Analysis

  • max time kernel
    169s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    14-04-2022 13:35

General

  • Target

    34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e.exe

  • Size

    1.2MB

  • MD5

    a7850e7c98d51d8143fac5ea73a8b7c1

  • SHA1

    d983449e7e47fd7abd80ebcd7e00941bcfe59c50

  • SHA256

    34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e

  • SHA512

    a8c91d8f41e57cb3e6e5247a17a4e9e103d64f7b53a4e2b8da7e9d1ee7c4578f9c191fd25a9f422d175034e59492535ee8d19045a1ac2ec836959527d23c48b9

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

shooter00hrs

C2

185.219.134.245:4782

Mutex

VNM_MUTEX_ZFDh9LaTbTmwqFwo3L

Attributes
  • encryption_key

    wGYjrQIx5abERLvzC8Zu

  • install_name

    windows chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    chrome Startup

  • subdirectory

    SubDir

Extracted

Family

warzonerat

C2

185.219.134.245:5200

Signatures

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Quasar Payload 6 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

  • Warzone RAT Payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e.exe
    "C:\Users\Admin\AppData\Local\Temp\34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pxjdcddn.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4112
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:2108
        • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4104
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3868
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            5⤵
              PID:1152
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYTPdSoxliTn.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1300
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:3764
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:3948
              • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
                "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1852
        • C:\Users\Admin\AppData\Local\Temp\34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e.exe
          "C:\Users\Admin\AppData\Local\Temp\34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e.exe"
          2⤵
          • Adds Run key to start application
          PID:4060
        • C:\Users\Admin\AppData\Local\Temp\34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e.exe
          "C:\Users\Admin\AppData\Local\Temp\34e12b6ed242c02d15dca535ad869485e2ac55491e46181ce08ede26957bd94e.exe"
          2⤵
            PID:4124

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$77-Venom.exe.log

          Filesize

          1KB

          MD5

          8013ca45a4b68a281377f2c7b517ac8a

          SHA1

          aff79b7c8f408e5ae6f00cf9d83e2fd95d9affc3

          SHA256

          234381ea204c431d0936c4141a38381629938e4f5d40dd0ef01de6a282abbae7

          SHA512

          428305df713c12d2165303a9b0433c83a0e3f3088a9551deb6403e9351814c38c2377e7c22ede57bcd23ca764e02fce431c52aba6bf4b998b89a518129fda2d6

        • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe

          Filesize

          534KB

          MD5

          3702c2b44a1d4877f4d1187be6c33958

          SHA1

          4755c7d9fb0582f94b8feb44be9d3c70031a0f33

          SHA256

          295277e76cfe8b80f6a2a9db2c69fdd2b36b4866b35fdec4cd7d6c67faecceb6

          SHA512

          11d073f0a6120a3fc874fed5162810c780f52adfb21f8c9cf2720991c7ea6236a0bb5be28b40f35819c21db354dda52b818479104d50be9bd89b3d901c209aca

        • C:\Users\Admin\AppData\Local\Temp\Pxjdcddn.vbs

          Filesize

          97B

          MD5

          21cf56d4b0a76046820523108fb676e0

          SHA1

          9535221712c50c9a3fa7e06efe5e1efc016f715d

          SHA256

          2f931374cab0f3601d1698f4943f8e4f83cbfc3efb478bf518091ab23642dbc3

          SHA512

          5c2238aece0a82b63a541142dcee3527e3d1baad206d3fb7c3d226fd99c26c1c2d5d4113584be08118316fd5d78c3f7aca2f3d0e957c87f76b92615a24601cd5

        • C:\Users\Admin\AppData\Local\Temp\dYTPdSoxliTn.bat

          Filesize

          206B

          MD5

          d045daa5fdb8107cbfab2fcc28e79bd5

          SHA1

          4fb8742b20bef4f1b542ea7b04e1e113affd4db8

          SHA256

          622a13ceda43477f905c6308f23c3d80b6a690ab179e6005c86e82859c033ad1

          SHA512

          0389093d6c9341ac0eb365b0edee7b6c70009510be16cfa56910ad56190a80a284db579a5da6510e3f57ffe8650694951262d6d2bfc697e5be15027ef535c582

        • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe

          Filesize

          534KB

          MD5

          3702c2b44a1d4877f4d1187be6c33958

          SHA1

          4755c7d9fb0582f94b8feb44be9d3c70031a0f33

          SHA256

          295277e76cfe8b80f6a2a9db2c69fdd2b36b4866b35fdec4cd7d6c67faecceb6

          SHA512

          11d073f0a6120a3fc874fed5162810c780f52adfb21f8c9cf2720991c7ea6236a0bb5be28b40f35819c21db354dda52b818479104d50be9bd89b3d901c209aca

        • memory/2344-153-0x0000000005F80000-0x0000000005FBC000-memory.dmp

          Filesize

          240KB

        • memory/2344-155-0x0000000006310000-0x000000000631A000-memory.dmp

          Filesize

          40KB

        • memory/3012-124-0x0000000000ED0000-0x0000000000FFC000-memory.dmp

          Filesize

          1.2MB

        • memory/3012-127-0x0000000005960000-0x000000000597E000-memory.dmp

          Filesize

          120KB

        • memory/3012-126-0x0000000005980000-0x00000000059F6000-memory.dmp

          Filesize

          472KB

        • memory/3012-125-0x0000000005E70000-0x0000000006414000-memory.dmp

          Filesize

          5.6MB

        • memory/3868-161-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

          Filesize

          104KB

        • memory/3868-157-0x0000000007860000-0x0000000007892000-memory.dmp

          Filesize

          200KB

        • memory/3868-148-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

          Filesize

          216KB

        • memory/3868-149-0x0000000005BA0000-0x00000000061C8000-memory.dmp

          Filesize

          6.2MB

        • memory/3868-150-0x0000000005A80000-0x0000000005AA2000-memory.dmp

          Filesize

          136KB

        • memory/3868-151-0x00000000061D0000-0x0000000006236000-memory.dmp

          Filesize

          408KB

        • memory/3868-152-0x00000000068D0000-0x00000000068EE000-memory.dmp

          Filesize

          120KB

        • memory/3868-166-0x0000000007E60000-0x0000000007E68000-memory.dmp

          Filesize

          32KB

        • memory/3868-165-0x0000000007F10000-0x0000000007F2A000-memory.dmp

          Filesize

          104KB

        • memory/3868-156-0x0000000005565000-0x0000000005567000-memory.dmp

          Filesize

          8KB

        • memory/3868-164-0x0000000007E20000-0x0000000007E2E000-memory.dmp

          Filesize

          56KB

        • memory/3868-158-0x0000000070640000-0x000000007068C000-memory.dmp

          Filesize

          304KB

        • memory/3868-159-0x0000000006C90000-0x0000000006CAE000-memory.dmp

          Filesize

          120KB

        • memory/3868-160-0x0000000008220000-0x000000000889A000-memory.dmp

          Filesize

          6.5MB

        • memory/3868-163-0x0000000007E70000-0x0000000007F06000-memory.dmp

          Filesize

          600KB

        • memory/3868-162-0x0000000007B70000-0x0000000007B7A000-memory.dmp

          Filesize

          40KB

        • memory/4060-140-0x0000000000400000-0x0000000000554000-memory.dmp

          Filesize

          1.3MB

        • memory/4060-136-0x0000000000400000-0x0000000000554000-memory.dmp

          Filesize

          1.3MB

        • memory/4060-139-0x0000000000400000-0x0000000000554000-memory.dmp

          Filesize

          1.3MB

        • memory/4112-137-0x00000000057B0000-0x0000000005842000-memory.dmp

          Filesize

          584KB

        • memory/4112-141-0x0000000005710000-0x0000000005776000-memory.dmp

          Filesize

          408KB

        • memory/4112-134-0x0000000000DF0000-0x0000000000E7C000-memory.dmp

          Filesize

          560KB

        • memory/4112-142-0x0000000006520000-0x0000000006532000-memory.dmp

          Filesize

          72KB