Analysis
- max time kernel: 160s
- max time network: 238s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-05-2022 01:04

Static task: static1
Behavioral task: behavioral1
Sample: e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe
Resource: win7-20220414-en
General
- Target: e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe
- Size: 303KB
- MD5: a500424ebd54b1e006ccad65266562e3
- SHA1: 18be3591da1c3d79aee29026c30c67567e3b2bad
- SHA256: e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c
- SHA512: c197f02534c15b82f81def7d60349fba1e72c0b82d8b11fe64856a7ae7833e9d9d70d723bac8e1809ceda2cc9c76eb87025199230ba08ebc89bde2f6b71931ec
Malware Config

Extracted (quasar)
- encryption_key:
- install_name:
- log_directory:
- reconnect_delay: 3000
- startup_key:
- subdirectory:

Extracted (quasar)
2.1.0.0
Office04
myconect.ddns.net:6606
VNM_MUTEX_bW2Pm17MwUNvIYeCrf
- encryption_key: skMcIyTXgvAaYya6lzLD
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Venom Client Startup
- subdirectory: SubDir
Signatures

- Contains code to disable Windows Defender (4 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource / yara_rule:
    behavioral1/memory/1000-55-0x0000000000DC0000-0x0000000000E4E000-memory.dmp  disable_win_def
    behavioral1/files/0x0009000000008527-62.dat  disable_win_def
    behavioral1/memory/1524-63-0x00000000008F0000-0x000000000097C000-memory.dmp  disable_win_def
    behavioral1/files/0x0009000000008527-60.dat  disable_win_def

- Quasar Payload (4 IoCs)
  resource / yara_rule:
    behavioral1/memory/1000-55-0x0000000000DC0000-0x0000000000E4E000-memory.dmp  family_quasar
    behavioral1/files/0x0009000000008527-62.dat  family_quasar
    behavioral1/memory/1524-63-0x00000000008F0000-0x000000000097C000-memory.dmp  family_quasar
    behavioral1/files/0x0009000000008527-60.dat  family_quasar

- suricata: ET MALWARE Common RAT Connectivity Check Observed

- Executes dropped EXE (1 IoCs)
  pid / Process: 1524 oll0vnyx.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 2 ip-api.com

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (1 IoCs)
  pid / Process: 1172 taskkill.exe

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid / Process: 1524 oll0vnyx.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 1000 e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe (the same entry is repeated 64 times)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
    Token: SeDebugPrivilege  1000 e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe
    Token: SeDebugPrivilege  1172 taskkill.exe
    Token: SeDebugPrivilege  1524 oll0vnyx.exe
    Token: SeDebugPrivilege  1524 oll0vnyx.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
    1000 e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe
    1000 e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / Process / procid_target:
    PID 1000 wrote to memory of 2016  1000 e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe  28
    PID 1000 wrote to memory of 2016  1000 e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe  28
    PID 1000 wrote to memory of 2016  1000 e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe  28
    PID 1368 wrote to memory of 1524  1368 cmd.exe  34
    PID 1368 wrote to memory of 1524  1368 cmd.exe  34
    PID 1368 wrote to memory of 1524  1368 cmd.exe  34
    PID 1368 wrote to memory of 1524  1368 cmd.exe  34
Processes

- C:\Users\Admin\AppData\Local\Temp\e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe"
  PID: 1000
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system32\cmstp.exe
    Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\llzyc3jj.inf
    PID: 2016

- C:\Windows\system32\cmd.exe
  Command line: cmd /c start C:\Windows\temp\oll0vnyx.exe
  PID: 1368
  - Suspicious use of WriteProcessMemory
  - C:\Windows\temp\oll0vnyx.exe
    Command line: C:\Windows\temp\oll0vnyx.exe
    PID: 1524
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskkill.exe
  Command line: taskkill /IM cmstp.exe /F
  PID: 1172
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
Downloads

- Filesize: 534KB
  MD5: e4dc9cb250120aebeee969906d1a7a22
  SHA1: c0f9d3a2531cc25e212d9adbf8614903d8a6247e
  SHA256: 14de179b37e9958b3a1d22f22b0bb545be1cb166aeaf5a4892ccd616ee7e544f
  SHA512: 21461e4fdc16ba99ae24a1f2fa39465678e851591d7402c762a04bf286b9ec8230a0acd147f0c9d54fb6a3428be1851c4d75f46b6cf917a44b3b399e8897667b

- Filesize: 606B
  MD5: ad76f118b0278581d2a703bd00f651f9
  SHA1: 5213ec16e7ee6e501d057df259ca447277757502
  SHA256: b2626c0b59d178165ca851615716fdcad47fc8d87fc32a2ed9b5af0503727398
  SHA512: 248e7d45248a559386d48c87440a7d89d99256aca7dff7e56811a88aed79dbb2cbd191d9feb96b4ed072270beb4d887420fcbbbb3ab4ba6a23a46925cc4e0e4d