Analysis
  max time kernel:  112s
  max time network: 117s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230220-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        29-05-2023 09:43

Behavioral task behavioral1
  Sample:   ren_installer.exe
  Resource: win7-20230220-en

Behavioral task behavioral2
  Sample:   ren_installer.exe
  Resource: win10v2004-20230220-en
General
  Target: ren_installer.exe
  Size:   3.1MB
  MD5:    10c9f8a8e8c8c9797643d9b1edb01cc1
  SHA1:   defcd4e8bba01bb730572dff40fad78e053f337a
  SHA256: 0809e0c6095acabdcb816728c39fc818741c3197c4635d7a53a926f2f8df7557
  SHA512: a3c1e18ed24bcc03385a6cb7e50bae9c475c93f0a9af88ac731e9c1923b314ea60e79bd4b9b420b31050ea2d67ac6746cb7d3b2edba7056e91fd665f12311849
  SSDEEP: 49152:+vgt62XlaSFNWPjljiFa2RoUYI3vLroGd4THHB72eh2NT:+vM62XlaSFNWPjljiFXRoUYI3vf
Malware Config
  Extracted: quasar 1.4.1
    ReServices
    185.65.134.175:55498
    86e242cc-399d-4e30-a743-e89f0418f106
  encryption_key:  B451C26057A2AEFC83990793720D2316EA48C49A
  install_name:    renservice.exe
  log_directory:   Logs
  reconnect_delay: 3000
  startup_key:     renservice
  subdirectory:    servicerenk
Signatures

Quasar payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4848-133-0x0000000000A80000-0x0000000000DA4000-memory.dmp  family_quasar
  C:\Windows\System32\servicerenk\renservice.exe                                family_quasar
  C:\Windows\system32\servicerenk\renservice.exe                                family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation  renservice.exe

Executes dropped EXE (1 IoC)
  pid   process
  4520  renservice.exe

Drops file in System32 directory (5 IoCs)
  description                   ioc                                             process
  File opened for modification  C:\Windows\system32\servicerenk\renservice.exe  ren_installer.exe
  File opened for modification  C:\Windows\system32\servicerenk                 ren_installer.exe
  File opened for modification  C:\Windows\system32\servicerenk\renservice.exe  renservice.exe
  File opened for modification  C:\Windows\system32\servicerenk                 renservice.exe
  File created                  C:\Windows\system32\servicerenk\renservice.exe  ren_installer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4848  ren_installer.exe
  Token: SeDebugPrivilege  4520  renservice.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   process
  4520  renservice.exe
  4520  renservice.exe
  4520  renservice.exe
  4520  renservice.exe

Suspicious use of SendNotifyMessage (4 IoCs)
  pid   process
  4520  renservice.exe
  4520  renservice.exe
  4520  renservice.exe
  4520  renservice.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description                       pid   process            target process
  PID 4848 wrote to memory of 3452  4848  ren_installer.exe  schtasks.exe
  PID 4848 wrote to memory of 3452  4848  ren_installer.exe  schtasks.exe
  PID 4848 wrote to memory of 4520  4848  ren_installer.exe  renservice.exe
  PID 4848 wrote to memory of 4520  4848  ren_installer.exe  renservice.exe
  PID 4520 wrote to memory of 884   4520  renservice.exe     schtasks.exe
  PID 4520 wrote to memory of 884   4520  renservice.exe     schtasks.exe
  PID 4520 wrote to memory of 3668  4520  renservice.exe     cmd.exe
  PID 4520 wrote to memory of 3668  4520  renservice.exe     cmd.exe
  PID 3668 wrote to memory of 452   3668  cmd.exe            chcp.com
  PID 3668 wrote to memory of 452   3668  cmd.exe            chcp.com
  PID 3668 wrote to memory of 2632  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 2632  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 4484  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 4484  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 4876  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 4876  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 5092  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 5092  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 1236  3668  cmd.exe            cmd.exe
  PID 3668 wrote to memory of 1236  3668  cmd.exe            cmd.exe
  PID 4520 wrote to memory of 4472  4520  renservice.exe     schtasks.exe
  PID 4520 wrote to memory of 4472  4520  renservice.exe     schtasks.exe
  PID 4520 wrote to memory of 4748  4520  renservice.exe     cmd.exe
  PID 4520 wrote to memory of 4748  4520  renservice.exe     cmd.exe
  PID 4748 wrote to memory of 752   4748  cmd.exe            chcp.com
  PID 4748 wrote to memory of 752   4748  cmd.exe            chcp.com
  PID 4748 wrote to memory of 980   4748  cmd.exe            PING.EXE
  PID 4748 wrote to memory of 980   4748  cmd.exe            PING.EXE

