Overview

overview

10

Static

static

14dc1c330f...6a.exe

windows7-x64

10

14dc1c330f...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    231s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe

  • Size

    601KB

  • MD5

    ac916695fe810d70b17bf78c9474aa4e

  • SHA1

    36d871bd8f2bbd050f5218ad994fbe04d1cfe759

  • SHA256

    14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

  • SHA512

    21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

  • SSDEEP

    12288:wgxy4jZZ8vDc6h3iUhFbAsUMdzxP0V2t5fI44FPTZFyd:1xy4jZ+vDc05hFXxxEIfhe7yd

Score
10/10
quasarvenomrathackedevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

hacked

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_0Ae9WwC7TPO9smz3BJ

Attributes
  • encryption_key

    jCEkwlvO5Scyan0S8vZo

  • install_name

    Windows Security Health Service.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
    "C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe
      "C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3532
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:484
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4536
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4556

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe.log
    Filesize

    507B

    MD5

    76ffb2f33cb32ade8fc862a67599e9d8

    SHA1

    920cc4ab75b36d2f9f6e979b74db568973c49130

    SHA256

    f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

    SHA512

    f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
    Filesize

    601KB

    MD5

    ac916695fe810d70b17bf78c9474aa4e

    SHA1

    36d871bd8f2bbd050f5218ad994fbe04d1cfe759

    SHA256

    14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

    SHA512

    21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
    Filesize

    601KB

    MD5

    ac916695fe810d70b17bf78c9474aa4e

    SHA1

    36d871bd8f2bbd050f5218ad994fbe04d1cfe759

    SHA256

    14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

    SHA512

    21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Security Health Service.exe
    Filesize

    601KB

    MD5

    ac916695fe810d70b17bf78c9474aa4e

    SHA1

    36d871bd8f2bbd050f5218ad994fbe04d1cfe759

    SHA256

    14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a

    SHA512

    21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f

    Download Submit

  • memory/1556-137-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1556-139-0x0000000005200000-0x0000000005266000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1556-140-0x0000000006220000-0x0000000006232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4524-135-0x00000000057E0000-0x000000000587C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4524-132-0x0000000000CE0000-0x0000000000D7E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/4524-134-0x0000000005600000-0x0000000005692000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4524-133-0x0000000005BB0000-0x0000000006154000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4556-149-0x0000000002B60000-0x0000000002B96000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4556-150-0x0000000005810000-0x0000000005E38000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4556-151-0x00000000056B0000-0x00000000056D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4556-152-0x0000000005F40000-0x0000000005FA6000-memory.dmp

    Filesize

    408KB

    Download