Overview

overview

10

Static

static

10

e9235af153...05.exe

windows7_x64

10

e9235af153...05.exe

windows10_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    166s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    08-09-2021 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9235af1531343351a94508e6795d9fdc05bb06b334e8368dc39f0fe12c46f05.exe

  • Size

    814KB

  • MD5

    303ea82c0a37e377879a61a6d403ab48

  • SHA1

    f3f542e801ae5a7689864d974e1b4776468acbe2

  • SHA256

    e9235af1531343351a94508e6795d9fdc05bb06b334e8368dc39f0fe12c46f05

  • SHA512

    d280e0e59a51135a78cf7699c89317768f8a045441a20990ab286a48be9e20c93ef1eea85f18d9517654f28218c960d21f2ececbe0baa3c8a2790e1304c7c279

Score
10/10
quasarvenomratclientevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Client

C2

spicy-scissors.auto.playit.gg:40602

Mutex

VNM_MUTEX_ZPezzH7q77HhYvgQHf

Attributes
  • encryption_key

    qDSGWka1LfDTYuj2fN6F

  • install_name

    GNU.exe

  • log_directory

    Logs

  • reconnect_delay

    2500

  • startup_key

    Windows Security

  • subdirectory

    Ubuntu

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9235af1531343351a94508e6795d9fdc05bb06b334e8368dc39f0fe12c46f05.exe
    "C:\Users\Admin\AppData\Local\Temp\e9235af1531343351a94508e6795d9fdc05bb06b334e8368dc39f0fe12c46f05.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\e9235af1531343351a94508e6795d9fdc05bb06b334e8368dc39f0fe12c46f05.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3584
    • C:\Users\Admin\AppData\Roaming\Ubuntu\GNU.exe
      "C:\Users\Admin\AppData\Roaming\Ubuntu\GNU.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Ubuntu\GNU.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:3884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egLDFswknq7E.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:2520
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:1284
          • C:\Users\Admin\AppData\Local\Temp\e9235af1531343351a94508e6795d9fdc05bb06b334e8368dc39f0fe12c46f05.exe
            "C:\Users\Admin\AppData\Local\Temp\e9235af1531343351a94508e6795d9fdc05bb06b334e8368dc39f0fe12c46f05.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1476

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1476-399-0x00000000055E0000-0x0000000005ADE000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2108-143-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-158-0x0000000009410000-0x0000000009443000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2108-372-0x00000000096C0000-0x00000000096C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-366-0x00000000096D0000-0x00000000096D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-136-0x0000000004970000-0x0000000004971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-134-0x0000000004980000-0x0000000004981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-137-0x0000000004972000-0x0000000004973000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-138-0x0000000007380000-0x0000000007381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-139-0x00000000079F0000-0x00000000079F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-140-0x0000000007A90000-0x0000000007A91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-142-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-241-0x0000000004973000-0x0000000004974000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-144-0x0000000008680000-0x0000000008681000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-172-0x0000000009740000-0x0000000009741000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-149-0x0000000008460000-0x0000000008461000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-171-0x0000000009560000-0x0000000009561000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-170-0x000000007F070000-0x000000007F071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-165-0x00000000093F0000-0x00000000093F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3184-150-0x0000000006A60000-0x0000000006A61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3184-135-0x0000000005520000-0x0000000005521000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3692-115-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3692-122-0x0000000006640000-0x0000000006641000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3692-121-0x0000000006270000-0x0000000006271000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3692-120-0x0000000005710000-0x0000000005711000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3692-119-0x0000000005540000-0x0000000005541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3692-118-0x0000000005570000-0x0000000005571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3692-117-0x0000000005A70000-0x0000000005A71000-memory.dmp

        Filesize

        4KB

        Download