Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
15-06-2024 19:01
General
-
Target
Remcosv4.9.3LightMOD.exe
-
Size
40.3MB
-
MD5
d3de21913cdebc1c84d668de22831d85
-
SHA1
2619ebb87016473c06ed820a8d26120b704b8023
-
SHA256
4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a
-
SHA512
bccee54ff31b9321020276c311f609951c47dac790ddfc47bcca0d19052fcd5d27340cb99d87f4c762e11c99f39a2b7cbe379d2fabdc8da91c637adccd8339cf
-
SSDEEP
786432:MukwgGc0LdSPyiMJj2uK0P7ts6CcEwVOgjxBdgoz8pF4zqIdvXO/:Xc0QaiYj2AP7y62wV5jxBXVPG
Malware Config
Extracted
quasar
1.4.1
Remcos
team-circles.gl.at.ply.gg:25349
109bae44-c7e4-46f2-82cd-2c3efb4dc47e
-
encryption_key
78AF43F549EE55D0FC30D38EC96EAA6F3A3F5CDF
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
WD Defender
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe"C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4JRyx7MclZe.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\II61zF3datav.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKW8AKrQyRrH.bat" "8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f10⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UZttjw4P4z1P.bat" "10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f12⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iw0IkepjtkE4.bat" "12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f14⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CxCIzacfbgAD.bat" "14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f16⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y6PRFWzDgVPd.bat" "16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f18⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.logFilesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Local\Temp\CxCIzacfbgAD.batFilesize
220B
MD5bc7d5be260cce4823e4895938b6ce44b
SHA187a5c1cbd785b4c7f792093d637e4678ff57911d
SHA25635245389170d2fa56a66ad41981171e8dc83df15e769604193c68f245f4119ac
SHA5123a35697391e62c70a5bbd10594dfc17c11288763a36fdc3baed8812a4e8157379d647a037ee4fbbe464bef3ed007ba6d98d9094ca29f62238aa7ff0139b5a5db
-
C:\Users\Admin\AppData\Local\Temp\II61zF3datav.batFilesize
220B
MD5dfaac48c02e84a1fff0413c1247ea532
SHA1b3aa72d178b0c18fe19922d8efa0e14da6803eef
SHA2567c0f620498cd3af929c830bc09ed8a8b69173eb4e448351967d02b362cb4f5a4
SHA5121a6cb45770b37e17dddd0d6d14d9e4e82c2f7b868a59bd095c69e1722765a889f15a2fb4820c700573a09d40379d06f34f86f1b9f4847c9de3e7453894b9b0eb
-
C:\Users\Admin\AppData\Local\Temp\Iw0IkepjtkE4.batFilesize
220B
MD5e471c73881f70d90f33d4258f16c6009
SHA12f7e51d7ca6b131975b8299ccd49388e41e13c59
SHA2563dd9b20814b3a8564dc441d8f44d838acd9539884bf19c7ae237fa0fbad55ce5
SHA5122e13a16aecaab21948af86cb090fbfb1557c3f12016e5e9d635260bbfcb161e3d157f174734791e23b157ca44a4a895ea66c565b468432802585b6ae5658949e
-
C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exeFilesize
39.2MB
MD56eacce4a82cf898472ad2aa8b0267cca
SHA1954def54ec22b1ade594e7f501384fe19d2bbfef
SHA256522a915d9a78b68fee628014e4559e82bcbf137d9abc521e57b6e7aca695cec7
