Overview

overview

10

Static

static

3295138274...25.exe

windows7-x64

10

3295138274...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2022, 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3295138274c034c16522257d6c18f225.exe

  • Size

    879KB

  • MD5

    3295138274c034c16522257d6c18f225

  • SHA1

    6f93c0800221d86ec8de5636195383f91cb9a336

  • SHA256

    c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

  • SHA512

    7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

Score
10/10
quasarvenomratbomboclatevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Bomboclat

C2

185.236.78.58:4782

Mutex

VNM_MUTEX_mtYiaCcGzveD5dsvgE

Attributes
  • encryption_key

    1WEWg6889GqBWLC1XKxQ

  • install_name

    WndowsSecurityUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Wndows Dfender Update Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
    "C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
      "{path}"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Wndows Dfender Update Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4752
      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Wndows Dfender Update Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:4192
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqyhUkUyNU4S.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:432
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:2228
            • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
              "C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe"
              4⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4012
              • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
                "{path}"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:852

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3295138274c034c16522257d6c18f225.exe.log
        Filesize

        1KB

        MD5

        84e77a587d94307c0ac1357eb4d3d46f

        SHA1

        83cc900f9401f43d181207d64c5adba7a85edc1e

        SHA256

        e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

        SHA512

        aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WndowsSecurityUpdate.exe.log
        Filesize

        1KB

        MD5

        84e77a587d94307c0ac1357eb4d3d46f

        SHA1

        83cc900f9401f43d181207d64c5adba7a85edc1e

        SHA256

        e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

        SHA512

        aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JqyhUkUyNU4S.bat
        Filesize

        229B

        MD5

        45ec7ce75c944ecab4ce42bb9cbc28ea

        SHA1

        d081dd0659ac3c6162e8b35f08d6b7489eedf2cb

        SHA256

        31af96e79971f51f22321f7fb1c9e99dbb37be7db2a9e97934a303542b693c3c

        SHA512

        8e6f16ab1af6fd143d452cc4eda4ed6821582e1caad7828cc82201d441d06cbc3788537d88317f2aafa4c8030948495c7726b936410ad42988fbd6d530f38821

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • memory/532-138-0x0000000005720000-0x0000000005786000-memory.dmp

        Filesize

        408KB

        Download

      • memory/532-139-0x0000000006370000-0x0000000006382000-memory.dmp

        Filesize

        72KB

        Download

      • memory/532-140-0x00000000068E0000-0x000000000691C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/532-136-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/908-130-0x0000000000850000-0x0000000000932000-memory.dmp

        Filesize

        904KB

        Download

      • memory/908-134-0x00000000052D0000-0x00000000052DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/908-133-0x0000000005410000-0x00000000054AC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/908-132-0x0000000005330000-0x00000000053C2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/908-131-0x00000000059C0000-0x0000000005F64000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1688-150-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1688-160-0x00000000071D0000-0x00000000071D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1688-151-0x0000000006190000-0x00000000061C2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1688-152-0x0000000070070000-0x00000000700BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1688-153-0x0000000006170000-0x000000000618E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1688-154-0x0000000007500000-0x0000000007B7A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1688-155-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1688-156-0x0000000006F20000-0x0000000006F2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1688-157-0x0000000007130000-0x00000000071C6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1688-158-0x00000000070E0000-0x00000000070EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1688-159-0x00000000071F0000-0x000000000720A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1688-149-0x0000000004C90000-0x0000000004CF6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1688-146-0x00000000022B0000-0x00000000022E6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1688-147-0x0000000004DF0000-0x0000000005418000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1688-148-0x0000000004BF0000-0x0000000004C12000-memory.dmp

        Filesize

        136KB

        Download