Analysis

  • max time kernel
    157s
  • max time network
    167s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    22-09-2021 13:20

General

  • Target

    a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe

  • Size

    1.0MB

  • MD5

    d9ae9f8e6be0c1d7c70a1d1b86f44a8c

  • SHA1

    1564057c68ed04ffe76aa192e867ed40cd868840

  • SHA256

    a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1

  • SHA512

    d13a512177f86e9a3de60c6b525175005870d5c1536f9e2af80da0c881314d3833b7140e777c65950d71053907f4608237f595490372e5e003fc9c3925786e2b

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Venom Client

C2

192.168.0.149:4455

Mutex

PNMCyu2XSzVny0gdTw

Attributes
  • encryption_key

    aPDdCEtQpHs1yTAHJZ1B

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory
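
The configured C2, 192.168.0.149:4455, is an RFC 1918 private address, so it is only reachable inside the network the sample was built for; that is consistent with the empty Network section below and makes the host-based values (mutex, startup key, install name, encryption key) the more useful indicators. Quasar is a .NET RAT, so its string literals sit in memory as UTF-16LE rather than ASCII; a scanner that only looks for narrow strings will miss them in the dumped region of the hollowed child (memory/3612-118). The following is an added example, not code from the report or from the Quasar project: it searches a dump for every extracted value in both encodings. The indicator values are the ones listed above; the dump bytes are constructed for the demonstration, and any real dump would be passed as the first argument.

```python
"""Scan a memory dump for the Quasar configuration strings extracted above.

Added example, not part of the sandbox report. The indicator values come from
the report's "Malware Config" section; the sample dump is constructed here.
Quasar is a .NET RAT, so its string literals are UTF-16LE in memory; the
scanner checks both the UTF-16LE and the ASCII form of each indicator.
"""
import re
from dataclasses import dataclass

# Configuration values extracted by the sandbox (see "Malware Config" above).
QUASAR_CONFIG = {
    "c2": "192.168.0.149:4455",
    "mutex": "PNMCyu2XSzVny0gdTw",
    "encryption_key": "aPDdCEtQpHs1yTAHJZ1B",
    "install_name": "Venom.exe",
    "startup_key": "Venom Client Startup",
    "botnet": "Venom Client",          # note: prefix of startup_key, so it also matches there
    "log_directory": "Logs",
}


@dataclass(frozen=True)
class Hit:
    name: str       # which config field matched
    encoding: str   # "utf-16-le" or "ascii"
    offset: int     # byte offset of the match in the dump


def _patterns(value: str):
    """Yield (encoding, compiled regex) for the wide and narrow forms of a value."""
    for enc in ("utf-16-le", "ascii"):
        yield enc, re.compile(re.escape(value.encode(enc)))


def scan_dump(data: bytes, config=QUASAR_CONFIG) -> list[Hit]:
    """Return every occurrence of every indicator in the dump, ordered by offset."""
    hits = []
    for name, value in config.items():
        for enc, rx in _patterns(value):
            for m in rx.finditer(data):
                hits.append(Hit(name, enc, m.start()))
    return sorted(hits, key=lambda h: (h.offset, h.name))


def matched_indicators(hits) -> set[str]:
    """Distinct config fields that were found at least once."""
    return {h.name for h in hits}


def build_sample_dump() -> bytes:
    """Constructed stand-in for the report's memory/3612-118 dump: zero filler with
    a few of the config strings embedded the way a .NET #US heap would hold them."""
    filler = b"\x00" * 64
    return (filler
            + QUASAR_CONFIG["mutex"].encode("utf-16-le")        # offset 64
            + filler
            + QUASAR_CONFIG["c2"].encode("utf-16-le")           # offset 164
            + filler
            + QUASAR_CONFIG["install_name"].encode("ascii")     # offset 264, narrow
            + filler)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for hit in scan_dump(data):
        print(f"{hit.offset:#010x} {hit.encoding:<9} {hit.name}")
```

Run it against the 944KB region dumped from PID 3612 to confirm the payload carries this configuration; a hit on the mutex or startup key alone is already a strong match for this build, while "Logs" and the bare "Venom Client" string are weak on their own and should only be counted alongside the others.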

Signatures

  • Quasar Payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Detected potential entity reuse from brand microsoft.
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe
    "C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe
      "C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe"
      2⤵
      • Checks computer location settings
      PID:3612
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4076
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4044
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3028
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:980
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1932
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2168
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2340
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4984
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4376
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:912
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:2720
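
The process tree above shows the classic self-injection (process hollowing) shape: PID 3524 is flagged for SetThreadContext and WriteProcessMemory and spawns a second copy of the same executable, PID 3612, which is the process that then runs the real payload (the location check, and the 0x400000-0x4EC000 region dumped from it below). The Edge content process PID 2340 also uses WriteProcessMemory and MapViewOfSection, which is normal for a browser sandbox, so API use alone is a noisy signal. The following is an added example, not code from the report: it encodes the stronger rule, a parent that used both APIs and launched a child with its own image path. The events are constructed from the Processes section; parent PIDs the report does not give are left as None.

```python
"""Flag the self-spawn-plus-SetThreadContext/WriteProcessMemory hollowing pattern.

Added example, not part of the sandbox report. Events are constructed from the
report's process list and per-process signature hits.
"""
from dataclasses import dataclass, field
from typing import Optional

# Both of these in the parent, plus a child with the same image, is the hollowing
# sequence: create suspended, write payload, set new entry point, resume.
HOLLOWING_APIS = {"SetThreadContext", "WriteProcessMemory"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: Optional[int]          # None where the report does not show a parent
    image: str
    api_use: set = field(default_factory=set)


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe")
EDGE = r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"
EDGE_CP = r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"

# Constructed from the "Processes" section above.
EVENTS = [
    ProcessEvent(3524, None, SAMPLE, {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}),
    ProcessEvent(3612, 3524, SAMPLE, set()),   # child copy; reported as "Checks computer location settings"
    ProcessEvent(4076, None, EDGE, {"AdjustPrivilegeToken", "SetWindowsHookEx"}),
    ProcessEvent(2340, None, EDGE_CP, {"MapViewOfSection", "SetWindowsHookEx", "WriteProcessMemory"}),
]


def find_hollowing(events) -> list:
    """Return (parent_pid, child_pid) pairs where a process launched a copy of its
    own image and itself used both SetThreadContext and WriteProcessMemory."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image and HOLLOWING_APIS <= parent.api_use:
            findings.append((parent.pid, child.pid))
    return findings


def api_only_suspects(events) -> list:
    """The weaker signal, for comparison: every PID that used both APIs, regardless
    of what it spawned. Browser sandboxes and debuggers land here too."""
    return [e.pid for e in events if HOLLOWING_APIS <= e.api_use]


if __name__ == "__main__":
    for parent, child in find_hollowing(EVENTS):
        print(f"hollowing: parent {parent} -> child {child} (same image)")
    print("API-only suspects:", api_only_suspects(EVENTS))
```

When hunting with this rule, dump the child (here PID 3612) rather than the parent: the parent's original image is what the sandbox hashed, while the child's 0x400000-0x4EC000 region holds the unpacked payload the config above was extracted from.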

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 1


Downloads

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    1c76ad47cf4f5e51693ed8c6d99002de

    SHA1

    cf2914b7d39ef5a4428ef3ab9cf5e85ac4b92f5d

    SHA256

    2310ebe1062d3ce79ea17a779b441840b8f9f42a3cba988489cf4cf305fe9e57

    SHA512

    a87fe88cb29d29e047b22b1ff87944d4f76a6b91185dbad3ad135b0240107a36cd1964a5456011476bca9589ff30db6ddd76abe4167fa74a6dfd3bc27e1ccb2c

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    6f77d216ea5107af12c0cfa68f304205

    SHA1

    96693ae79a141be94b73162d141d3089011689a7

    SHA256

    064b7eb067e9fe4612c3b030f724a405b58a17fea7d7d835178a476d81a734a1

    SHA512

    eeca05e3d7714b822c888485e8d0027f846fd17f72e6f9fef56f8013f0040e3e6b074ebe16b99dd8354f2f496fbfff54f2699e73bea1effe4bdc6c0a0e88bb49

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
    MD5

    0db264b38ac3c5f6c140ba120a7fe72f

    SHA1

    51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

    SHA256

    2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

    SHA512

    3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
    MD5

    ca36b124fe106a3f7e9196164dbe3d3b

    SHA1

    8bfb2901fd9f26cbca6cfb482e9875da52c31b9e

    SHA256

    5a60686ebcc4077fecade0aef020c7b92d4299df4260c49c8d3ca6d6d456b3dd

    SHA512

    14cff2666dd0f52bdd6bbbc107dcf47cbfaf73c63d8336db29edec3d62c74f0bec994bd452241f4babfcc05f3bfde8fa00d49d0b6004cde03b79a48560456eb5

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
    MD5

    4dc78f0e76018d653d6af1a0d8bf6c51

    SHA1

    f0ce6dc395ef04cacc71e9fb54b5cc380a136722

    SHA256

    133de1f5563dbe23f1aef61040e2dfb111fa5bc20cf648a000b229ed3b0600d3

    SHA512

    575351eb3a6967be5d7d24806a66eb90ec77760751a80c1fb3964ecbe96563ff33d4dbe1d484fcd95c6833867721f2b0f5ec181a070a2cf6a70e1e638fde4dce

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
    MD5

    d41b22938829e95db205ba860a9d700c

    SHA1

    91f3c8cd1add18da365e6c0c96fd4974c70667c9

    SHA256

    5b38cdcdbf500bdbaafa0fd3157e16e7ed2eabdbb2044e07c0737583c63831c9

    SHA512

    e51dbd7aa55df68750618aec73f2269f7b3ea503b5df847b8ec9bd520a57757291be25fac84ced86cc3ea8995ad03b4d821966302fa468caf2a80c6aaea35bdd

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
    MD5

    4c2037fe937b28967fc6bb9e0d172f23

    SHA1

    99963d841d76583e8cb5574073dab6ee76b74ed6

    SHA256

    a7084624c423aa86d0eec26d9aa2d351066df3ba3c51952981adf1d474f63c8a

    SHA512

    7d9db73a7c6ad10c6cfd1f39d841065c5f25bd2d499b46a470c6d9d69d4046f2ee5577f5b1017084d54beff66e78462cfe24b6e5f32129d121acf84b02950c1d

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{50885B87-6CB5-44CF-80E2-F6145884BB76}.dat
    MD5

    5f8b201e7ca7a6d58751dbec1a1ca33d

    SHA1

    1d6afed368d9a88225cc386a1c66754dbd65cd82

    SHA256

    1d17d8e903b347c030772b00ffd9bcf34a6920e6b32e0214f7ac29266337a246

    SHA512

    85cc27e5141b46081d1a905b656ad715e66116c246bd38a2bb7c8f3798b883589bc0d12c82e62cf91338f1c2b2f3109f3b6e783bc43faae9ccbe8c8384ede112

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{652ED8FB-4BB9-4876-908F-FEB118A8D030}.dat
    MD5

    dd3c0d552b76ed5fbca011a71832c9ac

    SHA1

    531c275857da18cfeedabf3e2897bf0e4c76168d

    SHA256

    249168068474430aed06e9424a6cb92f6fbd0f57d35d1ede19923019552db262

    SHA512

    85c5883a9ed62de04d4f7b0e1da99f3c984360ef916c06f53b6e921512ad6e3eea687db9aa55efe757e7e582a29d2864894219117b240af63e933155d8f4127d

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2274612954.pri
    MD5

    0db264b38ac3c5f6c140ba120a7fe72f

    SHA1

    51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

    SHA256

    2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

    SHA512

    3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

  • memory/3612-118-0x0000000000400000-0x00000000004EC000-memory.dmp
    Filesize

    944KB

  • memory/3612-119-0x00000000004E614E-mapping.dmp