Overview

overview

10

Static

static

079f023a20...f3.exe

windows7-x64

10

079f023a20...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe

  • Size

    659KB

  • MD5

    426930b11ed1690067b11e518ea7f821

  • SHA1

    d5dc533365b757ec442ab28b96602dc9f505e876

  • SHA256

    079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3

  • SHA512

    8a913006aa89eb4f3da5727ddece1185d3fdf8032f575f053b410d99752b9f497c629c68e4253b788e18dc5abb43295ff39bd7e3fd626ab0e7a4684169996231

  • SSDEEP

    12288:NlGTddXPvxy4jZZ8vDc6h3iUhFbAsUMdzxP0V2t5fI44FPTZFyd:vwdtvxy4jZ+vDc05hFXxxEIfhe7yd

Score
10/10
quasarvenomrathackedevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

hacked

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_0Ae9WwC7TPO9smz3BJ

Attributes
  • encryption_key

    jCEkwlvO5Scyan0S8vZo

  • install_name

    Windows Security Health Service.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe
    "C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe
      "C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4844
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:428
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:3904
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:4188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3iOoEgWF2nhh.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4216
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:3596
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:1340
            • C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe
              "C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe"
              4⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1928
              • C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe
                "C:\Users\Admin\AppData\Local\Temp\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1516

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3.exe.log
        Filesize

        507B

        MD5

        76ffb2f33cb32ade8fc862a67599e9d8

        SHA1

        920cc4ab75b36d2f9f6e979b74db568973c49130

        SHA256

        f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

        SHA512

        f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security Health Service.exe.log
        Filesize

        507B

        MD5

        76ffb2f33cb32ade8fc862a67599e9d8

        SHA1

        920cc4ab75b36d2f9f6e979b74db568973c49130

        SHA256

        f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

        SHA512

        f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3iOoEgWF2nhh.bat
        Filesize

        261B

        MD5

        f0c11cf6cb281f11a66fe95e5d4eedc8

        SHA1

        4c2956b691c3e6759972d81906dd17b44fad7f43

        SHA256

        83edb088646398bd2eca5fcefdbf40a3e478f0c2523ecba868a1c164788bca8a

        SHA512

        3553da79f2e87263e6a0f4f90b0c03ac349036bc8b015ee424e954daa0783bf586f3dbc5037b2e7e1484921c5f2fb5c416a6b82a9a692ac3751dc71a0a8ece4b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
        Filesize

        659KB

        MD5

        426930b11ed1690067b11e518ea7f821

        SHA1

        d5dc533365b757ec442ab28b96602dc9f505e876

        SHA256

        079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3

        SHA512

        8a913006aa89eb4f3da5727ddece1185d3fdf8032f575f053b410d99752b9f497c629c68e4253b788e18dc5abb43295ff39bd7e3fd626ab0e7a4684169996231

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
        Filesize

        659KB

        MD5

        426930b11ed1690067b11e518ea7f821

        SHA1

        d5dc533365b757ec442ab28b96602dc9f505e876

        SHA256

        079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3

        SHA512

        8a913006aa89eb4f3da5727ddece1185d3fdf8032f575f053b410d99752b9f497c629c68e4253b788e18dc5abb43295ff39bd7e3fd626ab0e7a4684169996231

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
        Filesize

        659KB

        MD5

        426930b11ed1690067b11e518ea7f821

        SHA1

        d5dc533365b757ec442ab28b96602dc9f505e876

        SHA256

        079f023a20cad36a950144e47b5667949285675703312cf8bf0faf22cb25baf3

        SHA512

        8a913006aa89eb4f3da5727ddece1185d3fdf8032f575f053b410d99752b9f497c629c68e4253b788e18dc5abb43295ff39bd7e3fd626ab0e7a4684169996231

        Download Submit

      • memory/428-165-0x0000000006C60000-0x0000000006C6A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1300-133-0x0000000005520000-0x0000000005AC4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1300-134-0x0000000005010000-0x00000000050A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1300-135-0x0000000005150000-0x00000000051EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1300-132-0x00000000006B0000-0x000000000075C000-memory.dmp

        Filesize

        688KB

        Download

      • memory/3164-153-0x0000000006600000-0x000000000661E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3164-163-0x0000000007C20000-0x0000000007C28000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3164-152-0x0000000005850000-0x00000000058B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3164-150-0x00000000059A0000-0x0000000005FC8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3164-154-0x0000000006BF0000-0x0000000006C22000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3164-155-0x00000000700F0000-0x000000007013C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3164-156-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3164-158-0x0000000007900000-0x000000000791A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3164-157-0x0000000007F50000-0x00000000085CA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3164-159-0x0000000007980000-0x000000000798A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3164-160-0x0000000007B80000-0x0000000007C16000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3164-161-0x0000000007B30000-0x0000000007B3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3164-162-0x0000000007C40000-0x0000000007C5A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3164-151-0x00000000055B0000-0x00000000055D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3164-147-0x0000000002C40000-0x0000000002C76000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4588-139-0x0000000006820000-0x0000000006832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4588-138-0x0000000005C00000-0x0000000005C66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4588-137-0x0000000000400000-0x000000000048C000-memory.dmp

        Filesize

        560KB

        Download