Overview

overview

10

Static

static

f1f367c2bd...3a.exe

windows7_x64

10

f1f367c2bd...3a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a.exe

  • Size

    709KB

  • MD5

    dbdca8a3ffa33284e03a1a7bd57e12ad

  • SHA1

    facc92651a792c4c8abe606ca47424b4f042224b

  • SHA256

    f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a

  • SHA512

    727cd27bfb0ffc7a9f76fd02417de92a34ef4a1ed341953b1f5c6f78f851c83d5de390d3168df89367196a3de25eb370be1c3867affc94ae6520dff22d36bd94

Score
10/10
quasarvenomratsvhostratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes
  • encryption_key

    yaa63tXY4j55os5llHHd

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 3 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a.exe
    "C:\Users\Admin\AppData\Local\Temp\f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
      "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4260
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\null (2).docx" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:488
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
      PID:4056
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:2832
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3796

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
        Filesize

        534KB

        MD5

        84c1dc6b428904cc2a6746653849df0f

        SHA1

        5cce4078427481f4d7456b5a4f3930ae6e706fb4

        SHA256

        bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

        SHA512

        3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

        Download Submit

      • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
        Filesize

        534KB

        MD5

        84c1dc6b428904cc2a6746653849df0f

        SHA1

        5cce4078427481f4d7456b5a4f3930ae6e706fb4

        SHA256

        bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

        SHA512

        3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

        Download Submit

      • C:\Users\Admin\AppData\Roaming\null (2).docx
        Filesize

        2KB

        MD5

        b73ace90e3fbada0e8baa0d47b2cbd6f

        SHA1

        2147bfa5d92cb0c3fd296e7c90befa08564240a6

        SHA256

        94f271283b679ee024724d1aee0f4ead90ce56fb67813b5e0cbc082091fbe364

        SHA512

        d1a9d73fca25a73782bd0170937225afdb402a354a7fb6ea308114e276aed7f77ef211c458dd03292d2e90cd1d61976340396540ac410d452bda363f6d2ee157

        Download Submit

      • memory/488-142-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-140-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-152-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-145-0x00007FFE35080000-0x00007FFE35090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-154-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-138-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-139-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-151-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-141-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-153-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/488-143-0x00007FFE35080000-0x00007FFE35090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3796-155-0x00000151CDA40000-0x00000151CDA50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3796-156-0x00000151CDB40000-0x00000151CDB50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4260-144-0x0000000005620000-0x0000000005686000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4260-149-0x0000000006960000-0x000000000696A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4260-147-0x0000000006660000-0x000000000669C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4260-146-0x0000000006230000-0x0000000006242000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4260-137-0x0000000005230000-0x00000000052C2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4260-136-0x00000000058D0000-0x0000000005E74000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4260-135-0x0000000000910000-0x000000000099C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/4508-130-0x0000000074F30000-0x00000000754E1000-memory.dmp

        Filesize

        5.7MB

        Download