Analysis
- max time kernel: 191s
- max time network: 214s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 12:51
Behavioral tasks
- behavioral1: sample getrat.exe, resource win10v2004-20240226-en
- behavioral2: sample getrat.exe, resource win11-20240426-en
General
- Target: getrat.exe
- Size: 409KB
- MD5: 18b1039a3013abc959410add72aab2d2
- SHA1: 23fc4f25ea5bcb635254b8b6ef6cb79d05f4372d
- SHA256: 74072cb82f64ed34239c3841331663624e148cf50d7dc9cf340c71ebff24e6fd
- SHA512: 924791c7854c522e772e531dfa9fbf44be6f8da3532a82135138d6b5b803f190e680988436b55b64f29ca6cf2eb0af397769d299ce00f48200ea66b1c04964df
- SSDEEP: 6144:jMs9p1kREG60olIZHeDzCNz3IqR21C7+bXakEA8b/jt/vIBKPrx5:LpiREGJ3ZHeDzC7RHiSXt/vIB0rv
Malware Config
Extracted (family: quasar, version 3.1.5)
- SeroXen | v3.1.5 |
- adult-mai.gl.at.ply.gg:51745
- $Sxr-jy6vh8CtEJL5ceZuIb
- encryption_key: 1TbGeXOsJEBH7iT0wKPt
- install_name: $sxr-powershell.exe
- log_directory: $sxr-Logs
- reconnect_delay: 3000
- startup_key: lol
- subdirectory: $sxr-seroxen2
Signatures
- Quasar payload (2 IoCs)
  Processes (resource -> yara_rule):
    behavioral1/memory/3544-1-0x0000000000490000-0x00000000004FC000-memory.dmp -> family_quasar
    C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe -> family_quasar
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3272 $sxr-powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lol = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\getrat.exe\"" by getrat.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    flow 33 -> ip-api.com
- Drops file in System32 directory (4 IoCs)
  Processes (description, ioc, process):
    File created C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe by getrat.exe
    File opened for modification C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe by getrat.exe
    File opened for modification C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe by $sxr-powershell.exe
    File opened for modification C:\Windows\SysWOW64\$sxr-seroxen2 by $sxr-powershell.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName by taskmgr.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 by taskmgr.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A by taskmgr.exe
- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
    6124 SCHTASKS.exe
    5368 schtasks.exe
    4360 SCHTASKS.exe
    5976 schtasks.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
    Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings by taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    3124 taskmgr.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 3544 getrat.exe
    Token: SeDebugPrivilege 3272 $sxr-powershell.exe
    Token: SeDebugPrivilege 3124 taskmgr.exe
    Token: SeSystemProfilePrivilege 3124 taskmgr.exe
    Token: SeCreateGlobalPrivilege 3124 taskmgr.exe
    Token: SeDebugPrivilege 4304 getrat.exe
    Token: 33 3124 taskmgr.exe
    Token: SeIncBasePriorityPrivilege 3124 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid, process):
    3124 taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (pid, process):
    3124 taskmgr.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    3272 $sxr-powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process -> target process):
    PID 3544 wrote to memory of 5368: getrat.exe -> schtasks.exe (3 entries)
    PID 3544 wrote to memory of 3272: getrat.exe -> $sxr-powershell.exe (3 entries)
    PID 3544 wrote to memory of 4360: getrat.exe -> SCHTASKS.exe (3 entries)
    PID 3272 wrote to memory of 5976: $sxr-powershell.exe -> schtasks.exe (3 entries)
    PID 4304 wrote to memory of 6124: getrat.exe -> SCHTASKS.exe (3 entries)
Processes (process tree, children indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\getrat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\getrat.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\getrat.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe
    command line: "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "lol" /sc ONLOGON /tr "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\SCHTASKS.exe
    command line: "SCHTASKS.exe" /create /tn "$77getrat.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\getrat.exe'" /sc onlogon /rl HIGHEST
    - Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\getrat.exe (second instance)
  command line: "C:\Users\Admin\AppData\Local\Temp\getrat.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\SCHTASKS.exe
    command line: "SCHTASKS.exe" /create /tn "$77getrat.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\getrat.exe'" /sc onlogon /rl HIGHEST
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\getrat.exe.log
  Filesize: 1KB
  MD5: 10eab9c2684febb5327b6976f2047587
  SHA1: a12ed54146a7f5c4c580416aecb899549712449e
  SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
  SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
- C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe (same hashes as the submitted sample)
  Filesize: 409KB
  MD5: 18b1039a3013abc959410add72aab2d2
  SHA1: 23fc4f25ea5bcb635254b8b6ef6cb79d05f4372d
  SHA256: 74072cb82f64ed34239c3841331663624e148cf50d7dc9cf340c71ebff24e6fd
  SHA512: 924791c7854c522e772e531dfa9fbf44be6f8da3532a82135138d6b5b803f190e680988436b55b64f29ca6cf2eb0af397769d299ce00f48200ea66b1c04964df
Memory dumps (resource, filesize)
- memory/3124-35-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-29-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-31-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-32-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-33-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-34-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-25-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-30-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-23-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3124-24-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp: 4KB
- memory/3272-15-0x0000000074DA0000-0x0000000075550000-memory.dmp: 7.7MB
- memory/3272-19-0x0000000006B20000-0x0000000006B2A000-memory.dmp: 40KB
- memory/3272-20-0x0000000074DA0000-0x0000000075550000-memory.dmp: 7.7MB
- memory/3272-14-0x0000000074DA0000-0x0000000075550000-memory.dmp: 7.7MB
- memory/3544-6-0x0000000005F20000-0x0000000005F32000-memory.dmp: 72KB
- memory/3544-17-0x0000000074DA0000-0x0000000075550000-memory.dmp: 7.7MB
- memory/3544-9-0x0000000074DAE000-0x0000000074DAF000-memory.dmp: 4KB
- memory/3544-7-0x0000000006360000-0x000000000639C000-memory.dmp: 240KB
- memory/3544-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp: 4KB
- memory/3544-5-0x0000000005320000-0x0000000005386000-memory.dmp: 408KB
- memory/3544-4-0x0000000074DA0000-0x0000000075550000-memory.dmp: 7.7MB
- memory/3544-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp: 584KB
- memory/3544-2-0x0000000005410000-0x00000000059B4000-memory.dmp: 5.6MB
- memory/3544-1-0x0000000000490000-0x00000000004FC000-memory.dmp: 432KB