Analysis
- max time kernel: 156s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 22:53
Behavioral task: behavioral1
- Sample: Rat remove.exe
- Resource: win10v2004-20240226-en
General
- Target: Rat remove.exe
- Size: 409KB
- MD5: 4a9a21634ca5574ce01fa7bac0950d54
- SHA1: c29eb629cbe62c7828f16c5ad6b29ba015eb7b69
- SHA256: a003924092f4eed3281ccd3f82d95548a809a09436ee07b01b6d738a7c1f809d
- SHA512: e82f2df2f40cf8d51a85c2ee4e3fe78ff739b1581688b5107cbd8bec53a1d351ef3c16fdf4e709ad7f47afa55e5bcc4ed8de224e587f4dd873e0486b08e7325e
- SSDEEP: 12288:YpiREGJFK6Fcbpdw5sI68ulIPPMQE1SQ:AwpJsb34ZPPsH
Malware Config
Extracted
- family: quasar
- 3.1.5
- SeroXen
- 147.185.221.20:47638
- $Sxr-GV6wZsGZZMeZ3qfenc
- encryption_key: hwFlXMrCGoyqiQGmMvlX
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows Defender Anti-Malware Disable Startup
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/3248-1-0x0000000000F40000-0x0000000000FAC000-memory.dmp | family_quasar
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Anti-Malware Disable Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rat remove.exe\"" | Rat remove.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    42 | ip-api.com
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3248 | Rat remove.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid | process
    3248 | Rat remove.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 3248 wrote to memory of 4508 | 3248 | Rat remove.exe | schtasks.exe
    PID 3248 wrote to memory of 4508 | 3248 | Rat remove.exe | schtasks.exe
    PID 3248 wrote to memory of 4508 | 3248 | Rat remove.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Rat remove.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe"
  PID: 3248
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe" /rl HIGHEST /f
    PID: 4508
    - Scheduled Task/Job: Scheduled Task
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
  PID: 1696
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)