Overview

overview

10

Static

static

10

fbebdf6e8f...2f.exe

windows7_x64

10

fbebdf6e8f...2f.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01/03/2021, 23:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbebdf6e8fa43a2458cd66a14dfa5b7127727c55b93a67f40f400e8c48b6a92f.exe

  • Size

    534KB

  • MD5

    1a6cd9334c846e9aadb214cce3c0359a

  • SHA1

    04536a296bb91ca1b702a2eb8d90fff8a9fe5845

  • SHA256

    fbebdf6e8fa43a2458cd66a14dfa5b7127727c55b93a67f40f400e8c48b6a92f

  • SHA512

    3e4c35c019076621c785728128c4faf29926371d69a01482558df233de1c74062f77700e6aec1e69f7eec82c11c6f1a21d96e90f0decc189c4ff71f11338bf83

Score
10/10
quasarvenomratevasionratrootkitspywarestealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbebdf6e8fa43a2458cd66a14dfa5b7127727c55b93a67f40f400e8c48b6a92f.exe
    "C:\Users\Admin\AppData\Local\Temp\fbebdf6e8fa43a2458cd66a14dfa5b7127727c55b93a67f40f400e8c48b6a92f.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "CheckerFortnite" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\fbebdf6e8fa43a2458cd66a14dfa5b7127727c55b93a67f40f400e8c48b6a92f.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:496
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "CheckerFortnite" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1936
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:200
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SauSV3PmXofn.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:3936
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:2676
          • C:\Users\Admin\AppData\Local\Temp\fbebdf6e8fa43a2458cd66a14dfa5b7127727c55b93a67f40f400e8c48b6a92f.exe
            "C:\Users\Admin\AppData\Local\Temp\fbebdf6e8fa43a2458cd66a14dfa5b7127727c55b93a67f40f400e8c48b6a92f.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:508

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/200-30-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-54-0x00000000094F0000-0x00000000094F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-37-0x0000000008290000-0x0000000008291000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-33-0x00000000083E0000-0x00000000083E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-52-0x0000000009500000-0x0000000009501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-51-0x0000000000FC3000-0x0000000000FC4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-50-0x000000007EE90000-0x000000007EE91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-49-0x0000000009550000-0x0000000009551000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-48-0x0000000009090000-0x0000000009091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-21-0x0000000074090000-0x000000007477E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/200-22-0x0000000001330000-0x0000000001331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-23-0x0000000007300000-0x0000000007301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-47-0x0000000009020000-0x0000000009021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-24-0x0000000007200000-0x0000000007201000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-27-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-26-0x0000000007B10000-0x0000000007B11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-28-0x0000000000FC2000-0x0000000000FC3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/200-40-0x0000000009040000-0x0000000009073000-memory.dmp

        Filesize

        204KB

        Download

      • memory/200-32-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/212-38-0x00000000063D0000-0x00000000063D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/212-25-0x0000000004E20000-0x0000000004E21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/212-16-0x0000000074090000-0x000000007477E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/508-69-0x0000000004D60000-0x0000000004D61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/508-64-0x0000000074090000-0x000000007477E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/652-6-0x0000000004970000-0x0000000004971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-2-0x0000000074090000-0x000000007477E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/652-7-0x0000000004B50000-0x0000000004B51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-10-0x0000000005A60000-0x0000000005A61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-9-0x0000000005690000-0x0000000005691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-3-0x0000000000040000-0x0000000000041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-8-0x0000000004B60000-0x0000000004B61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-5-0x0000000004E70000-0x0000000004E71000-memory.dmp

        Filesize

        4KB

        Download