb7563ba840efa53d4c565c4c11b62716d8c1a23d4678a1089d54f058e16790b73549761f3e0209845dc88cf8aa18dc73f44b2d37a78cc
-
Filesize
135KB
MD566e62bb0fa38ac291d43a10c025899f3
SHA1d1d7498ab9ce18a33916ce9744be992ec26d8f5d
SHA256fd9f1b7b05cfdc3d922174b0764c5bf48e9628e25c8ed0c20125aeb03b5139e1
SHA51256ae71d060932514d09431f540f53060870eb68d177021d83ee60ca872e0d84e39cfb5827bf16fad8bb7b1422250c4266bc10c20d8c6c6f01846fa408ebdafb1
-
Filesize
135KB
MD5d21020e810ed5b2b5f1a02caa5bbe5a3
SHA1873e98dd02a057e73158b1e961c9740d839fc67d
SHA256b5fd86b0717ac0954beb10880e4a0df161bdeae24d11bb4c5d0b839a002501ca
SHA5124adb07d517f5c6e80f4071e60838b50067c681c2e1121064013de815cd87de256566189299a4466bf22a425e44623e18f7a870ea2bad4bdab3fecfa0a3d7e8e9
-
Filesize
3.2MB
MD50515143005b3e92fe50594bc1e30af7b
SHA11f565728bcc13bf1e49760c98bd96e15dacb42fc
SHA256676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
SHA512e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
Filesize
135KB
MD52301c35e378417258da8356437a4a074
SHA12a6d5ddcd3dbe6b58189a986c9c38f797fa58dba
SHA256cd653401b07dea2c1079405a4d919ba4d75f6134985535e8fe1ab64be67f30a1
SHA512d5a6f44ab1ad037218646851918fd2618ccb9fff53a746be2216f35e3cc181ecf415c20cfb8392a24999a28eaca7962d3c53308972ee4dc554d488d9814030a9