Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 22:59
General
Target: Rat remove.exe
Size: 409KB
MD5: 4a9a21634ca5574ce01fa7bac0950d54
SHA1: c29eb629cbe62c7828f16c5ad6b29ba015eb7b69
SHA256: a003924092f4eed3281ccd3f82d95548a809a09436ee07b01b6d738a7c1f809d
SHA512: e82f2df2f40cf8d51a85c2ee4e3fe78ff739b1581688b5107cbd8bec53a1d351ef3c16fdf4e709ad7f47afa55e5bcc4ed8de224e587f4dd873e0486b08e7325e
SSDEEP: 12288:YpiREGJFK6Fcbpdw5sI68ulIPPMQE1SQ:AwpJsb34ZPPsH
Malware Config
Extracted
family: quasar
version: 3.1.5
botnet: SeroXen
c2: 147.185.221.20:47638
mutex: $Sxr-GV6wZsGZZMeZ3qfenc
attributes:
  encryption_key: hwFlXMrCGoyqiQGmMvlX
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windows Defender Anti-Malware Disable Startup
  subdirectory: SubDir
Signatures

Quasar payload (1 IoC)
Processes:
  resource: behavioral1/memory/5004-1-0x00000000003F0000-0x000000000045C000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: Rat remove.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
  process: Rat remove.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 6
  ioc: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, SCHTASKS.exe
  pid 740: schtasks.exe
  pid 4136: SCHTASKS.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Rat remove.exe
  description: Token: SeDebugPrivilege
  pid 5004: Rat remove.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Rat remove.exe
  pid 5004: Rat remove.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: Rat remove.exe, cmd.exe
  description / pid / process / target process
  PID 5004 wrote to memory of 740 / 5004 / Rat remove.exe / schtasks.exe
  PID 5004 wrote to memory of 740 / 5004 / Rat remove.exe / schtasks.exe
  PID 5004 wrote to memory of 740 / 5004 / Rat remove.exe / schtasks.exe
  PID 5004 wrote to memory of 3492 / 5004 / Rat remove.exe / schtasks.exe
  PID 5004 wrote to memory of 3492 / 5004 / Rat remove.exe / schtasks.exe
  PID 5004 wrote to memory of 3492 / 5004 / Rat remove.exe / schtasks.exe
  PID 5004 wrote to memory of 4080 / 5004 / Rat remove.exe / cmd.exe
  PID 5004 wrote to memory of 4080 / 5004 / Rat remove.exe / cmd.exe
  PID 5004 wrote to memory of 4080 / 5004 / Rat remove.exe / cmd.exe
  PID 4080 wrote to memory of 4824 / 4080 / cmd.exe / chcp.com
  PID 4080 wrote to memory of 4824 / 4080 / cmd.exe / chcp.com
  PID 4080 wrote to memory of 4824 / 4080 / cmd.exe / chcp.com
  PID 4080 wrote to memory of 2756 / 4080 / cmd.exe / PING.EXE
  PID 4080 wrote to memory of 2756 / 4080 / cmd.exe / PING.EXE
  PID 4080 wrote to memory of 2756 / 4080 / cmd.exe / PING.EXE
  PID 5004 wrote to memory of 4136 / 5004 / Rat remove.exe / SCHTASKS.exe
  PID 5004 wrote to memory of 4136 / 5004 / Rat remove.exe / SCHTASKS.exe
  PID 5004 wrote to memory of 4136 / 5004 / Rat remove.exe / SCHTASKS.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Rat remove.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe"
  PID: 5004
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe" /rl HIGHEST /f
    PID: 740
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /delete /tn "Windows Defender Anti-Malware Disable Startup" /f
    PID: 3492

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCD6eaFyephK.bat" "
    PID: 4080
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
      PID: 4824

    C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 10 localhost
      PID: 2756
      - Runs ping.exe

  C:\Windows\SysWOW64\SCHTASKS.exe
    command line: "SCHTASKS.exe" /create /tn "$77Rat remove.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Rat remove.exe'" /sc onlogon /rl HIGHEST
    PID: 4136
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 262B
MD5: f1bd35827fbb8eb1d811e4f220a0fab7
SHA1: 5f8da21f02f50db692ed4aeef8902d15be6759c5
SHA256: 44e55090488a6aac5b6f1d6cbe3ea0b5ab62df7989411f83a8c79414fbcdd7e2
SHA512: 4ad8e10ff454d5bc65085876c93311c0824e43ebbad169af4469820944758e3947999f84a72d42c4e529fba313f6712073358425d98e129e1d47b594b561c951