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth in brackets; each entry lists the image path, its command line, and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\ren_installer.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ren_installer.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "renservice" /sc ONLOGON /tr "C:\Windows\system32\servicerenk\renservice.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

  [2] C:\Windows\system32\servicerenk\renservice.exe
      command line: "C:\Windows\system32\servicerenk\renservice.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SYSTEM32\schtasks.exe
        command line: "schtasks" /create /tn "renservice" /sc ONLOGON /tr "C:\Windows\system32\servicerenk\renservice.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\cmd.exe
        command line: "cmd" /K CHCP 437
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\chcp.com
          command line: CHCP 437

      [4] C:\Windows\system32\cmd.exe
          command line: cmd.exe

      [4] C:\Windows\system32\cmd.exe
          command line: cmd.exe

      [4] C:\Windows\system32\cmd.exe
          command line: cmd.exe

      [4] C:\Windows\system32\cmd.exe
          command line: cmd.exe

      [4] C:\Windows\system32\cmd.exe
          command line: cmd.exe

    [3] C:\Windows\SYSTEM32\schtasks.exe
        command line: "schtasks" /delete /tn "renservice" /f

    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEJsROPL1SCi.bat" "
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\chcp.com
          command line: chcp 65001

      [4] C:\Windows\system32\PING.EXE
          command line: ping -n 10 localhost
          - Runs ping.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\XEJsROPL1SCi.bat
  Filesize: 209B
  MD5:      09c5858ca4ebb542a545c715d7d37bac
  SHA1:     0dfaf1a63d5bfdc18fd88d0bfddd0fb888a37d28
  SHA256:   756315f75d0bf56a106fb9d13dfd85fd3e2ac9b87c3dae6aaaa59c591230c9b1
  SHA512:   d6ddec5cdb61761a9a5608c99a50933acbffa85bb84fe0bd1160012c551aacc5c55a4351c0cba3599cec2b9c1536fc4c6104b90dee4ca8c776df3fdb04cb46da

C:\Windows\System32\servicerenk\renservice.exe
  Filesize: 3.1MB
  MD5:      10c9f8a8e8c8c9797643d9b1edb01cc1
  SHA1:     defcd4e8bba01bb730572dff40fad78e053f337a
  SHA256:   0809e0c6095acabdcb816728c39fc818741c3197c4635d7a53a926f2f8df7557
  SHA512:   a3c1e18ed24bcc03385a6cb7e50bae9c475c93f0a9af88ac731e9c1923b314ea60e79bd4b9b420b31050ea2d67ac6746cb7d3b2edba7056e91fd665f12311849

C:\Windows\system32\servicerenk\renservice.exe
  Filesize: 3.1MB
  MD5:      10c9f8a8e8c8c9797643d9b1edb01cc1
  SHA1:     defcd4e8bba01bb730572dff40fad78e053f337a
  SHA256:   0809e0c6095acabdcb816728c39fc818741c3197c4635d7a53a926f2f8df7557
  SHA512:   a3c1e18ed24bcc03385a6cb7e50bae9c475c93f0a9af88ac731e9c1923b314ea60e79bd4b9b420b31050ea2d67ac6746cb7d3b2edba7056e91fd665f12311849

Memory dumps
  resource                                                           Filesize
  memory/4520-143-0x000000001C420000-0x000000001C4D2000-memory.dmp  712KB
  memory/4520-141-0x000000001B4C0000-0x000000001B4D0000-memory.dmp  64KB
  memory/4520-142-0x000000001C310000-0x000000001C360000-memory.dmp  320KB
  memory/4520-146-0x000000001C360000-0x000000001C372000-memory.dmp  72KB
  memory/4520-147-0x000000001C3C0000-0x000000001C3FC000-memory.dmp  240KB
  memory/4520-148-0x000000001B4C0000-0x000000001B4D0000-memory.dmp  64KB
  memory/4520-149-0x000000001CE20000-0x000000001CFC9000-memory.dmp  1.7MB
  memory/4520-150-0x000000001CE20000-0x000000001CFC9000-memory.dmp  1.7MB
  memory/4520-151-0x000000001CE20000-0x000000001CFC9000-memory.dmp  1.7MB
  memory/4520-161-0x000000001CE20000-0x000000001CFC9000-memory.dmp  1.7MB
  memory/4848-133-0x0000000000A80000-0x0000000000DA4000-memory.dmp  3.1MB
  memory/4848-134-0x000000001BAC0000-0x000000001BAD0000-memory.dmp  64KB