Overview

overview

10

Static

static

bf9d1ce445...5d.exe

windows7_x64

10

bf9d1ce445...5d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-04-2022 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe

  • Size

    1.1MB

  • MD5

    a7bb91d79310d34d7c94e897257b3b5f

  • SHA1

    156ef770d35ffc4da767fe156a91af27ec2808bd

  • SHA256

    bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d

  • SHA512

    9a067c7d1382b6ab9869345d4f6d524f8ab3c0d862162ad5e48184a35b5dc8ebd9674dd8b81667b78b3e43895e9d97509d63d1642be15d35b390567a47f10284

Score
10/10
quasarvenomratwarzoneratwraith00hrsevasioninfostealerpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Wraith00hrs

C2

100.26.221.183:4782

Mutex

VNM_MUTEX_kv7tSTHxhbSWaYVuIh

Attributes
  • encryption_key

    VyRhk9JpIqX4HHIRBxn8

  • install_name

    windows chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    chrome Startup

  • subdirectory

    SubDir

Extracted

Family

warzonerat

C2

100.26.221.183:5200

Signatures

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 6 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
    "C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cnlfayagwcnd.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4680
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:4800
        • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4556
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4836
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:456
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            5⤵
              PID:4236
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKVrhYM8ZK4R.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4468
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:204
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:4808
              • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
                "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4080
        • C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
          "C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe"
          2⤵
          • Adds Run key to start application
          PID:3856

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$77-Venom.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cnlfayagwcnd.vbs
        Filesize

        97B

        MD5

        21cf56d4b0a76046820523108fb676e0

        SHA1

        9535221712c50c9a3fa7e06efe5e1efc016f715d

        SHA256

        2f931374cab0f3601d1698f4943f8e4f83cbfc3efb478bf518091ab23642dbc3

        SHA512

        5c2238aece0a82b63a541142dcee3527e3d1baad206d3fb7c3d226fd99c26c1c2d5d4113584be08118316fd5d78c3f7aca2f3d0e957c87f76b92615a24601cd5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\uKVrhYM8ZK4R.bat
        Filesize

        206B

        MD5

        6361466db9be91070c236f11a6a88c97

        SHA1

        c0ebcb52beda93f5168533c53a58be7046b84cf6

        SHA256

        d6b43ff6389a693131be6d37f77aa70a665070140c06d1431bdf36fc3622e46f

        SHA512

        7bbd2ab619cdae0dbfb4fa147833eb359826c31babec4f748d9f4091b6fb823583efffdc8646a04d3449d99bf1fcf20093d671c11b204db4cbb45936279eb465

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
        Filesize

        534KB

        MD5

        4ad1c7279f350bad69cec245674fbdbd

        SHA1

        af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

        SHA256

        9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

        SHA512

        740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

        Download Submit

      • memory/204-174-0x0000000000000000-mapping.dmp

        Download

      • memory/456-170-0x0000000000000000-mapping.dmp

        Download

      • memory/2372-158-0x00000000065F0000-0x00000000065FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2372-148-0x0000000000000000-mapping.dmp

        Download

      • memory/3856-141-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3856-143-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3856-138-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3856-136-0x0000000000000000-mapping.dmp

        Download

      • memory/4080-176-0x0000000000000000-mapping.dmp

        Download

      • memory/4236-171-0x0000000000000000-mapping.dmp

        Download

      • memory/4468-172-0x0000000000000000-mapping.dmp

        Download

      • memory/4556-157-0x0000000000000000-mapping.dmp

        Download

      • memory/4680-137-0x0000000000E20000-0x0000000000EAC000-memory.dmp

        Filesize

        560KB

        Download

      • memory/4680-146-0x0000000006970000-0x00000000069AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4680-145-0x0000000006550000-0x0000000006562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4680-144-0x0000000005930000-0x0000000005996000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4680-142-0x0000000005790000-0x0000000005822000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4680-140-0x0000000005CA0000-0x0000000006244000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4680-134-0x0000000000000000-mapping.dmp

        Download

      • memory/4800-147-0x0000000000000000-mapping.dmp

        Download

      • memory/4808-175-0x0000000000000000-mapping.dmp

        Download

      • memory/4836-155-0x0000000006070000-0x00000000060D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4836-169-0x0000000007D50000-0x0000000007D58000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4836-162-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4836-163-0x0000000008070000-0x00000000086EA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4836-164-0x0000000007A30000-0x0000000007A4A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4836-165-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4836-166-0x0000000007CB0000-0x0000000007D46000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4836-167-0x0000000007C60000-0x0000000007C6E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4836-168-0x0000000007D70000-0x0000000007D8A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4836-161-0x0000000070580000-0x00000000705CC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4836-160-0x00000000078E0000-0x0000000007912000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4836-159-0x00000000052B5000-0x00000000052B7000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4836-156-0x0000000006340000-0x000000000635E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4836-151-0x0000000000000000-mapping.dmp

        Download

      • memory/4836-154-0x0000000005FD0000-0x0000000005FF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4836-153-0x00000000058F0000-0x0000000005F18000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4836-152-0x0000000005180000-0x00000000051B6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4888-131-0x0000000000000000-mapping.dmp

        Download

      • memory/5076-130-0x0000000000490000-0x00000000005B6000-memory.dmp

        Filesize

        1.1MB

        Download