Overview

overview

10

Static

static

cela.exe

windows7_x64

10

cela.exe

windows10_x64

10

Analysis

  • max time kernel
    5s
  • max time network
    7s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-12-2020 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cela.exe

  • Size

    930KB

  • MD5

    507c92e12c99eb53544aba006004b843

  • SHA1

    11205b1e7e9317192994f5a9037d0f9924f29469

  • SHA256

    3f50cb0f25bc9fdaa5c75865eaca04ed12f45d5419b6624f1cf0f507be3cdafe

  • SHA512

    21b13fa6b070f3fecab15fe8c4124c4ec592b2886eff6a9b39efef84097aa33defc0815a1696617674072343144c83f6756f349e2b71afef11e69f46f614bc16

Score
10/10
quasarvenomratevasionratrootkitspywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cela.exe
    "C:\Users\Admin\AppData\Local\Temp\cela.exe"
    1⤵
    • Windows security modification
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cela.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3264
    • C:\Users\Admin\AppData\Roaming\SubDir\update.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\update.exe"
      2⤵
      • Executes dropped EXE
      PID:3164
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUSIYPFdEVOy.bat" "
        3⤵
          PID:4572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3384

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3164-15-0x0000000073410000-0x0000000073AFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3384-26-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3384-23-0x0000000007550000-0x0000000007551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3384-31-0x0000000008670000-0x0000000008671000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3384-28-0x0000000008320000-0x0000000008321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3384-27-0x0000000007E60000-0x0000000007E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3384-20-0x0000000073410000-0x0000000073AFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3384-21-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3384-22-0x00000000076C0000-0x00000000076C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3384-24-0x0000000007600000-0x0000000007601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-5-0x00000000054C0000-0x00000000054C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-2-0x0000000073410000-0x0000000073AFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4764-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-9-0x00000000063C0000-0x00000000063C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-6-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-7-0x00000000052D0000-0x00000000052D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-8-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

      Filesize

      4KB

      Download