Overview

overview

10

Static

static

6342882a03...92.exe

windows7_x64

10

6342882a03...92.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    184s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    24-03-2022 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

  • Size

    663KB

  • MD5

    ce171e0a1a242feebb1ea67a852fe6cd

  • SHA1

    25c0ae74d178e052aac7a4f49f26bf1c65e410ce

  • SHA256

    6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

  • SHA512

    8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

82.153.167.249:4782

Mutex

VNM_MUTEX_madi8mVzHkv9VeMWQh

Attributes
  • encryption_key

    T2hhcYUj1x3W0YPA9otN

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 12 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 43 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
    "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
    1⤵
    • Checks computer location settings
    • Windows security modification
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4788
    • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
      "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
      2⤵
      • Checks computer location settings
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Windows security modification
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4504
        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          4⤵
          • Executes dropped EXE
          PID:948
        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 2148
          4⤵
          • Program crash
          PID:1992
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:1040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5VoUjiKHLKbe.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3736
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:2416
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:3096
            • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
              "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
              4⤵
              • Checks computer location settings
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4640
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe" -Force
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:660
              • C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
                "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1672
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 2120
                5⤵
                • Program crash
                PID:4184
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2136
          2⤵
          • Program crash
          PID:4252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420
        1⤵
          PID:3092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 780 -ip 780
          1⤵
            PID:1604
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4640 -ip 4640
            1⤵
              PID:2704

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/660-188-0x0000000002AC5000-0x0000000002AC7000-memory.dmp

              Filesize

              8KB

              Download

            • memory/660-187-0x000000006F330000-0x000000006F37C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1988-164-0x000000006F4C0000-0x000000006F50C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1988-162-0x00000000049E5000-0x00000000049E7000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3552-142-0x00000000056A0000-0x0000000005732000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3552-143-0x0000000006660000-0x0000000006672000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3552-141-0x0000000000400000-0x000000000048C000-memory.dmp

              Filesize

              560KB

              Download

            • memory/3552-144-0x0000000006BC0000-0x0000000006BFC000-memory.dmp

              Filesize

              240KB

              Download

            • memory/4420-130-0x0000000000E60000-0x0000000000F0C000-memory.dmp

              Filesize

              688KB

              Download

            • memory/4420-132-0x0000000005D50000-0x00000000062F4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4420-131-0x00000000056F0000-0x000000000578C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/4504-165-0x0000000004E35000-0x0000000004E37000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4504-166-0x000000006F4C0000-0x000000006F50C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4504-168-0x0000000007830000-0x000000000783E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4504-169-0x0000000007950000-0x000000000796A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4788-138-0x0000000005770000-0x00000000057D6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4788-161-0x00000000071A0000-0x00000000071AA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4788-136-0x0000000004DE0000-0x0000000004E02000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4788-135-0x00000000050D0000-0x00000000056F8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4788-170-0x0000000007440000-0x0000000007448000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4788-139-0x0000000005E10000-0x0000000005E2E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4788-150-0x000000006F4C0000-0x000000006F50C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4788-134-0x0000000002490000-0x00000000024C6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/4788-163-0x00000000073A0000-0x0000000007436000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4788-137-0x0000000005000000-0x0000000005066000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4788-149-0x0000000006DF0000-0x0000000006E22000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4788-151-0x0000000002595000-0x0000000002597000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4788-155-0x0000000007110000-0x000000000712A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4788-153-0x0000000007760000-0x0000000007DDA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/4788-152-0x00000000063D0000-0x00000000063EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4960-167-0x0000000006CB0000-0x0000000006CBA000-memory.dmp

              Filesize

              40KB

              Download