Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 22:55
General
Target: Rat remove.exe
Size: 409KB
MD5: 4a9a21634ca5574ce01fa7bac0950d54
SHA1: c29eb629cbe62c7828f16c5ad6b29ba015eb7b69
SHA256: a003924092f4eed3281ccd3f82d95548a809a09436ee07b01b6d738a7c1f809d
SHA512: e82f2df2f40cf8d51a85c2ee4e3fe78ff739b1581688b5107cbd8bec53a1d351ef3c16fdf4e709ad7f47afa55e5bcc4ed8de224e587f4dd873e0486b08e7325e
SSDEEP: 12288:YpiREGJFK6Fcbpdw5sI68ulIPPMQE1SQ:AwpJsb34ZPPsH
Malware Config
Extracted
quasar
3.1.5
SeroXen
147.185.221.20:47638
$Sxr-GV6wZsGZZMeZ3qfenc
encryption_key: hwFlXMrCGoyqiQGmMvlX
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Defender Anti-Malware Disable Startup
subdirectory: SubDir
Signatures

Quasar payload 1 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/4528-1-0x0000000000A80000-0x0000000000AEC000-memory.dmp  family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Rat remove.exe
description        ioc                                                                                                process
Key value queried  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation  Rat remove.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
7     ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe 1 TTPs 1 IoCs

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, SCHTASKS.exe
pid   process
3908  schtasks.exe
2260  SCHTASKS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Rat remove.exe
description              pid   process
Token: SeDebugPrivilege  4528  Rat remove.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Rat remove.exe
pid   process
4528  Rat remove.exe

Suspicious use of WriteProcessMemory 18 IoCs
Processes: Rat remove.exe, cmd.exe
description                       pid   process         target process
PID 4528 wrote to memory of 3908  4528  Rat remove.exe  schtasks.exe
PID 4528 wrote to memory of 3908  4528  Rat remove.exe  schtasks.exe
PID 4528 wrote to memory of 3908  4528  Rat remove.exe  schtasks.exe
PID 4528 wrote to memory of 2664  4528  Rat remove.exe  schtasks.exe
PID 4528 wrote to memory of 2664  4528  Rat remove.exe  schtasks.exe
PID 4528 wrote to memory of 2664  4528  Rat remove.exe  schtasks.exe
PID 4528 wrote to memory of 4564  4528  Rat remove.exe  cmd.exe
PID 4528 wrote to memory of 4564  4528  Rat remove.exe  cmd.exe
PID 4528 wrote to memory of 4564  4528  Rat remove.exe  cmd.exe
PID 4564 wrote to memory of 2760  4564  cmd.exe         chcp.com
PID 4564 wrote to memory of 2760  4564  cmd.exe         chcp.com
PID 4564 wrote to memory of 2760  4564  cmd.exe         chcp.com
PID 4564 wrote to memory of 2772  4564  cmd.exe         PING.EXE
PID 4564 wrote to memory of 2772  4564  cmd.exe         PING.EXE
PID 4564 wrote to memory of 2772  4564  cmd.exe         PING.EXE
PID 4528 wrote to memory of 2260  4528  Rat remove.exe  SCHTASKS.exe
PID 4528 wrote to memory of 2260  4528  Rat remove.exe  SCHTASKS.exe
PID 4528 wrote to memory of 2260  4528  Rat remove.exe  SCHTASKS.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Rat remove.exe
  "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4528

    C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
      PID: 3908

    C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /delete /tn "Windows Defender Anti-Malware Disable Startup" /f
      PID: 2664

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQepBmbV26RD.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4564

        C:\Windows\SysWOW64\chcp.com
          chcp 65001
          PID: 2760

        C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          - Runs ping.exe
          PID: 2772

    C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Rat remove.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Rat remove.exe'" /sc onlogon /rl HIGHEST
      - Scheduled Task/Job: Scheduled Task
      PID: 2260
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 262B
MD5: 6e458a8aa967ba9244aa970902da1abb
SHA1: e2cf7d52250b9aa4fd48c8cc151c79350c68190e
SHA256: 4c2355377886427fb4bc31cf1ceca35cd5448e83b227fe7daff1c26462db498f
SHA512: 63e61304ac1a90cfd892e10338169afd3bf46f929ad966ef005857e4c9b9772d24e28f7dc2c356dfb473c8d8b3cff2ca3903ffbb5e663755f1be24bf1f4cfe89

Filesize: 224B
MD5: d5152d58131f1aa7b17ec39e7a6757a6
SHA1: a334ebf7fbcaf30b155cfc83ab024392a43c3ca5
SHA256: 77bfc9c1d8e32109cae8fcc52d9d44de4c1d50af786558f0b7876417c7ca94be
SHA512: 3fbe74754c2c07584a493d1333d73c0f6db29e7406b35abc19c759a1c68d2e4c0e94f59d5323fd4eda9292d447d2a2a4bed1ebd8288a3becd4087a9c57f9be11