Overview

overview

10

Static

static

e14fe9800b...a8.exe

windows7-x64

10

e14fe9800b...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe

  • Size

    590KB

  • MD5

    f7d70adb404cf63562d6541fce16ee94

  • SHA1

    7c855ae562c54c6747c682f9403ff902308deeb1

  • SHA256

    e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8

  • SHA512

    aed0a69aa45018197f04eec259ab4954f0ecd6f0e309a745346282cc46efd4e6567f920a3cfa39326082abff40de6ad932150ae5f6207e1a580d87343410d519

  • SSDEEP

    6144:kU9/iRCAm9wyitWVSIyIXQR3YQJrjYPUotecWo7vMyYp5lQj64cmX3Hrv9Otawza:i3ynm3RsPj7WYUxp+TvotLzAFLBz8LS

Score
10/10
quasarvenomratratevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_gdy9bWxR0te3WgTRnI

Attributes
  • encryption_key

    MDXzdQumRqZGIeya7nG9

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Signatures

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 6 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe
    "C:\Users\Admin\AppData\Local\Temp\e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:5056
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:2284
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:3908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YdfsId1tC3AT.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3456
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:4448
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:1848
            • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
              "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3944

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\YdfsId1tC3AT.bat
        Filesize

        219B

        MD5

        fd2df7149a0c1f23863fa4b80149505c

        SHA1

        9e9188b329109d95349bc3d2dac40867aa9148c9

        SHA256

        87ffad653aca52daf9bfd37828e5135d246213dc790a7301178c50485e875912

        SHA512

        b30263a00f9ad641baee456b7c1cb9daa06a5caf2e8bbf2499bc63431858c60f91e7b640f60822c52e161cdb8a60f22c4260c7eb93fc2258a494871e87199c89

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
        Filesize

        535KB

        MD5

        6f3b107a20b18244efb6473bae2544b1

        SHA1

        dc02ec107547c515bffeadcd87e6308c3bdfd390

        SHA256

        2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

        SHA512

        318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
        Filesize

        535KB

        MD5

        6f3b107a20b18244efb6473bae2544b1

        SHA1

        dc02ec107547c515bffeadcd87e6308c3bdfd390

        SHA256

        2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

        SHA512

        318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
        Filesize

        535KB

        MD5

        6f3b107a20b18244efb6473bae2544b1

        SHA1

        dc02ec107547c515bffeadcd87e6308c3bdfd390

        SHA256

        2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

        SHA512

        318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
        Filesize

        535KB

        MD5

        6f3b107a20b18244efb6473bae2544b1

        SHA1

        dc02ec107547c515bffeadcd87e6308c3bdfd390

        SHA256

        2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

        SHA512

        318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
        Filesize

        535KB

        MD5

        6f3b107a20b18244efb6473bae2544b1

        SHA1

        dc02ec107547c515bffeadcd87e6308c3bdfd390

        SHA256

        2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

        SHA512

        318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

        Download Submit
      • memory/116-165-0x0000000000000000-mapping.dmp
        Download
      • memory/1476-136-0x0000000074880000-0x0000000074E31000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1476-132-0x0000000074880000-0x0000000074E31000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1848-170-0x0000000000000000-mapping.dmp
        Download
      • memory/2284-153-0x0000000000000000-mapping.dmp
        Download
      • memory/3016-142-0x0000000006140000-0x000000000617C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3016-141-0x0000000005D20000-0x0000000005D32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3016-140-0x00000000050D0000-0x0000000005136000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3016-139-0x0000000004FC0000-0x0000000005052000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3016-138-0x0000000005570000-0x0000000005B14000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3016-137-0x00000000004A0000-0x000000000052C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/3016-133-0x0000000000000000-mapping.dmp
        Download
      • memory/3456-167-0x0000000000000000-mapping.dmp
        Download
      • memory/3908-166-0x0000000000000000-mapping.dmp
        Download
      • memory/3944-171-0x0000000000000000-mapping.dmp
        Download
      • memory/4448-169-0x0000000000000000-mapping.dmp
        Download
      • memory/4800-152-0x0000000005F10000-0x0000000005F2E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4800-164-0x0000000007B30000-0x0000000007B38000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4800-157-0x0000000006BB0000-0x0000000006BCE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4800-158-0x0000000007F70000-0x00000000085EA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4800-159-0x0000000007920000-0x000000000793A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4800-160-0x0000000001190000-0x000000000119A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4800-161-0x0000000007B40000-0x0000000007BD6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4800-162-0x0000000007AF0000-0x0000000007AFE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4800-163-0x0000000007BE0000-0x0000000007BFA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4800-156-0x000000006FB30000-0x000000006FB7C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4800-155-0x0000000006BD0000-0x0000000006C02000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4800-147-0x0000000000000000-mapping.dmp
        Download
      • memory/4800-151-0x0000000005F50000-0x0000000005FB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4800-150-0x0000000005750000-0x0000000005772000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4800-149-0x0000000005830000-0x0000000005E58000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4800-148-0x0000000002CF0000-0x0000000002D26000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4840-154-0x00000000069D0000-0x00000000069DA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4840-144-0x0000000000000000-mapping.dmp
        Download
      • memory/5056-143-0x0000000000000000-mapping.dmp
        Download