Overview

overview

10

Static

static

6342882a03...92.exe

windows7_x64

10

6342882a03...92.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294222s
  • max time network
    198s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    24-03-2022 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

  • Size

    663KB

  • MD5

    ce171e0a1a242feebb1ea67a852fe6cd

  • SHA1

    25c0ae74d178e052aac7a4f49f26bf1c65e410ce

  • SHA256

    6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

  • SHA512

    8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

82.153.167.249:4782

Mutex

VNM_MUTEX_madi8mVzHkv9VeMWQh

Attributes
  • encryption_key

    T2hhcYUj1x3W0YPA9otN

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 8 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 8 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
    "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
    1⤵
    • Windows security modification
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
      "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
      2⤵
      • Loads dropped DLL
      • Windows security modification
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:856
        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1732
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1736
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1684
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:896
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\RZHFMVT1HQPf.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:988
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:916
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:360
            • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
              "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
              4⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1436
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe" -Force
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:948
              • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
                "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1608
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1712
                5⤵
                • Program crash
                PID:1980
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1704
          2⤵
          • Program crash
          PID:1000

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/856-86-0x000000006E0A0000-0x000000006E64B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/948-116-0x000000006DC20000-0x000000006E1CB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1048-54-0x0000000000EE0000-0x0000000000F8C000-memory.dmp

        Filesize

        688KB

        Download

      • memory/1048-55-0x0000000000DB0000-0x0000000000E50000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1272-78-0x00000000011B0000-0x000000000125C000-memory.dmp

        Filesize

        688KB

        Download

      • memory/1300-63-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1300-61-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1300-70-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1300-60-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1300-64-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1300-65-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1300-68-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1712-57-0x00000000749A1000-0x00000000749A3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1712-58-0x000000006EC00000-0x000000006F1AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1712-59-0x0000000002350000-0x0000000002F9A000-memory.dmp

        Filesize

        12.3MB

        Download

      • memory/1976-85-0x000000006E0A0000-0x000000006E64B000-memory.dmp

        Filesize

        5.7MB

        Download