Overview

overview

10

Static

static

10

d9fffd6ede...4b.exe

windows7_x64

10

d9fffd6ede...4b.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02-03-2021 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9fffd6edeeaeb271645ebd329755660356ed84bbfdd773c7c3aa1d4b594904b.exe

  • Size

    534KB

  • MD5

    3eb993c8d8b647f850cfa469d57a2dec

  • SHA1

    da5dc696590815cb6389c693a7edad6e65722c51

  • SHA256

    d9fffd6edeeaeb271645ebd329755660356ed84bbfdd773c7c3aa1d4b594904b

  • SHA512

    df2b679ea062146b3bb2be292a4ec09671e107abab7fbb7784aa9a78a22baa37e24220796c07b0abbe2cdf6de5b56707567c99ac73badceac075c93482611061

Score
10/10
quasarvenomratevasionratrootkitspywarestealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9fffd6edeeaeb271645ebd329755660356ed84bbfdd773c7c3aa1d4b594904b.exe
    "C:\Users\Admin\AppData\Local\Temp\d9fffd6edeeaeb271645ebd329755660356ed84bbfdd773c7c3aa1d4b594904b.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "CheckerFortnite" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d9fffd6edeeaeb271645ebd329755660356ed84bbfdd773c7c3aa1d4b594904b.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3968
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "CheckerFortnite" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3116
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:3724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2W1c9iDxalZl.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:3484
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:2824
          • C:\Users\Admin\AppData\Local\Temp\d9fffd6edeeaeb271645ebd329755660356ed84bbfdd773c7c3aa1d4b594904b.exe
            "C:\Users\Admin\AppData\Local\Temp\d9fffd6edeeaeb271645ebd329755660356ed84bbfdd773c7c3aa1d4b594904b.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3244

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/188-31-0x0000000007A40000-0x0000000007A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-54-0x0000000009390000-0x0000000009391000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-37-0x00000000083C0000-0x00000000083C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-52-0x00000000093A0000-0x00000000093A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-51-0x00000000093F0000-0x00000000093F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-50-0x0000000004603000-0x0000000004604000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-49-0x000000007EEF0000-0x000000007EEF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-36-0x0000000007210000-0x0000000007211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-48-0x0000000009240000-0x0000000009241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-21-0x0000000073C40000-0x000000007432E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/188-22-0x0000000004610000-0x0000000004611000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-47-0x00000000090D0000-0x00000000090D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-26-0x0000000004602000-0x0000000004603000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-25-0x0000000004600000-0x0000000004601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-24-0x0000000007230000-0x0000000007231000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-27-0x0000000006F80000-0x0000000006F81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-28-0x0000000007020000-0x0000000007021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/188-40-0x0000000009110000-0x0000000009143000-memory.dmp

        Filesize

        204KB

        Download

      • memory/188-38-0x0000000008120000-0x0000000008121000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3244-69-0x0000000005450000-0x0000000005451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3244-64-0x0000000073C40000-0x000000007432E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3920-5-0x0000000005370000-0x0000000005371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3920-6-0x0000000004D90000-0x0000000004D91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3920-8-0x0000000004F70000-0x0000000004F71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3920-7-0x0000000005040000-0x0000000005041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3920-2-0x0000000073C40000-0x000000007432E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3920-9-0x0000000005350000-0x0000000005351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3920-3-0x0000000000480000-0x0000000000481000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3920-10-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4056-15-0x0000000073C40000-0x000000007432E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/4056-23-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4056-35-0x00000000065A0000-0x00000000065A1000-memory.dmp

        Filesize

        4KB

        Download