Overview

overview

10

Static

static

8349f7ac2a...a2.exe

windows7_x64

10

8349f7ac2a...a2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    83s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe

  • Size

    618KB

  • MD5

    b4a017055a4928d2c8d7261285f9bda9

  • SHA1

    4987b49f51a86f302d77f48c542e270952242b13

  • SHA256

    8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

  • SHA512

    c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

Score
10/10
quasarvenomratwindows defender security hostevasionpersistenceratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security Host

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_s1ArJSYbui8dt0HUpJ

Attributes
  • encryption_key

    8gl4TCjsLQUmqCIxalku

  • install_name

    Windows Defender Security Host.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Security Host

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 8 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 8 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
    "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
      "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
      2⤵
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1700
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
          4⤵
          • Executes dropped EXE
          PID:1336
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
          4⤵
          • Executes dropped EXE
          PID:1016
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:988
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\g6y0ASXYmC0g.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:1540
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:1380
            • C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
              "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
              4⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1688
              • C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
                "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:952

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\g6y0ASXYmC0g.bat
        Filesize

        261B

        MD5

        46530d655e77cc6c47e0c96d20c61914

        SHA1

        5116da87413c5485a6bce82094155f25d23b7068

        SHA256

        67f0daf1429a3c32d47008cdcaaa2b957d70f50097e0084339a2b7f9c9d2e92d

        SHA512

        7e1527e517bbb8ec4f3de3ac281f82b784cbee7e69f061cf8cd6134e932e00f3c6e80081858bdceace361874c5c218daedd0c7e35c1c96b61bfab789d584ca45

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        618KB

        MD5

        b4a017055a4928d2c8d7261285f9bda9

        SHA1

        4987b49f51a86f302d77f48c542e270952242b13

        SHA256

        8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

        SHA512

        c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        618KB

        MD5

        b4a017055a4928d2c8d7261285f9bda9

        SHA1

        4987b49f51a86f302d77f48c542e270952242b13

        SHA256

        8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

        SHA512

        c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        618KB

        MD5

        b4a017055a4928d2c8d7261285f9bda9

        SHA1

        4987b49f51a86f302d77f48c542e270952242b13

        SHA256

        8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

        SHA512

        c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        618KB

        MD5

        b4a017055a4928d2c8d7261285f9bda9

        SHA1

        4987b49f51a86f302d77f48c542e270952242b13

        SHA256

        8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

        SHA512

        c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

        Download Submit

      • \Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        Filesize

        618KB

        MD5

        b4a017055a4928d2c8d7261285f9bda9

        SHA1

        4987b49f51a86f302d77f48c542e270952242b13

        SHA256

        8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

        SHA512

        c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

        Download Submit

      • memory/276-62-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/276-57-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/276-65-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/276-67-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/276-58-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/276-61-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/276-60-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1036-74-0x0000000000A90000-0x0000000000B32000-memory.dmp

        Filesize

        648KB

        Download

      • memory/1648-90-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2020-56-0x0000000000560000-0x000000000056A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2020-54-0x0000000001360000-0x0000000001402000-memory.dmp

        Filesize

        648KB

        Download

      • memory/2020-55-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

        Filesize

        8KB

        Download