Overview

overview

10

Static

static

94dc30c7b0...33.exe

windows7-x64

10

94dc30c7b0...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94dc30c7b03813bb558ec30577f0761dc2bfcedd3aa0dea665a88ab84f08aa33.exe

  • Size

    680KB

  • MD5

    4f99850bfde0c6703b4f2c8420b9dc8f

  • SHA1

    c60d92f1e0529b2e770858e180906bf9fae631a9

  • SHA256

    94dc30c7b03813bb558ec30577f0761dc2bfcedd3aa0dea665a88ab84f08aa33

  • SHA512

    0d311592bc2dc5ececb3afae6dee5842b9f6a37710d29f5f1a3fe8a27d3e43a625a57039bef92044744d8a0225c52260cc9757b148deb9e0c4e72781e1a89aec

  • SSDEEP

    12288:75393whFOBbQVXQsI6f9fqAPzzEeEZchCBywRiaxJDj8DkIonQmP0Ove/diuHc:753uhF7VAibzzEe9wRiaLSkI8QhOQ18

Score
10/10
quasarvenomratajithevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

ajith

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_NdVd2sPSSqFdo7I35g

Attributes
  • encryption_key

    jyerms3KOWmt3C9DBFuq

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 8 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94dc30c7b03813bb558ec30577f0761dc2bfcedd3aa0dea665a88ab84f08aa33.exe
    "C:\Users\Admin\AppData\Local\Temp\94dc30c7b03813bb558ec30577f0761dc2bfcedd3aa0dea665a88ab84f08aa33.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe"
        3⤵
        • Executes dropped EXE
        PID:4576
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe"
        3⤵
        • Executes dropped EXE
        PID:4276
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Checks computer location settings
        • Windows security modification
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:3244
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
            5⤵
            • Executes dropped EXE
            PID:2360
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
            5⤵
            • Executes dropped EXE
            PID:1892
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1300
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:2132
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2208
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            5⤵
              PID:2572
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ERrRCqTbkeRT.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:1832

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security.exe.log
        Filesize

        507B

        MD5

        8cf94b5356be60247d331660005941ec

        SHA1

        fdedb361f40f22cb6a086c808fc0056d4e421131

        SHA256

        52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

        SHA512

        b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe_protected.exe.log
        Filesize

        507B

        MD5

        8cf94b5356be60247d331660005941ec

        SHA1

        fdedb361f40f22cb6a086c808fc0056d4e421131

        SHA256

        52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

        SHA512

        b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Windows Security.exe_protected.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ERrRCqTbkeRT.bat
        Filesize

        239B

        MD5

        b3aebd1975030d652d785cdbf0782daf

        SHA1

        042cbe6ddff517e66a55c6fa732971c9eab7cd18

        SHA256

        13f9d6127f34c460dc375eb2869f6fe73d7cde12bb7c8b7b7931b96b54c13ba3

        SHA512

        80932fd143cea0cb9b828f4139ce7faa2929b2bb93c9787bf2df79fd8a6540b4c9d020a10779c48209d150651acee0eba65d73a132e889443e90af8fd331d383

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        648KB

        MD5

        763dd9b7f2a5183a1380bee36889f936

        SHA1

        cdc7f9911a853973fc83d0e1a51ee5e82da347c9

        SHA256

        4be9a02e54e86920ed2bcaef3d28253ad0f4f3b005a14c656d74966589ca2039

        SHA512

        7ce621d758a7e12d026d669a5a9827e4dbec130baf05c51e8937227b9f35f5ef7ecfc4e60202f1e3d2f7aa67d665f612bfa0db92cd1ec3d2420a8207b152e37c

        Download Submit
      • memory/1300-169-0x0000000006B90000-0x0000000006B9A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1300-166-0x0000000006700000-0x000000000673C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/1300-158-0x0000000000000000-mapping.dmp
        Download
      • memory/1812-150-0x0000000000000000-mapping.dmp
        Download
      • memory/1832-184-0x0000000000000000-mapping.dmp
        Download
      • memory/1868-143-0x0000000000000000-mapping.dmp
        Download
      • memory/1868-147-0x0000000005300000-0x0000000005366000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1868-148-0x0000000005F70000-0x0000000005F82000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1868-144-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/1892-156-0x0000000000000000-mapping.dmp
        Download
      • memory/2132-167-0x0000000000000000-mapping.dmp
        Download
      • memory/2208-173-0x00000000077D0000-0x0000000007E4A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/2208-170-0x0000000007040000-0x0000000007072000-memory.dmp
        Filesize

        200KB

        Download
      • memory/2208-179-0x0000000005EA0000-0x0000000005EA8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2208-178-0x00000000074C0000-0x00000000074DA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2208-177-0x0000000005E70000-0x0000000005E7E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2208-162-0x0000000004A00000-0x0000000004A36000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2208-163-0x0000000005090000-0x00000000056B8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/2208-164-0x00000000056F0000-0x0000000005712000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2208-165-0x0000000005890000-0x00000000058F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2208-176-0x0000000007400000-0x0000000007496000-memory.dmp
        Filesize

        600KB

        Download
      • memory/2208-153-0x0000000000000000-mapping.dmp
        Download
      • memory/2208-168-0x0000000004D10000-0x0000000004D2E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2208-175-0x00000000071F0000-0x00000000071FA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2208-174-0x0000000007180000-0x000000000719A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2208-171-0x0000000070120000-0x000000007016C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2208-172-0x0000000006440000-0x000000000645E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2360-154-0x0000000000000000-mapping.dmp
        Download
      • memory/2572-181-0x0000000000000000-mapping.dmp
        Download
      • memory/2696-137-0x0000000005170000-0x0000000005202000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2696-136-0x0000000005680000-0x0000000005C24000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2696-132-0x0000000000000000-mapping.dmp
        Download
      • memory/2696-138-0x0000000005210000-0x00000000052AC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2696-135-0x0000000000680000-0x0000000000728000-memory.dmp
        Filesize

        672KB

        Download
      • memory/3244-149-0x0000000000000000-mapping.dmp
        Download
      • memory/3624-180-0x0000000000000000-mapping.dmp
        Download
      • memory/3740-182-0x0000000000000000-mapping.dmp
        Download
      • memory/4276-141-0x0000000000000000-mapping.dmp
        Download
      • memory/4576-139-0x0000000000000000-mapping.dmp
        Download