Analysis
max time kernel: 63s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-10-2022 06:20
Static task: static1
Behavioral task: behavioral1
Sample: dac30ab400ec6be2daa29718ea6d0a3e.exe
Resource: win7-20220812-en
General
Target: dac30ab400ec6be2daa29718ea6d0a3e.exe
Size: 867KB
MD5: dac30ab400ec6be2daa29718ea6d0a3e
SHA1: 06320ebc648623885645657fd2a72a728f2441cd
SHA256: 93361aea837c73c75f9067700572262e69d1cfbfa6634e7ea8f249701e1fdebb
SHA512: 67f360d49625822199c133981c4077d88d9ec2347386858f33d08d6b6f37c15af0c56cf9772e0fb819072ab4b63b13eb334237ccd727ce91cad9b68ab47ec58c
SSDEEP: 12288:3ARp0gFW4q6AD9/Gz8hQOFPA/OcMowPzQvEXpqCctQHNM:2igFW4qbx/GY7Y/jw7tICct4a
Malware Config
Extracted
Family: quasar
Version: 2.1.0.0
Botnet: asdf
C2: checkme12.freeddns.org:1604
Mutex: VNM_MUTEX_yidaALoSEROfTPWHwX
encryption_key: TbfVFQWqb0uiZoBjJ9E9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnect attempts)
startup_key: Venom Client Startup
subdirectory: UPX
The extracted values line up with the behaviour recorded further down: the dropped binary lands at %APPDATA%\UPX\Client.exe (subdirectory + install_name) and the scheduled task is named after startup_key. The VNM_MUTEX_ prefix and the "Venom Client Startup" name are characteristic of the Venom RAT fork of Quasar, which the extractor reports under the quasar family. The C2 host is a free dynamic-DNS name (freeddns.org), so block on the hostname and port rather than on whatever IP it resolved to during the run.
Signatures

Contains code to disable Windows Defender (2 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
YARA rule matches:
  behavioral2/memory/4628-134-0x0000000000000000-mapping.dmp  disable_win_def
  behavioral2/memory/4628-135-0x0000000000400000-0x000000000048C000-memory.dmp  disable_win_def
Registry changes (all made by RegSvcs.exe, PID 4628):
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
The writer is the 32-bit RegSvcs.exe from Framework\v4.0.30319 (not Framework64), which is why the policy path is recorded under the WOW6432Node view. These are the Defender Group Policy override values; set to 1 they switch off behaviour monitoring, on-access protection and the scan that normally runs when real-time protection is re-enabled. Both the YARA hits and the registry writes belong to PID 4628, not to the sample's own process, so a detection keyed on the original file name would miss them.
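The registry rows above are what a detection should key on. The following Python is an added example, not part of the sandbox report: it scans constructed Sysmon Event ID 13 (RegistryEvent, value set) records shaped after the three "Set value" rows and flags any Defender real-time-protection policy value written as a non-zero DWORD, ignoring key creation, resets to 0 and writes elsewhere. The Sysmon field names, the benign contrast records and the svchost PID are this example's own assumptions.

```python
"""Flag registry writes that switch off Microsoft Defender real-time protection.

Added example, not code from the sandbox report. Input records are constructed
to look like Sysmon Event ID 13 (RegistryEvent: Value Set) entries; key paths
and data for the three RegSvcs.exe rows come from the report, the remaining
records are invented for contrast.
"""
import re

# Match the policy key with or without the WOW6432Node view: the report shows
# the 32-bit view because the writer is the 32-bit RegSvcs.exe.
_RTP_VALUE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\([^\\]+)$",
    re.IGNORECASE,
)

# Policy values that disable a real-time capability when set to 1 (lower-cased
# for case-insensitive comparison).
TAMPER_VALUES = {
    "disablebehaviormonitoring",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
    "disablerealtimemonitoring",
    "disableioavprotection",
}


def parse_dword(details):
    """Sysmon renders a DWORD as 'DWORD (0x00000001)'; the sandbox prints '1'.
    Returns None when the data carries no integer."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"-?\d+", details)
    return int(m.group()) if m else None


def detect_defender_tamper(events):
    """One finding per Defender real-time policy value set to a non-zero DWORD.
    Key creations (Event ID 12), resets to 0 and unrelated paths are ignored."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # only 'value set' events
            continue
        target = ev.get("TargetObject", "")
        m = _RTP_VALUE.search(target)
        if not m or m.group(1).lower() not in TAMPER_VALUES:
            continue
        data = parse_dword(ev.get("Details", ""))
        if not data:                          # 0 or unparsable: not a disable
            continue
        findings.append({
            "pid": ev.get("ProcessId"),
            "image": ev.get("Image"),
            "value": m.group(1),
            "data": data,
            "wow64_view": "\\WOW6432Node\\" in target,
        })
    return findings


_REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
_RTP32 = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
_RTP64 = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 12, "ProcessId": 4628, "Image": _REGSVCS,            # key create: ignored
     "TargetObject": _RTP32, "Details": ""},
    {"EventID": 13, "ProcessId": 4628, "Image": _REGSVCS,
     "TargetObject": _RTP32 + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 4628, "Image": _REGSVCS,
     "TargetObject": _RTP32 + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 4628, "Image": _REGSVCS,
     "TargetObject": _RTP32 + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 1120, "Image": r"C:\Windows\System32\svchost.exe",   # reset to 0
     "TargetObject": _RTP64 + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 4628, "Image": _REGSVCS,            # unrelated value
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "C:\\Users\\Admin\\AppData\\Roaming\\UPX\\Client.exe"},
]

if __name__ == "__main__":
    for f in detect_defender_tamper(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']} set {f['value']}={f['data']} wow64={f['wow64_view']}")
```

The writer's image is returned with each finding so a rule can add a second condition: a signed .NET utility such as RegSvcs.exe has no reason to touch Defender policy keys, which is a stronger signal than the value name alone.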
Quasar payload (2 IoCs)
YARA rule matches:
  behavioral2/memory/4628-134-0x0000000000000000-mapping.dmp  family_quasar
  behavioral2/memory/4628-135-0x0000000000400000-0x000000000048C000-memory.dmp  family_quasar

Executes dropped EXE (1 IoC)
  PID 884  Client.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 15  ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  PID 696 (dac30ab400ec6be2daa29718ea6d0a3e.exe) set thread context of PID 4628 (procid_target 81)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4576  schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID 1360  PING.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 3192  powershell.exe  (2 events)
  PID 4628  RegSvcs.exe  (7 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 4628  RegSvcs.exe
  Token: SeDebugPrivilege  PID 3192  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 696  dac30ab400ec6be2daa29718ea6d0a3e.exe

Suspicious use of WriteProcessMemory (35 IoCs)
source PID -> target PID  (source image, procid_target, number of events)
  696 -> 4628   dac30ab400ec6be2daa29718ea6d0a3e.exe, 81, 8 events
  4628 -> 4576  RegSvcs.exe, 85, 3 events
  4628 -> 884   RegSvcs.exe, 87, 3 events
  4628 -> 3192  RegSvcs.exe, 89, 3 events
  4628 -> 4300  RegSvcs.exe, 94, 3 events
  4300 -> 1960  cmd.exe, 96, 3 events
  4628 -> 4784  RegSvcs.exe, 98, 3 events
  4784 -> 820   cmd.exe, 100, 3 events
  4784 -> 1360  cmd.exe, 101, 3 events
  4784 -> 1696  cmd.exe, 102, 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\dac30ab400ec6be2daa29718ea6d0a3e.exe (PID 696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dac30ab400ec6be2daa29718ea6d0a3e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4628)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Modifies Windows Defender Real-time Protection settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 4576)
      Command line: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\UPX\Client.exe (PID 884)
      Command line: "C:\Users\Admin\AppData\Roaming\UPX\Client.exe"
      - Executes dropped EXE
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3192)
      Command line: "powershell" Get-MpPreference -verbose
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (PID 4300)
      Command line: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1960)
        Command line: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    C:\Windows\SysWOW64\cmd.exe (PID 4784)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v8mvSo8j2hYg.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com (PID 820)
        Command line: chcp 65001
      C:\Windows\SysWOW64\PING.EXE (PID 1360)
        Command line: ping -n 10 localhost
        - Runs ping.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1696)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Reading the tree: the sample (PID 696) starts RegSvcs.exe, a signed 32-bit .NET Framework utility, with no arguments (on its own it would just print usage and exit), then writes into it eight times and resets its thread context. That is the process-hollowing pattern, and it is why the Quasar and Defender-tampering YARA hits are on PID 4628's memory rather than on the sample. From inside RegSvcs.exe the RAT registers the "Venom Client Startup" task to run RegSvcs.exe at every logon with the highest privilege level available to the user (/rl HIGHEST), runs the dropped %APPDATA%\UPX\Client.exe, reads Defender's current settings with Get-MpPreference (a query, not a change; the changes are the policy values recorded under Signatures), wipes %TEMP%, and finally runs a batch file that switches the console to UTF-8 (chcp 65001), sleeps for roughly ten seconds (ping -n 10 localhost) and launches a fresh RegSvcs.exe (PID 1696). The ping-then-relaunch batch matches the restart stub Quasar's client writes; note that the task's /tr target is the legitimate RegSvcs.exe path, so the persistence only works while the hollowed host can be re-populated, and the task itself does not carry the payload.
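The shape of that tree is reproducible from process telemetry alone. The following Python is an added example, not code from the report or from Quasar: it walks a list of process records constructed from the PIDs and command lines above and pulls out the three install behaviours, a .NET host binary started with an empty argument list, a schtasks /create with an ONLOGON trigger pointing at such a binary, and a cmd.exe running a .bat out of %TEMP% whose children are a ping sleep and a relaunch. The record fields (pid, ppid, image, cmdline), the host-binary list and the parent PID of the sample are this example's own assumptions.

```python
"""Triage a recorded process tree for the Quasar/Venom install pattern.

Added example, not code from the sandbox report. PROCS is constructed from
the PIDs and command lines in the process tree above; the sample's parent
PID (1) and the field names are assumptions of this example.
"""
import re
from collections import defaultdict

_RS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dac30ab400ec6be2daa29718ea6d0a3e.exe"

PROCS = [  # constructed from the report's process tree
    dict(pid=696, ppid=1, image=_SAMPLE, cmdline='"' + _SAMPLE + '"'),
    dict(pid=4628, ppid=696, image=_RS, cmdline='"' + _RS + '"'),
    dict(pid=4576, ppid=4628, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmdline='"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "' + _RS + '" /rl HIGHEST /f'),
    dict(pid=884, ppid=4628, image=r"C:\Users\Admin\AppData\Roaming\UPX\Client.exe",
         cmdline=r'"C:\Users\Admin\AppData\Roaming\UPX\Client.exe"'),
    dict(pid=4300, ppid=4628, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit'),
    dict(pid=4784, ppid=4628, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v8mvSo8j2hYg.bat" "'),
    dict(pid=820, ppid=4784, image=r"C:\Windows\SysWOW64\chcp.com", cmdline="chcp 65001"),
    dict(pid=1360, ppid=4784, image=r"C:\Windows\SysWOW64\PING.EXE", cmdline="ping -n 10 localhost"),
    dict(pid=1696, ppid=4784, image=_RS, cmdline='"' + _RS + '"'),
]

# .NET Framework utilities commonly used as hollowing hosts (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline):
    """Split a Windows command line into quoted-or-bare tokens, quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _opt(cmdline, flag):
    """Value after a schtasks-style switch (quoted or bare); None if absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def hollowed_hosts(procs):
    """Host binaries run with no arguments do nothing useful on their own; with
    the SetThreadContext/WriteProcessMemory rows this is the hollowing shape."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if basename(p["image"]) in DOTNET_HOSTS and len(argv(p["cmdline"])) == 1:
            parent = by_pid.get(p["ppid"])
            hits.append({"pid": p["pid"], "parent": basename(parent["image"]) if parent else None})
    return hits


def logon_persistence(procs):
    """schtasks /create tasks; suspicious when an ONLOGON trigger targets a host
    binary or asks for the highest run level."""
    tasks = []
    for p in procs:
        c = p["cmdline"]
        if basename(p["image"]) != "schtasks.exe" or not re.search(r"/create\b", c, re.IGNORECASE):
            continue
        target = _opt(c, "/tr") or ""
        t = {"pid": p["pid"], "name": _opt(c, "/tn"), "target": target,
             "trigger": (_opt(c, "/sc") or "").upper(), "level": (_opt(c, "/rl") or "").upper()}
        t["suspicious"] = t["trigger"] == "ONLOGON" and (basename(target) in DOTNET_HOSTS or t["level"] == "HIGHEST")
        tasks.append(t)
    return tasks


def restart_stubs(procs):
    """cmd.exe running a .bat from a Temp directory whose children include a
    'ping -n N localhost' sleep and a fresh host binary: the relaunch stub."""
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)
    stubs = []
    for p in procs:
        if basename(p["image"]) != "cmd.exe" or not re.search(r"\\temp\\[^\\]+\.bat", p["cmdline"], re.IGNORECASE):
            continue
        kids = children[p["pid"]]
        slept = any(basename(k["image"]) == "ping.exe"
                    and re.search(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)", k["cmdline"], re.IGNORECASE)
                    for k in kids)
        relaunched = [k["pid"] for k in kids if basename(k["image"]) in DOTNET_HOSTS]
        if slept and relaunched:
            stubs.append({"pid": p["pid"], "relaunched": relaunched})
    return stubs


def triage(procs):
    return {"hollowed_hosts": hollowed_hosts(procs),
            "logon_persistence": logon_persistence(procs),
            "restart_stubs": restart_stubs(procs)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCS), indent=2))
```

Each check is deliberately narrow (empty argument list, ONLOGON plus a host binary, ping plus relaunch under the same cmd.exe) so that an ordinary build server running MSBuild.exe with arguments, or an administrator's logon task for a normal program, does not trip it.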
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 10eab9c2684febb5327b6976f2047587
SHA1: a12ed54146a7f5c4c580416aecb899549712449e
SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Filesize: 216B
MD5: 7ad57d45ccea056eada4e5199eb69c8b
SHA1: fd0654a529df5f1e4519163d3552165d16be38d3
SHA256: f66a53af94370927ffad4d564e3e61dda37839cd48f9ab5bbfb5cef7e76cae24
SHA512: 35a33200429a29f8a6ff9a99df69c754cb2b52fa6bd84c02a026d18184ecd62d461e1405bea2eeea47fa2fc432f2002115c9c6cf06663964aad2761917144049

Filesize: 44KB (listed twice in the report with identical hashes)
MD5: 9d352bc46709f0cb5ec974633a0c3c94
SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b