Overview

overview

10

Static

static

472b809159...04.exe

windows7_x64

1

472b809159...04.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    12s
  • max time network
    56s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-05-2022 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04.exe

  • Size

    962KB

  • MD5

    2d8a7a711bf1308a13f02f36ad88bf3b

  • SHA1

    df45338383fda3fdc745c9564b76ebd84aaffe19

  • SHA256

    472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04

  • SHA512

    1cc23482ce5a3ae33713c1aebb6ef503d211512934d12b873ba86d140f9d042dbbd1544aa399b5fefa5a371e24209a21f5994146d7cda9c5ffc63c4b0005b74a

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

codexm0106.ddns.net:1177

Mutex

VNM_MUTEX_Xnd6D5iIpqWwMJAqx5

Attributes
  • encryption_key

    iN4UZnXEraSZhG0zbaFO

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    2000

  • startup_key

    windows startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04.exe
    "C:\Users\Admin\AppData\Local\Temp\472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04.exe
      "C:\Users\Admin\AppData\Local\Temp\472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04.exe"
      2⤵
      • Windows security modification
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4500
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          4⤵
          • Executes dropped EXE
          PID:960
        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:864
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3964
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LJ1rKPwzUCOv.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5060
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
                PID:3700
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:1992
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2272
              5⤵
              • Program crash
              PID:372
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 864 -ip 864
      1⤵
        PID:3364

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\LJ1rKPwzUCOv.bat
        Filesize

        207B

        MD5

        f1788c991f03bf9d9beb2fce24771813

        SHA1

        ca3a96711709daf6224ee397a44f5f7f425c41fc

        SHA256

        47fbdaac20cc03489e0a78ab94aa0b8d4725a3343cb38028f3f49e42587b1ad8

        SHA512

        d9a54d8b21d239bb1e9658922f42b5e53b8dfd3b0531bb6fb0c0fc286c1759770c6d265267c4b265920c80f9ea1e48f19a56ace8986bd2e87861888d8992408b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        962KB

        MD5

        2d8a7a711bf1308a13f02f36ad88bf3b

        SHA1

        df45338383fda3fdc745c9564b76ebd84aaffe19

        SHA256

        472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04

        SHA512

        1cc23482ce5a3ae33713c1aebb6ef503d211512934d12b873ba86d140f9d042dbbd1544aa399b5fefa5a371e24209a21f5994146d7cda9c5ffc63c4b0005b74a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        962KB

        MD5

        2d8a7a711bf1308a13f02f36ad88bf3b

        SHA1

        df45338383fda3fdc745c9564b76ebd84aaffe19

        SHA256

        472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04

        SHA512

        1cc23482ce5a3ae33713c1aebb6ef503d211512934d12b873ba86d140f9d042dbbd1544aa399b5fefa5a371e24209a21f5994146d7cda9c5ffc63c4b0005b74a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        962KB

        MD5

        2d8a7a711bf1308a13f02f36ad88bf3b

        SHA1

        df45338383fda3fdc745c9564b76ebd84aaffe19

        SHA256

        472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04

        SHA512

        1cc23482ce5a3ae33713c1aebb6ef503d211512934d12b873ba86d140f9d042dbbd1544aa399b5fefa5a371e24209a21f5994146d7cda9c5ffc63c4b0005b74a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        962KB

        MD5

        2d8a7a711bf1308a13f02f36ad88bf3b

        SHA1

        df45338383fda3fdc745c9564b76ebd84aaffe19

        SHA256

        472b8091593a2fef317573e75d7bd424ba67b164c0aaaa06c26de6b15d19bb04

        SHA512

        1cc23482ce5a3ae33713c1aebb6ef503d211512934d12b873ba86d140f9d042dbbd1544aa399b5fefa5a371e24209a21f5994146d7cda9c5ffc63c4b0005b74a

        Download Submit

      • memory/864-146-0x0000000000000000-mapping.dmp

        Download

      • memory/864-154-0x0000000006C90000-0x0000000006C9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/960-144-0x0000000000000000-mapping.dmp

        Download

      • memory/1992-163-0x0000000000000000-mapping.dmp

        Download

      • memory/3700-160-0x0000000000000000-mapping.dmp

        Download

      • memory/3964-153-0x0000000000000000-mapping.dmp

        Download

      • memory/4032-137-0x0000000006A90000-0x0000000006ACC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4032-136-0x0000000006520000-0x0000000006532000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4032-135-0x0000000005910000-0x0000000005976000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4032-134-0x0000000000400000-0x00000000004C4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/4032-133-0x0000000000000000-mapping.dmp

        Download

      • memory/4048-155-0x00000000068F0000-0x0000000006922000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4048-156-0x000000006F940000-0x000000006F98C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4048-149-0x0000000005620000-0x0000000005C48000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4048-150-0x0000000005390000-0x00000000053B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4048-151-0x0000000005530000-0x0000000005596000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4048-152-0x0000000006320000-0x000000000633E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4048-141-0x0000000000000000-mapping.dmp

        Download

      • memory/4048-165-0x00000000078C0000-0x0000000007956000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4048-164-0x00000000076B0000-0x00000000076BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4048-143-0x00000000029E0000-0x0000000002A16000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4048-157-0x00000000068D0000-0x00000000068EE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4048-162-0x0000000007640000-0x000000000765A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4048-161-0x0000000007C80000-0x00000000082FA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4200-139-0x0000000000000000-mapping.dmp

        Download

      • memory/4296-132-0x00000000058D0000-0x0000000005962000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4296-131-0x0000000005E80000-0x0000000006424000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4296-130-0x0000000000E60000-0x0000000000F56000-memory.dmp

        Filesize

        984KB

        Download

      • memory/4500-138-0x0000000000000000-mapping.dmp

        Download

      • memory/5060-158-0x0000000000000000-mapping.dmp

        Download