Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 22:55
General
Target: Rat remove.exe
Size: 409KB
MD5: 4a9a21634ca5574ce01fa7bac0950d54
SHA1: c29eb629cbe62c7828f16c5ad6b29ba015eb7b69
SHA256: a003924092f4eed3281ccd3f82d95548a809a09436ee07b01b6d738a7c1f809d
SHA512: e82f2df2f40cf8d51a85c2ee4e3fe78ff739b1581688b5107cbd8bec53a1d351ef3c16fdf4e709ad7f47afa55e5bcc4ed8de224e587f4dd873e0486b08e7325e
SSDEEP: 12288:YpiREGJFK6Fcbpdw5sI68ulIPPMQE1SQ:AwpJsb34ZPPsH
Malware Config
Extracted
family: quasar
version: 3.1.5
botnet/campaign tag: SeroXen
C2: 147.185.221.20:47638
mutex: $Sxr-GV6wZsGZZMeZ3qfenc
encryption_key: hwFlXMrCGoyqiQGmMvlX
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds)
startup_key: Windows Defender Anti-Malware Disable Startup
subdirectory: SubDir

The startup_key is the name the client gives its persistence entry; it is the same string used as the scheduled task name in the process tree below, so it doubles as a host-level IoC.
Signatures

Quasar payload 1 IoCs
  resource: behavioral1/memory/1276-1-0x0000000000120000-0x000000000018C000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation
  process: Rat remove.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 6
  ioc: ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe 1 TTPs 1 IoCs

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3396  schtasks.exe
  pid 4480  SCHTASKS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description: Token: SeDebugPrivilege
  pid 1276  Rat remove.exe

Suspicious use of SetWindowsHookEx 1 IoCs
  pid 1276  Rat remove.exe

Suspicious use of WriteProcessMemory 18 IoCs
  source pid  source process   target pid  target process   rows
  1276        Rat remove.exe   3396        schtasks.exe     3
  1276        Rat remove.exe   5020        schtasks.exe     3
  1276        Rat remove.exe   2260        cmd.exe          3
  2260        cmd.exe          4276        chcp.com         3
  2260        cmd.exe          4076        PING.EXE         3
  1276        Rat remove.exe   4480        SCHTASKS.exe     3
  (each source/target pair is reported three times, 18 rows in total)
Processes

C:\Users\Admin\AppData\Local\Temp\Rat remove.exe  (PID 1276)
  "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 3396)
    "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\schtasks.exe  (PID 5020)
    "schtasks" /delete /tn "Windows Defender Anti-Malware Disable Startup" /f

  C:\Windows\SysWOW64\cmd.exe  (PID 2260)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwAG0zFFvTWu.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com  (PID 4276)
      chcp 65001

    C:\Windows\SysWOW64\PING.EXE  (PID 4076)
      ping -n 10 localhost
      - Runs ping.exe

  C:\Windows\SysWOW64\SCHTASKS.exe  (PID 4480)
    "SCHTASKS.exe" /create /tn "$77Rat remove.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Rat remove.exe'" /sc onlogon /rl HIGHEST
    - Scheduled Task/Job: Scheduled Task

Notes on the tree: every child is launched from SysWOW64, so the parent is a 32-bit process running under WOW64. The first schtasks call registers a logon-triggered, highest-run-level task under the name taken from the config's startup_key and pointing back at the sample in %TEMP%; the same task is deleted moments later, then re-created by PID 4480 under the name "$77Rat remove.exe". The "$77" prefix is the naming convention the r77 rootkit uses to hide files, processes and tasks, which is consistent with the SeroXen tag in the extracted config. The dropped batch file KwAG0zFFvTWu.bat switches the console to UTF-8 (chcp 65001) and runs "ping -n 10 localhost", which is a roughly nine-second sleep rather than any network activity.
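The two schtasks invocations above are the host-level artifact most worth alerting on. The following is an added example, not part of the sandbox report or the Quasar/SeroXen tooling, that parses schtasks command lines out of process-creation events and scores the persistence pattern seen here: a create action with a logon trigger, highest run level, an action path under a user-writable directory, and a task name that either impersonates Windows Defender or carries the r77 "$77" hiding prefix. The event layout ("ts|pid|ppid|image|cmdline"), the sample rows (constructed to mirror the report, plus one benign OneDrive control) and the scoring weights and threshold are all assumptions of the example.

```python
"""Flag schtasks.exe persistence resembling the Quasar/SeroXen install routine.

Added example: the events below are constructed, not real sensor output; the
field layout and the scoring weights are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed process-creation events, "ts|pid|ppid|image|cmdline".
# Rows 2-4 mirror the schtasks calls in the report's process tree; row 1 is a
# benign control so the heuristic has something it must NOT flag.
SAMPLE_EVENTS = [
    r'''2024-06-27T22:55:01|3100|900|C:\Windows\System32\schtasks.exe|"schtasks" /create /tn "OneDrive Standalone Update Task" /sc DAILY /tr "C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"''',
    r'''2024-06-27T22:55:03|3396|1276|C:\Windows\SysWOW64\schtasks.exe|"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe" /rl HIGHEST /f''',
    r'''2024-06-27T22:55:03|5020|1276|C:\Windows\SysWOW64\schtasks.exe|"schtasks" /delete /tn "Windows Defender Anti-Malware Disable Startup" /f''',
    r'''2024-06-27T22:55:14|4480|1276|C:\Windows\SysWOW64\SCHTASKS.exe|"SCHTASKS.exe" /create /tn "$77Rat remove.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Rat remove.exe'" /sc onlogon /rl HIGHEST''',
]

# Windows command lines: double-quoted runs stay one token, everything else splits on whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')
# Locations a standard user can write to; a scheduled task pointing here is rarely legitimate.
_USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\[^\\]+\\Downloads|Temp|ProgramData)\\", re.I)
# Task names that borrow security-product vocabulary to look benign.
_DEFENDER_LURE = re.compile(r"windows\s*defender|anti-?malware|security\s*health", re.I)
# Prefix the r77 rootkit uses to mark objects it should hide from enumeration.
_R77_PREFIX = "$77"


def parse_schtasks(cmdline: str) -> dict:
    """Reduce a schtasks.exe command line to action, /tn, /tr, /sc, /rl and /f."""
    toks = [t.strip('"').strip("'") for t in _TOKEN.findall(cmdline)]
    parsed = {"action": None, "tn": None, "tr": None, "sc": None, "rl": None, "force": False}
    i = 1  # toks[0] is the program name
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/query", "/run", "/end"):
            parsed["action"] = t[1:]
        elif t == "/f":
            parsed["force"] = True
        elif t in ("/tn", "/tr", "/sc", "/rl") and i + 1 < len(toks):
            parsed[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return parsed


def score_task(parsed: dict) -> tuple[int, list[str]]:
    """Weighted indicators for a task creation; deletes and queries score zero."""
    reasons: list[str] = []
    score = 0
    if parsed["action"] != "create":
        return 0, reasons
    if (parsed["sc"] or "").lower() in ("onlogon", "onstart"):
        score += 1
        reasons.append("logon/boot trigger")
    if (parsed["rl"] or "").lower() == "highest":
        score += 1
        reasons.append("runs with highest run level")
    if parsed["tr"] and _USER_WRITABLE.search(parsed["tr"]):
        score += 1
        reasons.append("action lives under a user-writable path")
    name = parsed["tn"] or ""
    if name.startswith(_R77_PREFIX):
        score += 2
        reasons.append("r77 '$77' hiding prefix in task name")
    if _DEFENDER_LURE.search(name):
        score += 1
        reasons.append("task name impersonates a security product")
    return score, reasons


@dataclass
class Finding:
    pid: int
    ppid: int
    task_name: str
    target: str
    score: int
    reasons: list[str]


def scan(events: list[str], threshold: int = 3) -> list[Finding]:
    """Return one Finding per schtasks creation whose score reaches the threshold."""
    findings = []
    for line in events:
        _ts, pid, ppid, image, cmdline = line.split("|", 4)
        if not image.lower().endswith("\\schtasks.exe"):
            continue
        parsed = parse_schtasks(cmdline)
        score, reasons = score_task(parsed)
        if score >= threshold:
            findings.append(Finding(int(pid), int(ppid), parsed["tn"] or "", parsed["tr"] or "", score, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} (parent {f.ppid}) task {f.task_name!r} -> {f.target!r} "
              f"score {f.score}: {'; '.join(f.reasons)}")
```

Run against the constructed events, both of the report's creations are flagged (scores 4 and 5) with the same parent PID, the delete in between is ignored, and the OneDrive control scores zero. In a real pipeline the parent image path would be the next field to pivot on, since both creations here come from an executable in %TEMP%.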
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 262B
MD5: e7dbf79e696c2577d6f01f1ff81bd528
SHA1: 54bcbd0020ad44e8742ba12d96676f158a6fe46f
SHA256: a4390db30166f944329bcc7567a97f77b6076e91b42353add4cfce250ce82141
SHA512: e266a31c4c73f06088dda5658b8b8bbb7ee0814899f3308d5a73f272b72bbc51493e5eca445e730d916b184f8e9dfa50c6d75ca9bbb706c3520a742b0a91e7a0

Filesize: 224B
MD5: d8d86a1db5cf6c66133aa2b81ab2c2ad
SHA1: 1cc50c45b4ad894c60f9ef450c0c2fad57eea0d0
SHA256: 87d807d620068668f2a3d588c0c27cc5f7efac870f275452b4ff9c833ea38cde
SHA512: 0bb29dbbe7c88ba68fd2515d7b2f6aa4c9c8108039fb1308cec8c58f3d3e68d9b7130b643f872361569d1ea102dd2fc24bf16ee945f154a4662b57cd31c4efd6