Analysis
-
max time kernel
91s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
04-06-2022 19:26
General
-
Target
0x0008000000013a18-65.exe
-
Size
535KB
-
MD5
4d97786ab8047ad6c08532ed7a017573
-
SHA1
a64d07233d813f9a085722295dca62ca726e291a
-
SHA256
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870
-
SHA512
9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2
Malware Config
Extracted
quasar
2.1.0.0
V/R/B
siyatermi.duckdns.org:1518
VNM_MUTEX_mJ6pCWZMe3OMOha5bj
-
encryption_key
g1Bi32PXFGwyBI9DJGTD
-
install_name
Start Process.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Browser Module
-
subdirectory
Sys Resources
Signatures
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar Payload 3 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe"C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe"C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q0FTDFlqjGYl.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe"C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
218B
MD5302d58966603a4015c24984b61702bb4
SHA13c9644bbf7ef131cbe76ea45e4106591ec19813a
SHA25637ebf9eb2c9d56b4b3a1494652cce5aa90b6611409aff48f462af429a2cee2d8
SHA5127b87d73b7f70d119aa03587bd01b8d2c3bf6a13c29ca20a0e073a26d1adb743794b974a7ada0b6a20819f5fa5b3d67f35c2994c0bb41d0c0f34129314fb0a468
-
Filesize
535KB
MD54d97786ab8047ad6c08532ed7a017573
SHA1a64d07233d813f9a085722295dca62ca726e291a
SHA2565a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870
SHA5129224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2
-
Filesize
535KB
MD54d97786ab8047ad6c08532ed7a017573
SHA1a64d07233d813f9a085722295dca62ca726e291a
SHA2565a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870
SHA5129224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2
-
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
56KB
-
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
6.5MB
-
-
-
Filesize
40KB
-
-
-
-
-
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
560KB
-
Filesize
5.6MB
-