Overview

overview

10

Static

static

5263b2b6ca...in.exe

windows7_x64

10

5263b2b6ca...in.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    13-10-2021 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin.exe

  • Size

    3.3MB

  • MD5

    3dbcc2578008081544f897c8da00eb7a

  • SHA1

    f4482885c164ec964cad395717306f09a0f68a63

  • SHA256

    5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f

  • SHA512

    93c4800e51a44770e1f16ecee997f05d213ee3276fcd5b04afe0a8ad274a77ec99539228a4d75d96c9bd9fb7dfb01df69b5ab17456725476207a25ba7e4f6952

Score
10/10
quasarvenomratgenevasionpersistenceratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

gen

C2

zaidtheboii-50153.portmap.host:50153

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    Z0J9rVN8qwPnSK9m7RW5

  • install_name

    OneDrive.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft OneDrive

  • subdirectory

    Microsoft OneDrive

Signatures

  • Contains code to disable Windows Defender 7 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 7 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1300
      • C:\Windows\SysWOW64\Microsoft OneDrive\OneDrive.exe
        "C:\Windows\SysWOW64\Microsoft OneDrive\OneDrive.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Windows\SysWOW64\Microsoft OneDrive\OneDrive.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1968
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
          • Deletes itself
          PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7461CeYoxAzk.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:1420
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:1724
          • C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:696
      • C:\Users\Admin\AppData\Local\Temp\Node.js.exe
        "C:\Users\Admin\AppData\Local\Temp\Node.js.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
          "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6GlX4gI9pIzKuuw/DkrRWe6jXjwUh/h1n7EugqZqwNbSysR/yatrDqrNROKvQnbu5PjtNSMFXveJslpZPBkRK+GM+f311fJfdbzrHOKSr+bKzYP597NIEt8iS0xAesEdI=
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1980 -s 1404
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1888

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/632-65-0x0000000000B50000-0x0000000000B51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-69-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/696-142-0x00000000049A0000-0x00000000049A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/860-70-0x0000000004670000-0x0000000004671000-memory.dmp

      Filesize

      4KB

      Download

    • memory/860-64-0x0000000000D50000-0x0000000000D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1380-54-0x0000000074C71000-0x0000000074C73000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1380-55-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1576-76-0x0000000001260000-0x0000000001261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1576-79-0x0000000000D90000-0x0000000000D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1888-132-0x0000000001B80000-0x0000000001B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1888-131-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1960-88-0x0000000002411000-0x0000000002412000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1960-87-0x0000000002410000-0x0000000002411000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1960-89-0x0000000002412000-0x0000000002414000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-94-0x000000001ADE0000-0x000000001AE8C000-memory.dmp

      Filesize

      688KB

      Download

    • memory/1980-95-0x000000001B190000-0x000000001B192000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-93-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1980-92-0x000000001B460000-0x000000001B79B000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/1980-90-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

      Filesize

      4KB

      Download