Analysis
- max time kernel: 143s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-04-2022 11:49

Static task: static1
Behavioral task: behavioral1
Sample: 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
Resource: win7-20220414-en
General
- Target: 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
- Size: 716KB
- MD5: 57a24eb9bd6fcda2c033c8ca10890e09
- SHA1: 35a011428d3a4020658c294e35527c4205ede798
- SHA256: 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952
- SHA512: 4bdca657fb1faf8bc9ea9459bb022837792483abb87d3bf257609a31e91b5f59af1fa672d588f567779f3b113c1b04a6ef1f81f6ff7c9779a6b4eb917c02e67c
Malware Config
Extracted
- Family: quasar
- Version: 2.1.0.0
- Botnet: Mundo
- C2: 201.111.223.252:6700
- Mutex: VNM_MUTEX_KJflzK0oXUK0jjdJ05
- encryption_key: eSgMT4XlUNEBcxqW7GsH
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Venom Client Startup
- subdirectory: SubDir
Signatures

Contains code to disable Windows Defender (3 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
  resource | yara_rule
  behavioral2/files/0x0007000000022ecd-133.dat | disable_win_def
  behavioral2/files/0x0007000000022ecd-134.dat | disable_win_def
  behavioral2/memory/1552-135-0x0000000000C70000-0x0000000000CFA000-memory.dmp | disable_win_def

Quasar Payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000022ecd-133.dat | family_quasar
  behavioral2/files/0x0007000000022ecd-134.dat | family_quasar
  behavioral2/memory/1552-135-0x0000000000C70000-0x0000000000CFA000-memory.dmp | family_quasar

Executes dropped EXE (1 IoCs)
  pid | Process
  1552 | Pe.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2020 | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
  2020 | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2020 | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
  Token: SeDebugPrivilege | 1552 | Pe.exe
  Token: SeDebugPrivilege | 1552 | Pe.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 1552 | 2020 | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe | 81
  PID 2020 wrote to memory of 1552 | 2020 | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe | 81
  PID 2020 wrote to memory of 1552 | 2020 | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe | 81
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe (PID 2020)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Pe.exe (PID 1552, child of PID 2020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Pe.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 526KB
  MD5: c2f7ea121023823382bd0db241dc61e8
  SHA1: afbe7c9bfe0e4515e022e0342cb8a2541602f675
  SHA256: 4fa410894274212479e682167d2182e16288a718b6afdf09c1f6620976fceca9
  SHA512: 6ec7e64a2b4c171161f9f342b5077819fbcd04e0d5ce190f5c3cdf655a7185323d8fb2ae9699d082f1f8e9d648e321b5b25d286c67e7b0b82ee0d88e24866d77