Overview

overview

10

Static

static

f72b3d37ec...de.exe

windows7_x64

10

f72b3d37ec...de.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-04-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe

  • Size

    3.3MB

  • MD5

    4ef58bf7cc5c16dd648a78ad891d93c5

  • SHA1

    ca979396adf363f2674188dab632ec1aa73f2bcc

  • SHA256

    f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de

  • SHA512

    d83c5ca9e63f8fc98615ce808133dabb7501614818e1cef2f476f2a6a193d6d6dc3ed629c5df9c3e67a51317c147683d3e2249ca8f45a4b36470ef40ea7d792d

Score
10/10
quasarvenomratwarzoneratwraith00hrsevasioninfostealerpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Wraith00hrs

C2

100.26.221.183:4782

Mutex

VNM_MUTEX_kv7tSTHxhbSWaYVuIh

Attributes
  • encryption_key

    VyRhk9JpIqX4HHIRBxn8

  • install_name

    windows chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    chrome Startup

  • subdirectory

    SubDir

Extracted

Family

warzonerat

C2

100.26.221.183:5200

Signatures

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 6 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe
    "C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nrqdcmvywlsae.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:3840
        • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2032
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            5⤵
              PID:3144
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmjcrJRiavWv.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2072
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:1120
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:1692
              • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
                "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4216
        • C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe
          "C:\Users\Admin\AppData\Local\Temp\f72b3d37eccda431076b6c55d02aab44f6ca4d3138026b2fd4031593bac4c2de.exe"
          2⤵
          • Adds Run key to start application
          PID:3592

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$77-Venom.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Nrqdcmvywlsae.vbs
        Filesize

        97B

        MD5

        21cf56d4b0a76046820523108fb676e0

        SHA1

        9535221712c50c9a3fa7e06efe5e1efc016f715d

        SHA256

        2f931374cab0f3601d1698f4943f8e4f83cbfc3efb478bf518091ab23642dbc3

        SHA512

        5c2238aece0a82b63a541142dcee3527e3d1baad206d3fb7c3d226fd99c26c1c2d5d4113584be08118316fd5d78c3f7aca2f3d0e957c87f76b92615a24601cd5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UmjcrJRiavWv.bat
        Filesize

        206B

        MD5

        1961318b20e43865cb91006451e41744

        SHA1

        f3199a59d5abbfdb04010e3277be0a1f722823e2

        SHA256

        6da35751f00ee29b6c0dc0fa0a5cf8604c3bef20f72ea35dfd28e3e7c378cbfe

        SHA512

        b69e8d6b5b7b522ff27866d41248a3c4a970ac2f6d73482bcb89030608a7bf249ec83bd76f4399916c71c30cb1c8b255209476fc13b91cf1ec69a99a884086f3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • memory/1120-174-0x0000000000000000-mapping.dmp

        Download

      • memory/1380-130-0x00000000002A0000-0x00000000005F0000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1692-175-0x0000000000000000-mapping.dmp

        Download

      • memory/2032-156-0x0000000000000000-mapping.dmp

        Download

      • memory/2064-131-0x0000000000000000-mapping.dmp

        Download

      • memory/2072-172-0x0000000000000000-mapping.dmp

        Download

      • memory/2148-158-0x0000000006050000-0x000000000605A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2148-148-0x0000000000000000-mapping.dmp

        Download

      • memory/2288-170-0x0000000000000000-mapping.dmp

        Download

      • memory/2628-145-0x0000000006020000-0x0000000006032000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2628-144-0x0000000005000000-0x0000000005066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2628-143-0x0000000005080000-0x0000000005112000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2628-142-0x00000000054D0000-0x0000000005A74000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2628-141-0x00000000006F0000-0x000000000077C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/2628-137-0x0000000000000000-mapping.dmp

        Download

      • memory/2628-146-0x0000000006440000-0x000000000647C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3144-171-0x0000000000000000-mapping.dmp

        Download

      • memory/3592-139-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3592-135-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3592-140-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3592-133-0x0000000000000000-mapping.dmp

        Download

      • memory/3840-147-0x0000000000000000-mapping.dmp

        Download

      • memory/4216-176-0x0000000000000000-mapping.dmp

        Download

      • memory/4800-155-0x0000000005240000-0x00000000052A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4800-163-0x0000000007330000-0x00000000079AA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4800-164-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4800-165-0x0000000006D40000-0x0000000006D4A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4800-166-0x0000000006F70000-0x0000000007006000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4800-167-0x0000000006F20000-0x0000000006F2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4800-168-0x0000000007010000-0x000000000702A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4800-169-0x0000000006F60000-0x0000000006F68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4800-162-0x0000000005D90000-0x0000000005DAE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4800-161-0x000000006FA90000-0x000000006FADC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4800-160-0x0000000005F90000-0x0000000005FC2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4800-159-0x0000000000C55000-0x0000000000C57000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4800-157-0x0000000004750000-0x000000000476E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4800-154-0x0000000004A10000-0x0000000004A32000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4800-153-0x0000000004B10000-0x0000000005138000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4800-152-0x0000000000C60000-0x0000000000C96000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4800-151-0x0000000000000000-mapping.dmp

        Download