Overview

overview

10

Static

static

6fb67950f8...ed.exe

windows7_x64

10

6fb67950f8...ed.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fb67950f8de0f87ee4cd34d50d068ee4b5e5418d363a189da0d9949db6be8ed.exe

  • Size

    640KB

  • MD5

    e2afad2e4405ec0c5c22398203a3443d

  • SHA1

    eb212f7682d5fa24f9580aaeeaee6c3b3318f548

  • SHA256

    6fb67950f8de0f87ee4cd34d50d068ee4b5e5418d363a189da0d9949db6be8ed

  • SHA512

    30aa913e09d206d7ed08d0d71e97444fdb350dd2f8d8e382c2c4c4b236196b245a4dc6e229d5c7cad5f1ce0bfba1675cd677f82eb7728f59299922008843b5c3

Score
10/10
quasarvenomratsvhostevasionratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_rHOHbrAQKctPD4d68w

Attributes
  • encryption_key

    rDFwhCyuKMqXO7llDpB2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 6 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fb67950f8de0f87ee4cd34d50d068ee4b5e5418d363a189da0d9949db6be8ed.exe
    "C:\Users\Admin\AppData\Local\Temp\6fb67950f8de0f87ee4cd34d50d068ee4b5e5418d363a189da0d9949db6be8ed.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Roaming\test1.exe
      "C:\Users\Admin\AppData\Roaming\test1.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\test1.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2424
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:816
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1444
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eLi7bmQLrBEk.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:1636
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:4252
            • C:\Users\Admin\AppData\Roaming\test1.exe
              "C:\Users\Admin\AppData\Roaming\test1.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4376
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 1560
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4984

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\test1.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\eLi7bmQLrBEk.bat
        Filesize

        199B

        MD5

        12915625d1d7e411665fde35ead1c485

        SHA1

        447342a467c93d42f9bc89a160928c4cede4e1ed

        SHA256

        0daedbed5f176fb24f94656bee223bb95539ba7eb289a53e5a2e889aabe0d6e5

        SHA512

        523166c6e966a192f809bf86e0b63a418b898e5d05f283d55e1199c12d0483e106d1fd51dd372287a346d7401600916624b02a8d722fafa4b771e2646a8c73b2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        655KB

        MD5

        43e5556cab3ba9cd353b0c6cf1548d75

        SHA1

        64cf51c0d612cb6276e59639071406c1d2e86702

        SHA256

        286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

        SHA512

        edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        655KB

        MD5

        43e5556cab3ba9cd353b0c6cf1548d75

        SHA1

        64cf51c0d612cb6276e59639071406c1d2e86702

        SHA256

        286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

        SHA512

        edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

        Download Submit

      • C:\Users\Admin\AppData\Roaming\test1.exe
        Filesize

        655KB

        MD5

        43e5556cab3ba9cd353b0c6cf1548d75

        SHA1

        64cf51c0d612cb6276e59639071406c1d2e86702

        SHA256

        286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

        SHA512

        edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

        Download Submit

      • C:\Users\Admin\AppData\Roaming\test1.exe
        Filesize

        655KB

        MD5

        43e5556cab3ba9cd353b0c6cf1548d75

        SHA1

        64cf51c0d612cb6276e59639071406c1d2e86702

        SHA256

        286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

        SHA512

        edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

        Download Submit

      • C:\Users\Admin\AppData\Roaming\test1.exe
        Filesize

        655KB

        MD5

        43e5556cab3ba9cd353b0c6cf1548d75

        SHA1

        64cf51c0d612cb6276e59639071406c1d2e86702

        SHA256

        286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

        SHA512

        edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

        Download Submit

      • memory/1444-160-0x00000000070F0000-0x00000000070FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1444-157-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1444-162-0x00000000071E0000-0x00000000071E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1444-161-0x0000000007200000-0x000000000721A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1444-159-0x0000000007140000-0x00000000071D6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1444-158-0x0000000006F30000-0x0000000006F3A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1444-146-0x0000000002280000-0x00000000022B6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1444-147-0x0000000004E90000-0x00000000054B8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1444-148-0x0000000004DF0000-0x0000000004E12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1444-149-0x00000000054C0000-0x0000000005526000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1444-150-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1444-156-0x0000000007500000-0x0000000007B7A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1444-155-0x0000000006170000-0x000000000618E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1444-154-0x0000000072CC0000-0x0000000072D0C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1444-153-0x0000000006B70000-0x0000000006BA2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1820-139-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1820-137-0x0000000004F30000-0x0000000004FC2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1820-138-0x0000000004FD0000-0x0000000005036000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1820-136-0x00000000053C0000-0x0000000005964000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1820-135-0x0000000000230000-0x00000000002DA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/1820-140-0x00000000060F0000-0x000000000612C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2092-130-0x00000000746B0000-0x0000000074C61000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4632-152-0x0000000006470000-0x000000000647A000-memory.dmp

        Filesize

        40KB

        Download