Analysis

  • max time kernel
    147s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:56

General

  • Target

    735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104.exe

  • Size

    485KB

  • MD5

    320c9b7f61e1a20f89d2b4514d1545f0

  • SHA1

    36d91c66517c404317ddf5b596c4e5f841005c9c

  • SHA256

    735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104

  • SHA512

    65d6d236b510f9cf0273b822c3cdad76afcdc5cb0f4c6dc9a2502eb5ea68238810dbe4c8ec332e36270984d77a1c1a7fe2c444c361f725f8a32ce040f990c276

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_8vaggmzqQMqTBMXSZ7

Attributes
  • encryption_key

    qRvtw4YHx2BDHavO4SeK

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

  • Quasar Payload 3 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with added features such as rootkit and stealer capabilities. The $77- prefix on the dropped $77-Venom.exe is the naming convention of the r77 rootkit that VenomRAT bundles, which hides files and processes whose names start with $77.

  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    Suricata rule match: the sample performed the outbound connectivity check common to RAT families, here the external IP lookup noted below.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a RAT it is equally consistent with drive enumeration for its file manager.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104.exe
    "C:\Users\Admin\AppData\Local\Temp\735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
      "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1168
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4352
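
The signatures and the process tree give concrete indicators to hunt for on other hosts: the $77- prefixed dropped file and its SHA256, the Run-key value named after startup_key, and the C2 host and port. The Go program below is an added example, not part of the sandbox report, that applies those indicators to Sysmon-style JSON events; the field names (EventID, Image, Hashes, TargetObject, DestinationHostname, DestinationPort, QueryName) are Sysmon's, and the six log lines, including the SID and the notepad hash, are constructed to mirror this run rather than captured from it.

```go
package main

// Added example (not part of the sandbox report): applying this report's host and
// network indicators to Sysmon-style JSON events. The sample lines are constructed.
import (
	"encoding/json"
	"fmt"
	"strings"
)

type Event struct {
	EventID             int    `json:"EventID"`
	Image               string `json:"Image"`
	Hashes              string `json:"Hashes"`
	TargetObject        string `json:"TargetObject"`
	DestinationHostname string `json:"DestinationHostname"`
	DestinationPort     int    `json:"DestinationPort"`
	QueryName           string `json:"QueryName"`
}

type Hit struct{ Rule, Evidence string }

// Indicators taken from the report above.
const (
	c2Host        = "myconect.ddns.net"
	c2Port        = 6606
	startupKey    = "Venom Client Startup"
	droppedSHA256 = "4db62762c3c25e877f8968c46246fa4d83cc11bec22e63019ecb3c5b4d1291cf"
	rootkitPrefix = "$77-" // r77 hiding prefix carried by the dropped file name
)

// sha256From pulls the SHA256 out of Sysmon's "MD5=..,SHA256=..,IMPHASH=.." field.
func sha256From(hashes string) string {
	for _, part := range strings.Split(hashes, ",") {
		part = strings.TrimSpace(part)
		if strings.HasPrefix(part, "SHA256=") {
			return strings.ToLower(strings.TrimPrefix(part, "SHA256="))
		}
	}
	return ""
}

// baseName returns the last path or registry-key component.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// Match evaluates one event against the indicators and returns every rule it trips.
func Match(e Event) []Hit {
	var hits []Hit
	switch e.EventID {
	case 1: // process creation
		if strings.HasPrefix(baseName(e.Image), rootkitPrefix) {
			hits = append(hits, Hit{"image name carries r77 $77- hiding prefix", e.Image})
		}
		if sha256From(e.Hashes) == droppedSHA256 {
			hits = append(hits, Hit{"SHA256 of dropped VenomRAT client", e.Image})
		}
	case 3: // network connection
		dst := fmt.Sprintf("%s:%d", e.DestinationHostname, e.DestinationPort)
		if strings.EqualFold(e.DestinationHostname, c2Host) {
			hits = append(hits, Hit{"connection to C2 host", dst})
		} else if e.DestinationPort == c2Port {
			hits = append(hits, Hit{"connection to C2 port (low confidence)", dst})
		}
	case 13: // registry value set
		if strings.Contains(e.TargetObject, `\CurrentVersion\Run\`) && baseName(e.TargetObject) == startupKey {
			hits = append(hits, Hit{"Run-key persistence under startup_key", e.TargetObject})
		}
	case 22: // DNS query
		if strings.EqualFold(e.QueryName, c2Host) {
			hits = append(hits, Hit{"DNS lookup of C2 host", e.QueryName})
		}
	}
	return hits
}

// Scan parses newline-delimited JSON events, skipping lines that do not parse.
func Scan(lines []string) []Hit {
	var all []Hit
	for _, line := range lines {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue
		}
		all = append(all, Match(e)...)
	}
	return all
}

// SampleLog is constructed from the report's process tree and config; the SID and
// the notepad hash are made up.
var SampleLog = []string{
	`{"EventID":1,"Image":"C:\\Users\\Admin\\AppData\\Roaming\\$77-Venom.exe","Hashes":"MD5=2E58A2182D8A2B8160B2BDDADBC362A2,SHA256=4DB62762C3C25E877F8968C46246FA4D83CC11BEC22E63019ECB3C5B4D1291CF"}`,
	`{"EventID":13,"TargetObject":"HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Venom Client Startup"}`,
	`{"EventID":22,"QueryName":"myconect.ddns.net"}`,
	`{"EventID":3,"DestinationHostname":"myconect.ddns.net","DestinationPort":6606}`,
	`{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","Hashes":"SHA256=0000000000000000000000000000000000000000000000000000000000000000"}`,
	`not json at all`,
}

func main() {
	for _, h := range Scan(SampleLog) {
		fmt.Printf("%-45s %s\n", h.Rule, h.Evidence)
	}
}
```

The port-only rule is kept separate and marked low confidence because 6606 is a configurable default shared by many Quasar-family builds; the DNS name from the config is the stronger signal, and if the operator rotates the DDNS name only the two host rules stop firing while the hash, prefix and Run-key rules keep working.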

Downloads

  • C:\Users\Admin\AppData\Roaming\$77-Venom.exe

    Filesize

    534KB

    MD5

    2e58a2182d8a2b8160b2bddadbc362a2

    SHA1

    8edb5e6815452d2c46f4a0b37ec7be9381ad6727

    SHA256

    4db62762c3c25e877f8968c46246fa4d83cc11bec22e63019ecb3c5b4d1291cf

    SHA512

    5e36b421351eddb89583d6c2448524a28d76576aa95ae53809f83afd695a91a68a3213f1cd043aec9f00261e9324a32a4b4b05f1fed477a89efb62c5403e3e35

  • memory/1668-135-0x00000000005D0000-0x000000000065C000-memory.dmp

    Filesize

    560KB

  • memory/1668-136-0x0000000005380000-0x0000000005924000-memory.dmp

    Filesize

    5.6MB

  • memory/1668-137-0x0000000004EF0000-0x0000000004F82000-memory.dmp

    Filesize

    584KB

  • memory/1668-138-0x00000000050D0000-0x0000000005136000-memory.dmp

    Filesize

    408KB

  • memory/1668-139-0x0000000005CF0000-0x0000000005D02000-memory.dmp

    Filesize

    72KB

  • memory/1668-140-0x0000000006120000-0x000000000615C000-memory.dmp

    Filesize

    240KB

  • memory/1668-141-0x00000000062E0000-0x00000000062EA000-memory.dmp

    Filesize

    40KB

  • memory/2272-130-0x0000000074BC0000-0x0000000075171000-memory.dmp

    Filesize

    5.7MB