Overview

overview

10

Static

static

9956615381...24.exe

windows7_x64

10

9956615381...24.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    54s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824.exe

  • Size

    600KB

  • MD5

    38842bfc2ef9e1a4734a3ac4d4fa0b0d

  • SHA1

    d7702f8f8b6d8baa46c066948b8278bfe868cff5

  • SHA256

    995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

  • SHA512

    067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346

Score
10/10
quasarvenomratwindows securityevasionpersistenceratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XaCO2YtLAsadylDHBP

Attributes
  • encryption_key

    eKgGUbCubcSIafuOAN5V

  • install_name

    windows security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows security

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824.exe
    "C:\Users\Admin\AppData\Local\Temp\995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Users\Admin\AppData\Local\Temp\995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824.exe
      "C:\Users\Admin\AppData\Local\Temp\995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824.exe"
      2⤵
      • Windows security modification
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1780
      • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4340
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2480
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GxIBqO0Bjx5t.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3868
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
                PID:1628
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:1776
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 2224
              5⤵
              • Program crash
              PID:2500
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4340 -ip 4340
      1⤵
        PID:3080

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824.exe.log
        Filesize

        507B

        MD5

        8cf94b5356be60247d331660005941ec

        SHA1

        fdedb361f40f22cb6a086c808fc0056d4e421131

        SHA256

        52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

        SHA512

        b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windows security.exe.log
        Filesize

        507B

        MD5

        8cf94b5356be60247d331660005941ec

        SHA1

        fdedb361f40f22cb6a086c808fc0056d4e421131

        SHA256

        52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

        SHA512

        b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\GxIBqO0Bjx5t.bat
        Filesize

        217B

        MD5

        a143fc184a75653dc3388e9fdb4cd2f4

        SHA1

        5d8449084f74a31fbdbd734eb145b6760050ff3d

        SHA256

        8235ca10580b9cd0323cd23e7ae33b4e93334e6315d3402180365ff2d553e7a6

        SHA512

        8c10b85779e45df9aa5c195b2099a55bb041f91b3c5fc088803e188df19fdd8d4f03f5038f549cb70ba5041adcc6b67fb511b2497141ca3871ce46e6acc25759

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
        Filesize

        600KB

        MD5

        38842bfc2ef9e1a4734a3ac4d4fa0b0d

        SHA1

        d7702f8f8b6d8baa46c066948b8278bfe868cff5

        SHA256

        995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

        SHA512

        067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
        Filesize

        600KB

        MD5

        38842bfc2ef9e1a4734a3ac4d4fa0b0d

        SHA1

        d7702f8f8b6d8baa46c066948b8278bfe868cff5

        SHA256

        995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

        SHA512

        067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
        Filesize

        600KB

        MD5

        38842bfc2ef9e1a4734a3ac4d4fa0b0d

        SHA1

        d7702f8f8b6d8baa46c066948b8278bfe868cff5

        SHA256

        995661538199d5b1f816b33bf4a5b0dc50840e054a14dc54189aa63db3b6b824

        SHA512

        067a32950f8800f2ab64d80c6910abf20e0204457abca4156a5a93624c230720b7904fe48ef26ab2ea15958abdb8a53306513c4db74ca69f02de679c5c360346

        Download Submit

      • memory/2736-130-0x0000000000780000-0x000000000081C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2736-133-0x0000000005340000-0x00000000053DC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2736-132-0x00000000052A0000-0x0000000005332000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2736-131-0x00000000057B0000-0x0000000005D54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4340-161-0x0000000007400000-0x000000000740A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4452-149-0x00000000055E0000-0x0000000005C08000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4452-158-0x0000000007910000-0x000000000791A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4452-151-0x0000000005CC0000-0x0000000005D26000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4452-152-0x00000000065A0000-0x00000000065BE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4452-153-0x0000000006B50000-0x0000000006B82000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4452-154-0x00000000707F0000-0x000000007083C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4452-155-0x0000000006B30000-0x0000000006B4E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4452-157-0x00000000078A0000-0x00000000078BA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4452-156-0x0000000007EE0000-0x000000000855A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4452-150-0x0000000005540000-0x0000000005562000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4452-159-0x0000000007B20000-0x0000000007BB6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4452-144-0x0000000002BF0000-0x0000000002C26000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4452-168-0x0000000006990000-0x0000000006998000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4452-167-0x0000000007B00000-0x0000000007B1A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4452-166-0x00000000069C0000-0x00000000069CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/5036-135-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/5036-137-0x00000000055F0000-0x0000000005656000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5036-138-0x0000000005720000-0x0000000005732000-memory.dmp

        Filesize

        72KB

        Download