Analysis
-
max time kernel
108s -
max time network
138s -
platform
windows10-1703_x64 -
resource
win10-20220718-en -
resource tags
-
submitted
26-07-2022 23:18
General
-
Target
c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe
-
Size
879KB
-
MD5
3295138274c034c16522257d6c18f225
-
SHA1
6f93c0800221d86ec8de5636195383f91cb9a336
-
SHA256
c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b
-
SHA512
7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3
Malware Config
Extracted
quasar
2.1.0.0
Bomboclat
185.236.78.58:4782
VNM_MUTEX_mtYiaCcGzveD5dsvgE
-
encryption_key
1WEWg6889GqBWLC1XKxQ
-
install_name
WndowsSecurityUpdate.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Wndows Dfender Update Startup
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 4 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe"C:\Users\Admin\AppData\Local\Temp\c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe"{path}"2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Wndows Dfender Update Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe"C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe"{path}"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Wndows Dfender Update Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B7835FV4VeOS.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe"C:\Users\Admin\AppData\Local\Temp\c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b.exe"{path}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c3cc52ccca9ff2b6fa8d267fc350ca6b
SHA1a68d4028333296d222e4afd75dea36fdc98d05f3
SHA2563125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
SHA512b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
-
Filesize
1KB
MD5c3cc52ccca9ff2b6fa8d267fc350ca6b
SHA1a68d4028333296d222e4afd75dea36fdc98d05f3
SHA2563125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
SHA512b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
-
Filesize
261B
MD5671cfb124cf3c1b68becb68a35d1559d
SHA1409e3ba46c2421a500aa56bda3f6d5564d2fc25b
SHA2569fc44cc9cebc3fc1e2f936364c64ccbd3b8255da400e1bcd13b313cc073ca40e
SHA5128ea4f178a1791a19186a470b654604d3084b82f27518e01eb56cd7e7229e0545e0e256dff0e5906949686a6107fed90818ee271ec1fd5ae76acb1cb66eaeec5b
-
Filesize
879KB
MD53295138274c034c16522257d6c18f225
SHA16f93c0800221d86ec8de5636195383f91cb9a336
SHA256c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b
SHA5127fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3
-
Filesize
879KB
MD53295138274c034c16522257d6c18f225
SHA16f93c0800221d86ec8de5636195383f91cb9a336
SHA256c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b
SHA5127fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3
-
Filesize
879KB
MD53295138274c034c16522257d6c18f225
SHA16f93c0800221d86ec8de5636195383f91cb9a336
SHA256c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b
SHA5127fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3
-
-
-
Filesize
472KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
204KB
-
Filesize
592KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
660KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
104KB
-
-
Filesize
32KB
-
-
Filesize
1.6MB
-
Filesize
752KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
904KB
-
Filesize
5.0MB
-
Filesize
1.6MB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
624KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
728KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
-
-
Filesize
728KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
-
-
-
-