Analysis

max time kernel: 134s
max time network: 178s
platform: windows7_x64
resource: win7v20210408
submitted: 27-09-2021 18:19

Static task: static1
Behavioral task: behavioral1
  Sample: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe
  Resource: win7v20210408
General

Target: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe
Size: 546KB
MD5: 099bce8eba599fd7262af4fe930ab098
SHA1: ccdfce07b8ca10a2b33e670dc09550e0b43d5dcb
SHA256: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8
SHA512: 3b9aa646ba2862bbd1644ed62034dcf4ff3a6d4b9f63ecc95281832dfbc03cd96c4a1894150ea45b4288abd9eae9a7ee2fa01634a3d7232c169d4c7e3681e345
Malware Config

Extracted
family: quasar
version: 2.1.0.0
botnet: Office04
c2: 10.0.0.74:1177
mutex: VNM_MUTEX_DweppWsG4TQ0OOm4Hi
encryption_key: G5PWQxh2RxlVLvkDxu7P
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
subdirectory: SubDir
Signatures

Contains code to disable Windows Defender (3 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource                                   yara_rule
  behavioral1/files/0x00040000000130b4-62.dat  disable_win_def
  behavioral1/files/0x00040000000130b4-64.dat  disable_win_def
  behavioral1/files/0x00040000000130b4-65.dat  disable_win_def

Quasar Payload (3 IoCs)
Processes:
  resource                                   yara_rule
  behavioral1/files/0x00040000000130b4-62.dat  family_quasar
  behavioral1/files/0x00040000000130b4-64.dat  family_quasar
  behavioral1/files/0x00040000000130b4-65.dat  family_quasar

Executes dropped EXE (1 IoCs)
Processes:
  pid   Process
  1840  $77-Venom.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid  Process
  752  1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  1     ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  1840  $77-Venom.exe
  Token: SeDebugPrivilege  1840  $77-Venom.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      pid  Process                                                                   procid_target
  PID 752 wrote to memory of 1840  752  1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe  25
  PID 752 wrote to memory of 1840  752  1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe  25
  PID 752 wrote to memory of 1840  752  1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe  25
  PID 752 wrote to memory of 1840  752  1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe  25
Processes

1. C:\Users\Admin\AppData\Local\Temp\1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe"
   PID: 752
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\$77-Venom.exe (child of PID 752)
      Command line: "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
      PID: 1840
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: eab7a704a7bea20eaa5494acecaada27
SHA1: f6ca815c1e4f567b55609d7785b26f510cf86402
SHA256: 2cfa1686bbe1abeca02cc0009a8cdc523343814758fa621854fd6ef8fc2235a5
SHA512: 8989eee40ee97463b3dcd2823cdc687d0918791490f1f39f81ac4e8ce9484681bb18bef906b5e833261f304ddfdb6da711acbeedb8007bf1de1eda87bc99cfbf