Overview

overview

10

Static

static

150ba1e4f4...c8.exe

windows7_x64

10

150ba1e4f4...c8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-04-2022 04:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe

  • Size

    1.2MB

  • MD5

    a56950b911b53a07e64b1a2f87c2907c

  • SHA1

    2d61afb037ac5ce044b5258b581b28badffae235

  • SHA256

    150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8

  • SHA512

    16a3417b212243bb8bb9814636f364971292a75cf2901d936141ddb7afa7ad63da52bcbfa429de7f867ac05fa71d7c7c34459d3e86243cecfeee46f34ccf0bcc

Score
10/10
quasarvenomratwarzoneratwraith00hrsevasioninfostealerpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

warzonerat

C2

100.26.221.183:5200

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Wraith00hrs

C2

100.26.221.183:4782

Mutex

VNM_MUTEX_kv7tSTHxhbSWaYVuIh

Attributes
  • encryption_key

    VyRhk9JpIqX4HHIRBxn8

  • install_name

    windows chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    chrome Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 6 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
    "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ucjyesajhla.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe
        "C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1616
        • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4416
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4808
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4396
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3956
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            5⤵
              PID:2208
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaabZwTzf5PP.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2440
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:1840
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:4084
              • C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe
                "C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3496
        • C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
          "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
          2⤵
          • Adds Run key to start application
          PID:5044

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CreativeCloudv.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JaabZwTzf5PP.bat
        Filesize

        211B

        MD5

        1217506aad2f753c7cac627866546e80

        SHA1

        976d60c056c216abbe8a2bf6cad628be17a3d66e

        SHA256

        7eb02bc66bc22313bf3cff222f037452c713b655db92643bf728144d16c1a8da

        SHA512

        b01be6cbd36fe151080a56d2013cbf70f41ec533afe66fd81e6967820068f782bb010a6b8bb26878f4d9d0de167130d0f154fae4c4ef47b526d626d96c93635f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Ucjyesajhla.vbs
        Filesize

        102B

        MD5

        4e190d8967b1a3444f9415b850f7f1de

        SHA1

        ba0336117fd8f29d19befb740d702cb32b9458ec

        SHA256

        5968a1b0a70ee3af256dbbc94ea040822985a965b68fa5964037b25231a1151d

        SHA512

        5afbd7492274ec2abb6d6fae4bd5f97f684fe1f27e11f73e4548b16a93f50fddb889a0747e2171345ededa8674ee8c50508cb7db188ca30a468c590075f528e8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • memory/1616-147-0x0000000000000000-mapping.dmp

        Download

      • memory/1692-131-0x0000000000000000-mapping.dmp

        Download

      • memory/1840-173-0x0000000000000000-mapping.dmp

        Download

      • memory/2208-170-0x0000000000000000-mapping.dmp

        Download

      • memory/2440-171-0x0000000000000000-mapping.dmp

        Download

      • memory/3496-175-0x0000000000000000-mapping.dmp

        Download

      • memory/3956-169-0x0000000000000000-mapping.dmp

        Download

      • memory/4084-174-0x0000000000000000-mapping.dmp

        Download

      • memory/4396-164-0x0000000007A10000-0x0000000007A1A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4396-162-0x0000000007FE0000-0x000000000865A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4396-168-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4396-167-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4396-151-0x0000000000000000-mapping.dmp

        Download

      • memory/4396-152-0x0000000002D70000-0x0000000002DA6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4396-153-0x00000000059C0000-0x0000000005FE8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4396-154-0x00000000057E0000-0x0000000005802000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4396-155-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4396-156-0x00000000066A0000-0x00000000066BE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4396-166-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4396-165-0x0000000007C20000-0x0000000007CB6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4396-159-0x0000000006C60000-0x0000000006C92000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4396-160-0x00000000702B0000-0x00000000702FC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4396-161-0x0000000006C40000-0x0000000006C5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4396-163-0x00000000079A0000-0x00000000079BA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4416-158-0x00000000064B0000-0x00000000064BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4416-148-0x0000000000000000-mapping.dmp

        Download

      • memory/4536-141-0x0000000005AF0000-0x0000000006094000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4536-145-0x00000000055C0000-0x00000000055D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4536-144-0x0000000005980000-0x00000000059E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4536-143-0x00000000055E0000-0x0000000005672000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4536-146-0x0000000006A30000-0x0000000006A6C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4536-137-0x0000000000000000-mapping.dmp

        Download

      • memory/4536-140-0x0000000000BA0000-0x0000000000C2C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/4760-130-0x0000000000F50000-0x0000000001084000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4808-157-0x0000000000000000-mapping.dmp

        Download

      • memory/5044-142-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/5044-138-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/5044-134-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/5044-133-0x0000000000000000-mapping.dmp

        Download