Overview

overview

10

Static

static

c3fc5c1cd6...48.exe

windows7_x64

10

c3fc5c1cd6...48.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    68s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe

  • Size

    617KB

  • MD5

    7ca7553bd7447c208b5ef00e7374cb44

  • SHA1

    2718e5d21d8f12748f8353cd5574554c654f82a0

  • SHA256

    c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

  • SHA512

    472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Score
10/10
quasarvenomratwindows defender security hostevasionpersistenceratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security Host

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_s1ArJSYbui8dt0HUpJ

Attributes
  • encryption_key

    8gl4TCjsLQUmqCIxalku

  • install_name

    Windows Defender Security Host.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Security Host

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
    "C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
      "C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe"
      2⤵
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2280
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1504
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYy0xuDJaWKm.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3604
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
                PID:3312
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:2148
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1980
              5⤵
              • Program crash
              PID:2240
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2560
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
      1⤵
        PID:5024

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security Host.exe.log
        Filesize

        507B

        MD5

        76ffb2f33cb32ade8fc862a67599e9d8

        SHA1

        920cc4ab75b36d2f9f6e979b74db568973c49130

        SHA256

        f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

        SHA512

        f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe.log
        Filesize

        507B

        MD5

        76ffb2f33cb32ade8fc862a67599e9d8

        SHA1

        920cc4ab75b36d2f9f6e979b74db568973c49130

        SHA256

        f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

        SHA512

        f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\KYy0xuDJaWKm.bat
        Filesize

        231B

        MD5

        59679caf3413d97d4900896af82244e2

        SHA1

        3d106fd60329b509b47c224b9492a1744e78b74f

        SHA256

        79c451278795d398209acdd6c05410282482c8b49bd604ed2f07cbadd797f3e1

        SHA512

        bd040d36baf1e75c75f3041b14d1178029a92c1a082151ed3fe7df2cc696d06fd6fd0f46e002f4d8b6e20f1049dbf45524e119ee2c1e3eaa234a80cb4f3b0c96

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        617KB

        MD5

        7ca7553bd7447c208b5ef00e7374cb44

        SHA1

        2718e5d21d8f12748f8353cd5574554c654f82a0

        SHA256

        c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

        SHA512

        472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        617KB

        MD5

        7ca7553bd7447c208b5ef00e7374cb44

        SHA1

        2718e5d21d8f12748f8353cd5574554c654f82a0

        SHA256

        c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

        SHA512

        472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        617KB

        MD5

        7ca7553bd7447c208b5ef00e7374cb44

        SHA1

        2718e5d21d8f12748f8353cd5574554c654f82a0

        SHA256

        c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

        SHA512

        472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

        Download Submit

      • memory/1468-132-0x00000000058D0000-0x0000000005962000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1468-133-0x0000000005970000-0x0000000005A0C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1468-130-0x0000000000D60000-0x0000000000E02000-memory.dmp

        Filesize

        648KB

        Download

      • memory/1468-131-0x0000000005DE0000-0x0000000006384000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2560-158-0x0000000006240000-0x000000000625E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2560-151-0x0000000005530000-0x0000000005552000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2560-167-0x0000000007300000-0x000000000730E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2560-166-0x0000000007340000-0x00000000073D6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2560-165-0x0000000007140000-0x000000000714A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2560-149-0x0000000004820000-0x0000000004856000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-150-0x0000000004E90000-0x00000000054B8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2560-152-0x0000000005690000-0x00000000056F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2560-153-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2560-163-0x00000000070C0000-0x00000000070DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2560-162-0x0000000007700000-0x0000000007D7A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2560-156-0x0000000006270000-0x00000000062A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2560-157-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3576-135-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/3576-137-0x0000000005A30000-0x0000000005A96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3576-138-0x0000000005700000-0x0000000005712000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3576-139-0x0000000006B60000-0x0000000006B9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4604-155-0x0000000006E70000-0x0000000006E7A000-memory.dmp

        Filesize

        40KB

        Download