Overview

overview

10

Static

static

1b465c6989...57.exe

windows7_x64

10

1b465c6989...57.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-10-2021 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b465c6989637df1d5c511919c43e457.exe

  • Size

    861KB

  • MD5

    1b465c6989637df1d5c511919c43e457

  • SHA1

    317f8bf5133176cd0f4125c6f2f0fdfc226754ab

  • SHA256

    0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095

  • SHA512

    e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

grace.adds-only.xyz:1609

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    wHq4o3k6UfKZv19jkcxs

  • install_name

    winrara.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 6 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe
    "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3540
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp919D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1568
    • C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe
      "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe"
      2⤵
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2880
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18AF.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3456
        • C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:648
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:3136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HfABvahzud3J.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2176
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:3896
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:344
            • C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe
              "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe"
              4⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:680
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:364
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE0C.tmp"
                5⤵
                • Creates scheduled task(s)
                PID:908
              • C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe
                "C:\Users\Admin\AppData\Local\Temp\1b465c6989637df1d5c511919c43e457.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2464

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/364-973-0x0000000006F43000-0x0000000006F44000-memory.dmp

        Filesize

        4KB

        Download

      • memory/364-944-0x0000000006F42000-0x0000000006F43000-memory.dmp

        Filesize

        4KB

        Download

      • memory/364-941-0x0000000006F40000-0x0000000006F41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/364-972-0x000000007EDC0000-0x000000007EDC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/648-664-0x0000000005200000-0x0000000005201000-memory.dmp

        Filesize

        4KB

        Download

      • memory/680-926-0x0000000007370000-0x000000000786E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2404-170-0x0000000007630000-0x0000000007B2E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2460-119-0x0000000004F20000-0x0000000004F21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2460-122-0x0000000007860000-0x0000000007868000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2460-121-0x00000000098C0000-0x00000000098C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2460-120-0x0000000007520000-0x0000000007521000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2460-123-0x0000000009BC0000-0x0000000009C68000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2460-118-0x00000000073C0000-0x00000000073C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2460-117-0x00000000078C0000-0x00000000078C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2460-115-0x00000000005D0000-0x00000000005D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2464-942-0x0000000005540000-0x0000000005541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2520-171-0x00000000011A0000-0x00000000011A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2520-261-0x000000007F840000-0x000000007F841000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2520-172-0x00000000011A2000-0x00000000011A3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2520-156-0x00000000002D0000-0x00000000002D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2520-158-0x00000000002D0000-0x00000000002D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2520-263-0x00000000011A3000-0x00000000011A4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2584-142-0x0000000004D40000-0x000000000523E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2584-128-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/2584-148-0x0000000006050000-0x0000000006051000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2584-147-0x0000000005B40000-0x0000000005B41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2880-737-0x00000000071A3000-0x00000000071A4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2880-689-0x000000007EB30000-0x000000007EB31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2880-662-0x00000000071A0000-0x00000000071A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2880-663-0x00000000071A2000-0x00000000071A3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-146-0x0000000008500000-0x0000000008501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-139-0x0000000007E80000-0x0000000007E81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-162-0x00000000010A0000-0x00000000010A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-213-0x0000000004B43000-0x0000000004B44000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-143-0x0000000007C90000-0x0000000007C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-191-0x000000007EF50000-0x000000007EF51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-141-0x0000000004B42000-0x0000000004B43000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-140-0x0000000004B40000-0x0000000004B41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-144-0x0000000008750000-0x0000000008751000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-137-0x0000000007580000-0x0000000007581000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-138-0x0000000007E10000-0x0000000007E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-136-0x00000000073D0000-0x00000000073D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-131-0x0000000007600000-0x0000000007601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-188-0x0000000009300000-0x0000000009301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-181-0x0000000009320000-0x0000000009353000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3540-129-0x0000000001250000-0x0000000001251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-125-0x00000000010A0000-0x00000000010A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3540-127-0x00000000010A0000-0x00000000010A1000-memory.dmp

        Filesize

        4KB

        Download