Analysis 240427-nje4saaa9x (score: 10)
Submitted: 27/04/2024, 11:25
Max time kernel: 59s
Max time network: 56s
Platform: windows11-21h2_x64
Resource: win11-20240419-en
Resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
General
Target: CelexV2.exe
Size: 3.4MB
MD5: 086ecd8c32492885d5776efc72a551cc
SHA1: 05c8a9ea60d0012f9c48d1e4c083a7dafb98b776
SHA256: 26052a7cbba762383fc09fa567fbe0e4dae8c0f6cd8d1253b656f56cc68fc770
SHA512: facceff510b9a384471c2081126c64e4308ff1eb7b14db6974ce6c7d7fbde004e0d37b6d7eccb525c705249cba40fa1e32fb4be8ef04abaec18132917d589dc6
SSDEEP: 49152:vvde821/aQWl8P0lSk3aKA3Z+nYYSr1JBboGdVTHHB72eh2NTcY2b:vvw821/aQWl8P0lSk3DA3Z+nYYSB3x
Malware Config

Extracted family: quasar
Version: 1.4.1
Botnet: Kami
C2: ddqqswwzdzrr.3utilities.com:4782
Mutex: 9e9aa4ca-d696-4e54-9cbd-83e91918f73c

Attributes:
  encryption_key: 4586CDEAC9B29D84A4925415D110E19EDB8D0A8B
  install_name: KamiRat.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: KamiRat (deactivate this or it will run a the computer startup)
  subdirectory: Kami
Signatures

Quasar payload (2 IoCs)
  yara_rule family_quasar  behavioral1/memory/4808-0-0x0000000000E50000-0x00000000011B6000-memory.dmp
  yara_rule family_quasar  behavioral1/files/0x001a00000002ab1b-5.dat

Executes dropped EXE (3 IoCs)
  PID 2988  KamiRat.exe
  PID 1952  KamiRat.exe
  PID 3168  KamiRat.exe

Drops file in System32 directory (9 IoCs)
  File opened for modification  C:\Windows\system32\Kami              KamiRat.exe
  File opened for modification  C:\Windows\system32\Kami              CelexV2.exe
  File opened for modification  C:\Windows\system32\Kami              KamiRat.exe
  File opened for modification  C:\Windows\system32\Kami\KamiRat.exe  KamiRat.exe
  File opened for modification  C:\Windows\system32\Kami              KamiRat.exe
  File opened for modification  C:\Windows\system32\Kami\KamiRat.exe  KamiRat.exe
  File opened for modification  C:\Windows\system32\Kami\KamiRat.exe  KamiRat.exe
  File created                  C:\Windows\system32\Kami\KamiRat.exe  CelexV2.exe
  File opened for modification  C:\Windows\system32\Kami\KamiRat.exe  CelexV2.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4580  schtasks.exe
  PID 3128  schtasks.exe
  PID 680   schtasks.exe
  PID 1012  schtasks.exe

Runs ping.exe (1 TTP, 3 IoCs)
  PID 3536  PING.EXE
  PID 4024  PING.EXE
  PID 4668  PING.EXE

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege  PID 4808  CelexV2.exe
  Token: SeDebugPrivilege  PID 2988  KamiRat.exe
  Token: SeDebugPrivilege  PID 1952  KamiRat.exe
  Token: SeDebugPrivilege  PID 2644  CelexV2.exe
  Token: SeDebugPrivilege  PID 3168  KamiRat.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2988  KamiRat.exe
  PID 1952  KamiRat.exe
  PID 3168  KamiRat.exe

Suspicious use of WriteProcessMemory (32 IoCs; each event appears twice in the report)
  source PID  process      target PID  procid_target
  4808        CelexV2.exe  4580        81
  4808        CelexV2.exe  2988        83
  2988        KamiRat.exe  3128        84
  2988        KamiRat.exe  4768        86
  4768        cmd.exe      4612        88
  4768        cmd.exe      3536        89
  4768        cmd.exe      1952        92
  1952        KamiRat.exe  680         93
  1952        KamiRat.exe  3880        98
  3880        cmd.exe      1604        100
  3880        cmd.exe      4024        101
  3880        cmd.exe      3168        102
  3168        KamiRat.exe  1012        103
  3168        KamiRat.exe  2380        105
  2380        cmd.exe      1796        107
  2380        cmd.exe      4668        108

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\CelexV2.exe  (PID 4808)
  command line: "C:\Users\Admin\AppData\Local\Temp\CelexV2.exe"
  signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe  (PID 4580)
    command line: "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
    signatures: Creates scheduled task(s)
  C:\Windows\system32\Kami\KamiRat.exe  (PID 2988)
    command line: "C:\Windows\system32\Kami\KamiRat.exe"
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe  (PID 3128)
      command line: "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
      signatures: Creates scheduled task(s)
    C:\Windows\system32\cmd.exe  (PID 4768)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6yE5IPeiFJGr.bat" "
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com  (PID 4612)
        command line: chcp 65001
      C:\Windows\system32\PING.EXE  (PID 3536)
        command line: ping -n 10 localhost
        signatures: Runs ping.exe
      C:\Windows\system32\Kami\KamiRat.exe  (PID 1952)
        command line: "C:\Windows\system32\Kami\KamiRat.exe"
        signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe  (PID 680)
          command line: "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
          signatures: Creates scheduled task(s)
        C:\Windows\system32\cmd.exe  (PID 3880)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ZUE7pJAgeAW.bat" "
          signatures: Suspicious use of WriteProcessMemory
          C:\Windows\system32\chcp.com  (PID 1604)
            command line: chcp 65001
          C:\Windows\system32\PING.EXE  (PID 4024)
            command line: ping -n 10 localhost
            signatures: Runs ping.exe
          C:\Windows\system32\Kami\KamiRat.exe  (PID 3168)
            command line: "C:\Windows\system32\Kami\KamiRat.exe"
            signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            C:\Windows\SYSTEM32\schtasks.exe  (PID 1012)
              command line: "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
              signatures: Creates scheduled task(s)
            C:\Windows\system32\cmd.exe  (PID 2380)
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O8SEBxO0xxRe.bat" "
              signatures: Suspicious use of WriteProcessMemory
              C:\Windows\system32\chcp.com  (PID 1796)
                command line: chcp 65001
              C:\Windows\system32\PING.EXE  (PID 4668)
                command line: ping -n 10 localhost
                signatures: Runs ping.exe

C:\Windows\System32\rundll32.exe  (PID 3712)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\CelexV2.exe  (PID 2644)
  command line: "C:\Users\Admin\AppData\Local\Temp\CelexV2.exe"
  signatures: Suspicious use of AdjustPrivilegeToken
Downloads