Overview

overview

10

Static

static

10

defbae45ea...19.exe

windows7_x64

10

defbae45ea...19.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    07-01-2022 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19.exe

  • Size

    637KB

  • MD5

    3ae1b43ae183a646db68834676be741c

  • SHA1

    e50bb029949247457a6c9faa31e38f1fb9dfd6ae

  • SHA256

    defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19

  • SHA512

    eb4f887d7e73f8130ae6d2f7cf27e6921a304b4a94ca50e2e747b7f057dd7d3e882556edf27dd1fdb625d0b74afc7d000702a034f258609ded97cd7940abfe70

Score
10/10
quasarvenomratkrnlevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

KRNL

C2

127.0.0.1:4782

quadrad.duckdns.org:1604
Mutex

VNM_MUTEX_w5oFkfEj8KXNrXmElF

Attributes
  • encryption_key

    HNAC3wR1K0TyDxzlsLfi

  • install_name

    KRNL By IceBerg.exe

  • log_directory

    Logs

  • reconnect_delay

    100

  • startup_key

    KRNL By IceBerg

  • subdirectory

    Boostrapper

Signatures

  • Contains code to disable Windows Defender 8 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 8 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19.exe
    "C:\Users\Admin\AppData\Local\Temp\defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "KRNL By IceBerg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4016
    • C:\Users\Admin\AppData\Roaming\Boostrapper\KRNL By IceBerg.exe
      "C:\Users\Admin\AppData\Roaming\Boostrapper\KRNL By IceBerg.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "KRNL By IceBerg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Boostrapper\KRNL By IceBerg.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\llPt1GVQb8ho.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:2308
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:2072
          • C:\Users\Admin\AppData\Local\Temp\defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19.exe
            "C:\Users\Admin\AppData\Local\Temp\defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1976

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1976-397-0x0000000000620000-0x00000000006C6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/1976-398-0x0000000000620000-0x00000000006C6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/1976-399-0x0000000005510000-0x0000000005A0E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1976-400-0x0000000005010000-0x00000000050A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1976-401-0x0000000004F90000-0x0000000004F91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-402-0x00000000051B0000-0x0000000005216000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3192-373-0x00000000099C0000-0x00000000099DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3192-163-0x0000000007D30000-0x0000000007D96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3192-133-0x0000000003220000-0x0000000003221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-134-0x0000000004B30000-0x0000000004B66000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3192-136-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-137-0x0000000006FE2000-0x0000000006FE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-138-0x0000000007620000-0x0000000007C48000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3192-139-0x0000000007580000-0x00000000075A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3192-140-0x0000000007C50000-0x0000000007CB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3192-141-0x0000000007D30000-0x0000000007D96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3192-142-0x0000000007F80000-0x00000000082D0000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3192-144-0x0000000008390000-0x00000000083DB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3192-143-0x0000000007DD0000-0x0000000007DEC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3192-379-0x00000000099B0000-0x00000000099B8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3192-374-0x00000000099B0000-0x00000000099B8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3192-147-0x00000000086D0000-0x0000000008746000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3192-368-0x00000000099C0000-0x00000000099DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3192-175-0x0000000006FE3000-0x0000000006FE4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-150-0x0000000003220000-0x0000000003221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-158-0x0000000007620000-0x0000000007C48000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3192-159-0x0000000009500000-0x0000000009533000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3192-160-0x0000000009500000-0x0000000009533000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3192-161-0x0000000007580000-0x00000000075A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3192-162-0x0000000007C50000-0x0000000007CB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3192-132-0x0000000003220000-0x0000000003221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-165-0x00000000086D0000-0x0000000008746000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3192-164-0x0000000008390000-0x00000000083DB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3192-166-0x00000000094E0000-0x00000000094FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3192-174-0x000000007E990000-0x000000007E991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-172-0x0000000009640000-0x00000000096E5000-memory.dmp

        Filesize

        660KB

        Download

      • memory/3192-173-0x0000000009A10000-0x0000000009AA4000-memory.dmp

        Filesize

        592KB

        Download

      • memory/3500-116-0x0000000000450000-0x00000000004F6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/3500-115-0x0000000000450000-0x00000000004F6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/3500-117-0x00000000051C0000-0x00000000056BE000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3500-118-0x0000000004DF0000-0x0000000004E82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3500-119-0x0000000004CC0000-0x00000000051BE000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3500-120-0x00000000056C0000-0x0000000005726000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3500-121-0x0000000005CB0000-0x0000000005CC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3500-122-0x00000000060A0000-0x00000000060DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4048-145-0x0000000005570000-0x00000000055D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4048-127-0x0000000000A20000-0x0000000000AC6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/4048-135-0x0000000002C80000-0x0000000002C81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4048-129-0x0000000000A20000-0x0000000000AC6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/4048-130-0x0000000005830000-0x0000000005D2E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/4048-131-0x00000000053D0000-0x0000000005462000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4048-169-0x0000000006760000-0x000000000676A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4048-146-0x00000000053B0000-0x00000000053C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4048-148-0x00000000065C0000-0x00000000065FE000-memory.dmp

        Filesize

        248KB

        Download