Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-05-2022 22:34
General
-
Target
3c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5.exe
-
Size
1.6MB
-
MD5
cef80abf8c3f0cde0085f3253ab0381a
-
SHA1
a7de60994d1c16409700a2deccb6cb1423153967
-
SHA256
3c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5
-
SHA512
80e4a4dad8c49ed24226346ec769ad595e1ffa26c2167ae0e7c622a10e59cf12a2d2ec1486d7cb168cc3df963d2653be3669855ced35b67548e860573b4f850d
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5.exe"C:\Users\Admin\AppData\Local\Temp\3c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5.exe"1⤵
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Computer_Waifu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Computer_Waifu" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SPcoVgDA6uYr.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 22443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 22443⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 44641⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5cef80abf8c3f0cde0085f3253ab0381a
SHA1a7de60994d1c16409700a2deccb6cb1423153967
SHA2563c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5
SHA51280e4a4dad8c49ed24226346ec769ad595e1ffa26c2167ae0e7c622a10e59cf12a2d2ec1486d7cb168cc3df963d2653be3669855ced35b67548e860573b4f850d
-
Filesize
1.6MB
MD5cef80abf8c3f0cde0085f3253ab0381a
SHA1a7de60994d1c16409700a2deccb6cb1423153967
SHA2563c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5
SHA51280e4a4dad8c49ed24226346ec769ad595e1ffa26c2167ae0e7c622a10e59cf12a2d2ec1486d7cb168cc3df963d2653be3669855ced35b67548e860573b4f850d
-
Filesize
199B
MD576c7e3021c794872d8c78d2881f9a38d
SHA1b6bca19080086b68925c74d3243735dd5819fd62
SHA256cefd78f3ce8babf35b2f3b44a4e9451de8277cbcc2d8597b6781a1ef4b615843
SHA5122b0130e005f7f2482e8136d675499fd796b529eafbe113e865cc77f4d312ace850184db0206f400f25171e24e9c75343ca206b0cacc15bbdcbef10d1310d0c7a
-
Filesize
1.6MB
MD5cef80abf8c3f0cde0085f3253ab0381a
SHA1a7de60994d1c16409700a2deccb6cb1423153967
SHA2563c408a0b4fc83fa3e387a1d45e03009340a75b1519529eb55d910e84d9e6bbe5
SHA51280e4a4dad8c49ed24226346ec769ad595e1ffa26c2167ae0e7c622a10e59cf12a2d2ec1486d7cb168cc3df963d2653be3669855ced35b67548e860573b4f850d
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
4.5MB
-
Filesize
5.6MB
-
Filesize
4.5MB
-
-
-
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
6.5MB
-
-
Filesize
120KB
-
-
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
40KB
-
-
-