Analysis

  • max time kernel
    140s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-05-2022 20:09

General

  • Target

    d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

  • Size

    664KB

  • MD5

    1f2f26a299287d8353502a9133df4cf1

  • SHA1

    ee40f71067f91d23841e2f2f2b178a153e0f4e07

  • SHA256

    d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

  • SHA512

    135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

karmina113.sytes.net:2222

karmina200.sytes.net:2222

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    Utv1d8B5zhHYcWfy3OEQ

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
    "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
      "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
      2⤵
      • Checks computer location settings
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1860
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3392
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:4908

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

      Filesize

      425B

      MD5

      4eaca4566b22b01cd3bc115b9b0b2196

      SHA1

      e743e0792c19f71740416e7b3c061d9f1336bf94

      SHA256

      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

      SHA512

      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe.log

      Filesize

      425B

      MD5

      4eaca4566b22b01cd3bc115b9b0b2196

      SHA1

      e743e0792c19f71740416e7b3c061d9f1336bf94

      SHA256

      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

      SHA512

      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

      Filesize

      664KB

      MD5

      1f2f26a299287d8353502a9133df4cf1

      SHA1

      ee40f71067f91d23841e2f2f2b178a153e0f4e07

      SHA256

      d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

      SHA512

      135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

      Filesize

      664KB

      MD5

      1f2f26a299287d8353502a9133df4cf1

      SHA1

      ee40f71067f91d23841e2f2f2b178a153e0f4e07

      SHA256

      d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

      SHA512

      135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

      Filesize

      664KB

      MD5

      1f2f26a299287d8353502a9133df4cf1

      SHA1

      ee40f71067f91d23841e2f2f2b178a153e0f4e07

      SHA256

      d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

      SHA512

      135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

    • memory/2400-149-0x0000000004DD0000-0x00000000053F8000-memory.dmp

      Filesize

      6.2MB

    • memory/2400-160-0x0000000007100000-0x000000000710A000-memory.dmp

      Filesize

      40KB

    • memory/2400-155-0x0000000006F40000-0x0000000006F72000-memory.dmp

      Filesize

      200KB

    • memory/2400-164-0x0000000007320000-0x0000000007328000-memory.dmp

      Filesize

      32KB

    • memory/2400-163-0x00000000073D0000-0x00000000073EA000-memory.dmp

      Filesize

      104KB

    • memory/2400-144-0x00000000046F0000-0x0000000004726000-memory.dmp

      Filesize

      216KB

    • memory/2400-162-0x00000000072E0000-0x00000000072EE000-memory.dmp

      Filesize

      56KB

    • memory/2400-161-0x0000000007330000-0x00000000073C6000-memory.dmp

      Filesize

      600KB

    • memory/2400-156-0x000000006FE20000-0x000000006FE6C000-memory.dmp

      Filesize

      304KB

    • memory/2400-159-0x00000000070A0000-0x00000000070BA000-memory.dmp

      Filesize

      104KB

    • memory/2400-150-0x0000000004CF0000-0x0000000004D12000-memory.dmp

      Filesize

      136KB

    • memory/2400-151-0x0000000005400000-0x0000000005466000-memory.dmp

      Filesize

      408KB

    • memory/2400-158-0x00000000076F0000-0x0000000007D6A000-memory.dmp

      Filesize

      6.5MB

    • memory/2400-157-0x0000000006350000-0x000000000636E000-memory.dmp

      Filesize

      120KB

    • memory/2400-154-0x0000000005D90000-0x0000000005DAE000-memory.dmp

      Filesize

      120KB

    • memory/3392-153-0x00000000068E0000-0x00000000068EA000-memory.dmp

      Filesize

      40KB

    • memory/3648-130-0x0000000000BE0000-0x0000000000C8C000-memory.dmp

      Filesize

      688KB

    • memory/4964-132-0x0000000000400000-0x000000000048C000-memory.dmp

      Filesize

      560KB

    • memory/4964-134-0x0000000005A70000-0x0000000006014000-memory.dmp

      Filesize

      5.6MB

    • memory/4964-138-0x0000000006C00000-0x0000000006C3C000-memory.dmp

      Filesize

      240KB

    • memory/4964-135-0x0000000005560000-0x00000000055F2000-memory.dmp

      Filesize

      584KB

    • memory/4964-136-0x0000000005900000-0x0000000005966000-memory.dmp

      Filesize

      408KB

    • memory/4964-137-0x0000000006690000-0x00000000066A2000-memory.dmp

      Filesize

      72KB