Overview

overview

10

Static

static

f72b3d37ec...de.exe

windows7_x64

10

f72b3d37ec...de.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-04-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe

  • Size

    3.3MB

  • MD5

    4ef58bf7cc5c16dd648a78ad891d93c5

  • SHA1

    ca979396adf363f2674188dab632ec1aa73f2bcc

  • SHA256

    f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de

  • SHA512

    d83c5ca9e63f8fc98615ce808133dabb7501614818e1cef2f476f2a6a193d6d6dc3ed629c5df9c3e67a51317c147683d3e2249ca8f45a4b36470ef40ea7d792d

Score
10/10
quasarvenomratwarzoneratwraith00hrsevasioninfostealerpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Wraith00hrs

C2

100.26.221.183:4782

Mutex

VNM_MUTEX_kv7tSTHxhbSWaYVuIh

Attributes
  • encryption_key

    VyRhk9JpIqX4HHIRBxn8

  • install_name

    windows chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    chrome Startup

  • subdirectory

    SubDir

Extracted

Family

warzonerat

C2

100.26.221.183:5200

Signatures

  • Contains code to disable Windows Defender 11 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 11 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 8 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe
    "C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nrqdcmvywlsae.vbs"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1740
        • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1580
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1208
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            5⤵
              PID:1328
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\3mtS5A90YvRE.bat" "
            4⤵
            • Loads dropped DLL
            PID:928
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:1728
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:1292
              • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
                "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1100
        • C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe
          "C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe"
          2⤵
          • Adds Run key to start application
          PID:1760

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Nrqdcmvywlsae.vbs
        Filesize

        97B

        MD5

        21cf56d4b0a76046820523108fb676e0

        SHA1

        9535221712c50c9a3fa7e06efe5e1efc016f715d

        SHA256

        2f931374cab0f3601d1698f4943f8e4f83cbfc3efb478bf518091ab23642dbc3

        SHA512

        5c2238aece0a82b63a541142dcee3527e3d1baad206d3fb7c3d226fd99c26c1c2d5d4113584be08118316fd5d78c3f7aca2f3d0e957c87f76b92615a24601cd5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • \Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • \Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • \Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • memory/552-56-0x0000000000000000-mapping.dmp

        Download

      • memory/552-58-0x0000000076241000-0x0000000076243000-memory.dmp

        Filesize

        8KB

        Download

      • memory/928-84-0x0000000000000000-mapping.dmp

        Download

      • memory/1100-87-0x0000000000A50000-0x0000000000ADC000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1208-81-0x000000006F0C0000-0x000000006F66B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1208-78-0x0000000000000000-mapping.dmp

        Download

      • memory/1248-73-0x0000000000000000-mapping.dmp

        Download

      • memory/1248-76-0x00000000000F0000-0x000000000017C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1328-83-0x0000000000000000-mapping.dmp

        Download

      • memory/1352-63-0x0000000000250000-0x000000000026C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1352-54-0x00000000009D0000-0x0000000000D20000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1352-55-0x0000000000D90000-0x0000000000E22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1580-80-0x0000000000000000-mapping.dmp

        Download

      • memory/1664-82-0x0000000000000000-mapping.dmp

        Download

      • memory/1740-71-0x0000000000000000-mapping.dmp

        Download

      • memory/1756-64-0x0000000000230000-0x00000000002BC000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1756-61-0x0000000000000000-mapping.dmp

        Download

      • memory/1760-65-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-66-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-69-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-89-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-90-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-92-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-93-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-94-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-95-0x0000000000405CE2-mapping.dmp

        Download

      • memory/1760-98-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1760-99-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download