Overview

overview

10

Static

static

ce140c5a41...82.exe

windows7_x64

10

ce140c5a41...82.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982.exe

  • Size

    618KB

  • MD5

    813f353b1285bcaea41f868746ab9fdd

  • SHA1

    301209445bdfd758b1f647bdbcf1609ee07296e7

  • SHA256

    ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

  • SHA512

    1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

Score
10/10
quasarvenomratwindows defender securityevasionpersistenceratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XoAJ77Kcpkuyjz4MJK

Attributes
  • encryption_key

    5nIMwmTRG5wyVhouaxGb

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Security

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982.exe
    "C:\Users\Admin\AppData\Local\Temp\ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982.exe
      "C:\Users\Admin\AppData\Local\Temp\ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982.exe"
      2⤵
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1800
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1464
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Defender Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4044
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nHLHH29XMrUA.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3264
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
                PID:3996
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:1224
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1980
              5⤵
              • Program crash
              PID:3192
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1464 -ip 1464
      1⤵
        PID:4000

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nHLHH29XMrUA.bat
        Filesize

        226B

        MD5

        5a5d2d1b7490f2bcd2f48fffb45fe3e5

        SHA1

        dfd8040de2712aa14607a1dd51a3924f996d34ad

        SHA256

        9f8897ffdebd53b1e3e7b5b14b0eef9df940c913aa83b38addb414734418907b

        SHA512

        7b243a30b158768a0ddeb63077678ba769344ab83c58a3db944e428d6b3286e08d19d0a8b8f84cd69f8aafb5eec92cb839e1653a3b25bf713a65ce4be9988039

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        618KB

        MD5

        813f353b1285bcaea41f868746ab9fdd

        SHA1

        301209445bdfd758b1f647bdbcf1609ee07296e7

        SHA256

        ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

        SHA512

        1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        618KB

        MD5

        813f353b1285bcaea41f868746ab9fdd

        SHA1

        301209445bdfd758b1f647bdbcf1609ee07296e7

        SHA256

        ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

        SHA512

        1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        618KB

        MD5

        813f353b1285bcaea41f868746ab9fdd

        SHA1

        301209445bdfd758b1f647bdbcf1609ee07296e7

        SHA256

        ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982

        SHA512

        1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38

        Download Submit

      • memory/1224-156-0x0000000000000000-mapping.dmp

        Download

      • memory/1464-150-0x0000000006B10000-0x0000000006B1A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1464-147-0x0000000006790000-0x00000000067CC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1464-142-0x0000000000000000-mapping.dmp

        Download

      • memory/1800-138-0x0000000000000000-mapping.dmp

        Download

      • memory/1992-137-0x0000000005690000-0x00000000056A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1992-136-0x0000000005550000-0x00000000055B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1992-135-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/1992-134-0x0000000000000000-mapping.dmp

        Download

      • memory/2216-139-0x0000000000000000-mapping.dmp

        Download

      • memory/3264-153-0x0000000000000000-mapping.dmp

        Download

      • memory/3540-130-0x0000000000E40000-0x0000000000EE2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/3540-133-0x0000000005850000-0x00000000058EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3540-132-0x00000000057B0000-0x0000000005842000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3540-131-0x0000000005C40000-0x00000000061E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3584-145-0x0000000000000000-mapping.dmp

        Download

      • memory/3584-151-0x0000000005250000-0x0000000005272000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3584-152-0x0000000005B80000-0x0000000005BE6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3584-149-0x0000000005550000-0x0000000005B78000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3584-146-0x00000000028E0000-0x0000000002916000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3584-157-0x0000000004FC0000-0x0000000004FDE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3584-158-0x0000000006750000-0x0000000006782000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3584-159-0x000000006F970000-0x000000006F9BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3584-160-0x0000000006730000-0x000000000674E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3996-155-0x0000000000000000-mapping.dmp

        Download

      • memory/4044-148-0x0000000000000000-mapping.dmp

        Download