SHA5123004e9f64ba6258b3780d534bd59b3c8ae611e29d846e0aaa197af892f56708379b4996295de5c777ef845a031c44915bf3faa17b137f892a81373423bd47ad1
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exeFilesize
3.1MB
MD50296021acfb4f37e63df4de7461ebfd9
SHA114117dba6ce87cbb6561ebdfffec60cb21860800
SHA2564fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a
SHA512ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee
-
C:\Users\Admin\AppData\Local\Temp\UZttjw4P4z1P.batFilesize
220B
MD557f65dd6450e8f46d070c4303f249f70
SHA1b46f3ef3d1ccc788ed040a4eaf869dff23f9202a
SHA25651b403ea03fe3f50a1de1df2cf6e330b406d777daf50a1528f249fc8be6e7ec5
SHA5121fbe571f323d42603d282798407c5a04ad2ac3967796f2a8e71693f3bb7ba566d738be0a408088ad32bca25912fbe0807c5c339a2e0fa6dee7e025cbc098cb06
-
C:\Users\Admin\AppData\Local\Temp\d4JRyx7MclZe.batFilesize
220B
MD5c6dbeeb59302789c2fd17ee467280be0
SHA18ff7a2f2a21d6f113ff01e1855b5943d30194f25
SHA2561ba4aa48878d66d12c014c2c3267e60eb42a547eadd261f81270c0c15076b8c2
SHA5127dd82db3fc9be769c87226bab87c21ae2d10ae9055e2f042dbc65ca341a839ba3eb8f789d6d5ed1ae804f91244c9dbde336075c404094c9ddb71a00656e21c73
-
C:\Users\Admin\AppData\Local\Temp\uKW8AKrQyRrH.batFilesize
220B
MD5a86cbae20775287a30e3176469f547a3
SHA183dbf7dbb89e9982d51e7983647460510277fe0c
SHA2567cf5080526ec6049d03aae088126cb8f604cc33a49f453e96e9d2a8e56e21f44
SHA512134895067a762ccdf511e52d0ce7b70ed54f79749c5a4b57cc4e616873673b855924e02e1dc2c39cce857a6f06ab967695da4c725443098ccb524ee331925ac8
-
C:\Users\Admin\AppData\Local\Temp\y6PRFWzDgVPd.batFilesize
220B
MD51c46c31511380c92d8bbda2ddd871844
SHA1132d2e7b29e27f739ac8e5f8f0e47fcf60c5f9b4
SHA2562983aa8fe86bb2a321ba9b75996cbe18f34c3ca112ed920f9bc8520b2d3bbe50
SHA512bc3027c1deee4ab3bb2221df0c5b6f3e1a535c998850bf46db5c72cedef48acd6f483b10a6d7f53b7c00d9c467b8742fe53324afb5e44778ccfb8bd1062856b7
-
memory/1524-39-0x0000000006940000-0x0000000006941000-memory.dmpFilesize
4KB
-
memory/1524-44-0x0000000000400000-0x000000000668E000-memory.dmpFilesize
98.6MB
-
memory/1524-36-0x0000000006900000-0x0000000006901000-memory.dmpFilesize
4KB
-
memory/1524-40-0x0000000006B70000-0x0000000006B71000-memory.dmpFilesize
4KB
-
memory/1524-41-0x0000000006B80000-0x0000000006B81000-memory.dmpFilesize
4KB
-
memory/1524-42-0x0000000006B90000-0x0000000006B91000-memory.dmpFilesize
4KB
-
memory/1524-43-0x0000000006BA0000-0x0000000006BA1000-memory.dmpFilesize
4KB
-
memory/1524-38-0x0000000006930000-0x0000000006931000-memory.dmpFilesize
4KB
-
memory/1524-37-0x0000000006920000-0x0000000006921000-memory.dmpFilesize
4KB
-
memory/2548-26-0x0000000000F10000-0x0000000001234000-memory.dmpFilesize
3.1MB
-
memory/3288-35-0x000000001BE30000-0x000000001BEE2000-memory.dmpFilesize
712KB
-
memory/3288-34-0x000000001BD20000-0x000000001BD70000-memory.dmpFilesize
320KB
-
memory/4820-0-0x00007FFDE6193000-0x00007FFDE6195000-memory.dmpFilesize
8KB
-
memory/4820-25-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmpFilesize
10.8MB
-
memory/4820-2-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmpFilesize
10.8MB
-
memory/4820-1-0x00000000003A0000-0x0000000002BF4000-memory.dmpFilesize
40.3MB