Overview

overview

10

Static

static

e0e76e89c5...4d.exe

windows7_x64

10

e0e76e89c5...4d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    33s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-04-2022 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe

  • Size

    644KB

  • MD5

    ba6403b11dfc7faf3eabf9a6c71c38e4

  • SHA1

    19a7760b1bfa03b9a650462e4e9d8a08f1ce069f

  • SHA256

    e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d

  • SHA512

    491e26588db0033dfcd1580aaeb1ddd8a23d19b71dea6a0b2f50b3175b2b758ffd310b978dd38a2ba8e40c6692d1adfc6f753a99abe9e5a09b891beb051a0807

Score
10/10
quasarvenomratwindows securityevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_px0s48GfhAUBhjVpWU

Attributes
  • encryption_key

    yvDiKJ3lhd7v25pBa6mQ

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe
    "C:\Users\Admin\AppData\Local\Temp\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Users\Admin\AppData\Local\Temp\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe
      "C:\Users\Admin\AppData\Local\Temp\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Local\Temp\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe
        "C:\Users\Admin\AppData\Local\Temp\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe"
        3⤵
        • Windows security modification
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:3720
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2168
            • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
              "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
              6⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1540
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe" /rl HIGHEST /f
                7⤵
                • Creates scheduled task(s)
                PID:112
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCPhKncHg1wZ.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2224
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                    PID:3680
                  • C:\Windows\SysWOW64\PING.EXE
                    ping -n 10 localhost
                    8⤵
                    • Runs ping.exe
                    PID:4400
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1984
                  7⤵
                  • Program crash
                  PID:4856
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1540 -ip 1540
      1⤵
        PID:2716

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe.log
        Filesize

        507B

        MD5

        76ffb2f33cb32ade8fc862a67599e9d8

        SHA1

        920cc4ab75b36d2f9f6e979b74db568973c49130

        SHA256

        f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

        SHA512

        f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe.log
        Filesize

        507B

        MD5

        76ffb2f33cb32ade8fc862a67599e9d8

        SHA1

        920cc4ab75b36d2f9f6e979b74db568973c49130

        SHA256

        f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

        SHA512

        f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\KCPhKncHg1wZ.bat
        Filesize

        217B

        MD5

        03b89e4b80ef1b86c93c0ed58fb2b3f4

        SHA1

        cbfe9fc7c682c63085ac3d1973c7c320602798df

        SHA256

        610688f08ea33ef01b57321305a977fba5c2e546c0a24f47768fa56bae1a7a4a

        SHA512

        9e5de88b61404d019e7c315a837d933635975ed31a293e83369bb09835bc5f3c8b862b43fb6293ce409969f9a35e50d00262b0e8b1900851af3272b45faac755

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        Filesize

        644KB

        MD5

        ba6403b11dfc7faf3eabf9a6c71c38e4

        SHA1

        19a7760b1bfa03b9a650462e4e9d8a08f1ce069f

        SHA256

        e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d

        SHA512

        491e26588db0033dfcd1580aaeb1ddd8a23d19b71dea6a0b2f50b3175b2b758ffd310b978dd38a2ba8e40c6692d1adfc6f753a99abe9e5a09b891beb051a0807

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        Filesize

        644KB

        MD5

        ba6403b11dfc7faf3eabf9a6c71c38e4

        SHA1

        19a7760b1bfa03b9a650462e4e9d8a08f1ce069f

        SHA256

        e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d

        SHA512

        491e26588db0033dfcd1580aaeb1ddd8a23d19b71dea6a0b2f50b3175b2b758ffd310b978dd38a2ba8e40c6692d1adfc6f753a99abe9e5a09b891beb051a0807

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        Filesize

        644KB

        MD5

        ba6403b11dfc7faf3eabf9a6c71c38e4

        SHA1

        19a7760b1bfa03b9a650462e4e9d8a08f1ce069f

        SHA256

        e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d

        SHA512

        491e26588db0033dfcd1580aaeb1ddd8a23d19b71dea6a0b2f50b3175b2b758ffd310b978dd38a2ba8e40c6692d1adfc6f753a99abe9e5a09b891beb051a0807

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        Filesize

        644KB

        MD5

        ba6403b11dfc7faf3eabf9a6c71c38e4

        SHA1

        19a7760b1bfa03b9a650462e4e9d8a08f1ce069f

        SHA256

        e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d

        SHA512

        491e26588db0033dfcd1580aaeb1ddd8a23d19b71dea6a0b2f50b3175b2b758ffd310b978dd38a2ba8e40c6692d1adfc6f753a99abe9e5a09b891beb051a0807

        Download Submit

      • memory/112-159-0x0000000000000000-mapping.dmp

        Download

      • memory/864-140-0x0000000006560000-0x0000000006572000-memory.dmp

        Filesize

        72KB

        Download

      • memory/864-141-0x0000000006AD0000-0x0000000006B0C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/864-137-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/864-136-0x0000000000000000-mapping.dmp

        Download

      • memory/864-139-0x0000000005940000-0x00000000059A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1540-160-0x00000000066B0000-0x00000000066BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1540-153-0x0000000000000000-mapping.dmp

        Download

      • memory/2168-148-0x0000000000000000-mapping.dmp

        Download

      • memory/2224-164-0x0000000000000000-mapping.dmp

        Download

      • memory/2956-134-0x0000000000000000-mapping.dmp

        Download

      • memory/2956-135-0x0000000000400000-0x0000000000492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3680-166-0x0000000000000000-mapping.dmp

        Download

      • memory/3720-142-0x0000000000000000-mapping.dmp

        Download

      • memory/4400-167-0x0000000000000000-mapping.dmp

        Download

      • memory/4408-132-0x0000000005820000-0x00000000058B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4408-133-0x00000000058C0000-0x000000000595C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4408-131-0x0000000005C50000-0x00000000061F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4408-130-0x0000000000D20000-0x0000000000DC8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/4620-143-0x0000000000000000-mapping.dmp

        Download

      • memory/4656-146-0x0000000000000000-mapping.dmp

        Download

      • memory/4656-158-0x0000000006820000-0x000000000683E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4656-161-0x0000000006DF0000-0x0000000006E22000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4656-162-0x0000000070160000-0x00000000701AC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4656-163-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4656-157-0x0000000006080000-0x00000000060E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4656-156-0x0000000005950000-0x0000000005972000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4656-152-0x00000000059E0000-0x0000000006008000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4656-147-0x0000000002F10000-0x0000000002F46000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4656-168-0x0000000008240000-0x00000000088BA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4656-169-0x0000000007920000-0x000000000793A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4656-170-0x0000000007990000-0x000000000799A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4656-171-0x0000000007DB0000-0x0000000007E46000-memory.dmp

        Filesize

        600KB

        Download