Overview

overview

10

Static

static

10

23210003a1...f7.exe

windows7_x64

10

23210003a1...f7.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-11-2020 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe

  • Size

    534KB

  • MD5

    f811e2467c4093bffa92ec60e7157500

  • SHA1

    2d9c29b8d7156619d144e14ffc2a1ab12424b883

  • SHA256

    23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7

  • SHA512

    f32962a0f05e2918472a74632515596e2152e5e7fd2300c0238aeec73ca03fc2b35301ed9ef3f0a3e42e978c08d562dcd113ddb4ed9b86762f40cd3a59349f5d

Score
10/10
quasarvenomratevasionratrootkitspywarestealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
    "C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "TwitchFollowy" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2640
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "TwitchFollowy" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:1604
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WnvI3vrpvdw1.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:2380
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:2452
          • C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
            "C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1328

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/748-26-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-18-0x00000000733A0000-0x0000000073A8E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/748-43-0x0000000009000000-0x0000000009001000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-27-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-42-0x0000000008E90000-0x0000000008E91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-34-0x0000000008B20000-0x0000000008B53000-memory.dmp

        Filesize

        204KB

        Download

      • memory/748-44-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-41-0x0000000008070000-0x0000000008071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-46-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-19-0x0000000004220000-0x0000000004221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-20-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-21-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-22-0x0000000007390000-0x0000000007391000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-24-0x00000000076D0000-0x00000000076D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-25-0x0000000007460000-0x0000000007461000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1328-58-0x00000000733A0000-0x0000000073A8E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1500-13-0x00000000733A0000-0x0000000073A8E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1500-32-0x0000000006720000-0x0000000006721000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3932-1-0x0000000000C00000-0x0000000000C01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3932-6-0x0000000006390000-0x0000000006391000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3932-3-0x0000000005A70000-0x0000000005A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3932-0-0x00000000733A0000-0x0000000073A8E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3932-4-0x00000000056C0000-0x00000000056C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3932-5-0x0000000005860000-0x0000000005861000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3932-7-0x0000000006760000-0x0000000006761000-memory.dmp

        Filesize

        4KB

        Download