Overview

overview

10

Static

static

5263b2b6ca...in.exe

windows7_x64

10

5263b2b6ca...in.exe

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    13-10-2021 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin.exe

  • Size

    3.3MB

  • MD5

    3dbcc2578008081544f897c8da00eb7a

  • SHA1

    f4482885c164ec964cad395717306f09a0f68a63

  • SHA256

    5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f

  • SHA512

    93c4800e51a44770e1f16ecee997f05d213ee3276fcd5b04afe0a8ad274a77ec99539228a4d75d96c9bd9fb7dfb01df69b5ab17456725476207a25ba7e4f6952

Score
10/10
quasarvenomratgenevasionpersistenceratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

gen

C2

zaidtheboii-50153.portmap.host:50153

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    Z0J9rVN8qwPnSK9m7RW5

  • install_name

    OneDrive.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft OneDrive

  • subdirectory

    Microsoft OneDrive

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 5 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Executes dropped EXE 10 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe"
      2⤵
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:616
      • C:\Windows\SysWOW64\Microsoft OneDrive\OneDrive.exe
        "C:\Windows\SysWOW64\Microsoft OneDrive\OneDrive.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Windows\SysWOW64\Microsoft OneDrive\OneDrive.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:2972
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:3172
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y9LRaPCR9oPk.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2292
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:3984
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:824
            • C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1400
        • C:\Users\Admin\AppData\Local\Temp\Node.js.exe
          "C:\Users\Admin\AppData\Local\Temp\Node.js.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1148
          • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
            "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6GlX4gI9pIzKuuw/DkrRWe6jXjwUh/h1n7EugqZqwNbSysR/yatrDqrNROKvQnbu5PjtNSMFXveJslpZPBkRK+GM+f311fJfdbzrHOKSr+bKzYP597NIEt8iS0xAesEdI=
            3⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1792
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:888
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c compile.bat
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2020
                • C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
                  C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3964
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1512
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c compile.bat
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1120
                • C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
                  C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
                  6⤵
                  • Executes dropped EXE
                  PID:1360
                • C:\Users\Admin\AppData\Local\Temp\splwow64.exe
                  C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
                  6⤵
                  • Executes dropped EXE
                  PID:2712
                • C:\Users\Admin\AppData\Local\Temp\hh.exe
                  C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3176
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2108
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c compile.bat
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3616
                • C:\Users\Admin\AppData\Local\Temp\xwizard.exe
                  C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3192
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2660
              • C:\Windows\system32\choice.exe
                choice /C Y /N /D Y /T 3
                5⤵
                  PID:2848

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1148-130-0x0000000005070000-0x0000000005071000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1148-127-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1148-123-0x0000000000B70000-0x0000000000B71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1400-466-0x0000000004990000-0x0000000004991000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1720-115-0x0000000001180000-0x0000000001181000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1792-144-0x0000017876280000-0x0000017876282000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1792-139-0x00000178762C0000-0x00000178765FB000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/1792-149-0x0000017877550000-0x00000178775FC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1792-136-0x0000017873AA0000-0x0000017873AA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1792-142-0x00000178761C0000-0x00000178761C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1792-198-0x0000017874280000-0x00000178742AA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/1792-200-0x00000178761A0000-0x00000178761A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1792-199-0x0000017874150000-0x0000017874156000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1792-201-0x0000017877830000-0x000001787785F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1792-188-0x0000017876240000-0x0000017876241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1792-141-0x0000017874060000-0x0000017874061000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-172-0x0000000008700000-0x0000000008701000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-197-0x0000000009A60000-0x0000000009A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-162-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-161-0x00000000076A0000-0x00000000076A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-160-0x00000000070F2000-0x00000000070F3000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-159-0x00000000070F0000-0x00000000070F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-168-0x0000000007D60000-0x0000000007D61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-189-0x00000000094C0000-0x00000000094C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-157-0x0000000007730000-0x0000000007731000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-195-0x0000000009630000-0x0000000009631000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-156-0x0000000006F90000-0x0000000006F91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-155-0x0000000004B10000-0x0000000004B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-154-0x0000000004B10000-0x0000000004B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-196-0x00000000070F3000-0x00000000070F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-170-0x00000000089B0000-0x00000000089B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-164-0x0000000008090000-0x0000000008091000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-181-0x00000000094E0000-0x0000000009513000-memory.dmp

          Filesize

          204KB

          Download

        • memory/3128-173-0x0000000004B10000-0x0000000004B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3128-190-0x000000007F080000-0x000000007F081000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3144-158-0x0000000005780000-0x0000000005C7E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/3144-171-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3312-129-0x0000000005080000-0x0000000005081000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3312-138-0x0000000005D20000-0x0000000005D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3312-140-0x0000000006110000-0x0000000006111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3312-131-0x0000000005040000-0x0000000005041000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3312-126-0x0000000005580000-0x0000000005581000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3312-122-0x00000000006E0000-0x00000000006E1000-memory.dmp

          Filesize

          4KB

          Download