Overview

overview

10

Static

static

b70af2ccc8...1c.exe

windows7-x64

10

b70af2ccc8...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe

  • Size

    630KB

  • MD5

    c45c3dbe62846a145d90077e4d64fe00

  • SHA1

    a9413e2aadb3d0fbf0168666c93c10a74fddcd8a

  • SHA256

    b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c

  • SHA512

    e7dd8538f223b2484c87cba7e1239d2c3ab85790a9ab5e9a31dfd3f8959982a39edcad838cb6aa5afe9348a344100ef1bc00c79d3a31d862726bbcfb098991ad

  • SSDEEP

    12288:2oF8GNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ5:aGKIDAEQSy2TbKuKN

Score
10/10
quasarvenomratajithevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

ajith

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_NdVd2sPSSqFdo7I35g

Attributes
  • encryption_key

    jyerms3KOWmt3C9DBFuq

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe
    "C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe
      "C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe"
      2⤵
        PID:2728
      • C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe
        "C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe"
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • Checks computer location settings
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:1656
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3232
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:2300
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2192
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4888
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            4⤵
              PID:2052
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYc3tToJtgv2.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4688
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              4⤵
                PID:4400
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                4⤵
                • Runs ping.exe
                PID:500
              • C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe
                "C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4276
                • C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe
                  "C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe"
                  5⤵
                    PID:3136
                  • C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe
                    "C:\Users\Admin\AppData\Local\Temp\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:888

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Modify Registry

          3
          T1112

          Disabling Security Tools

          2
          T1089

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security.exe.log
            Filesize

            507B

            MD5

            76ffb2f33cb32ade8fc862a67599e9d8

            SHA1

            920cc4ab75b36d2f9f6e979b74db568973c49130

            SHA256

            f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

            SHA512

            f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe.log
            Filesize

            507B

            MD5

            76ffb2f33cb32ade8fc862a67599e9d8

            SHA1

            920cc4ab75b36d2f9f6e979b74db568973c49130

            SHA256

            f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

            SHA512

            f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\gYc3tToJtgv2.bat
            Filesize

            261B

            MD5

            fe916fae21edb87a48e4056a2bddfafc

            SHA1

            61ad7effd1c8e7ff292fe995ce3a44b816dd3b2a

            SHA256

            9c6629ba45e1d3dfa76c62f3115a409e144f288bb127410cd6e8ba04df9475ef

            SHA512

            a29206e84e2441834f4279900c1c7fe402751a45189f0e86db7b858cb0c2b389ea07d06c904af272b79f9d07cbcc8aa4e4375cfb67df5c3c837968fafcc722de

            Download Submit
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
            Filesize

            630KB

            MD5

            c45c3dbe62846a145d90077e4d64fe00

            SHA1

            a9413e2aadb3d0fbf0168666c93c10a74fddcd8a

            SHA256

            b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c

            SHA512

            e7dd8538f223b2484c87cba7e1239d2c3ab85790a9ab5e9a31dfd3f8959982a39edcad838cb6aa5afe9348a344100ef1bc00c79d3a31d862726bbcfb098991ad

            Download Submit
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
            Filesize

            630KB

            MD5

            c45c3dbe62846a145d90077e4d64fe00

            SHA1

            a9413e2aadb3d0fbf0168666c93c10a74fddcd8a

            SHA256

            b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c

            SHA512

            e7dd8538f223b2484c87cba7e1239d2c3ab85790a9ab5e9a31dfd3f8959982a39edcad838cb6aa5afe9348a344100ef1bc00c79d3a31d862726bbcfb098991ad

            Download Submit
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
            Filesize

            630KB

            MD5

            c45c3dbe62846a145d90077e4d64fe00

            SHA1

            a9413e2aadb3d0fbf0168666c93c10a74fddcd8a

            SHA256

            b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c

            SHA512

            e7dd8538f223b2484c87cba7e1239d2c3ab85790a9ab5e9a31dfd3f8959982a39edcad838cb6aa5afe9348a344100ef1bc00c79d3a31d862726bbcfb098991ad

            Download Submit
          • memory/500-174-0x0000000000000000-mapping.dmp
            Download
          • memory/888-177-0x0000000000000000-mapping.dmp
            Download
          • memory/1560-144-0x0000000000000000-mapping.dmp
            Download
          • memory/1656-143-0x0000000000000000-mapping.dmp
            Download
          • memory/2052-168-0x0000000000000000-mapping.dmp
            Download
          • memory/2192-155-0x0000000005530000-0x0000000005596000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2192-161-0x0000000006F80000-0x0000000006F9A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2192-166-0x00000000072A0000-0x00000000072A8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2192-165-0x00000000072C0000-0x00000000072DA000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2192-147-0x0000000000000000-mapping.dmp
            Download
          • memory/2192-148-0x0000000004620000-0x0000000004656000-memory.dmp
            Filesize

            216KB

            Download
          • memory/2192-164-0x00000000071B0000-0x00000000071BE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2192-163-0x0000000007200000-0x0000000007296000-memory.dmp
            Filesize

            600KB

            Download
          • memory/2192-162-0x0000000006FF0000-0x0000000006FFA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2192-153-0x0000000004E50000-0x0000000005478000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/2192-154-0x0000000004C50000-0x0000000004C72000-memory.dmp
            Filesize

            136KB

            Download
          • memory/2192-160-0x00000000075C0000-0x0000000007C3A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/2192-156-0x0000000005C60000-0x0000000005C7E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/2192-157-0x0000000006230000-0x0000000006262000-memory.dmp
            Filesize

            200KB

            Download
          • memory/2192-158-0x000000006F970000-0x000000006F9BC000-memory.dmp
            Filesize

            304KB

            Download
          • memory/2192-159-0x0000000006210000-0x000000000622E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/2300-169-0x0000000000000000-mapping.dmp
            Download
          • memory/2728-136-0x0000000000000000-mapping.dmp
            Download
          • memory/3104-142-0x0000000006A70000-0x0000000006AAC000-memory.dmp
            Filesize

            240KB

            Download
          • memory/3104-137-0x0000000000000000-mapping.dmp
            Download
          • memory/3104-138-0x0000000000400000-0x000000000048C000-memory.dmp
            Filesize

            560KB

            Download
          • memory/3104-140-0x0000000005570000-0x00000000055D6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3104-141-0x0000000006510000-0x0000000006522000-memory.dmp
            Filesize

            72KB

            Download
          • memory/3136-176-0x0000000000000000-mapping.dmp
            Download
          • memory/3232-149-0x0000000000000000-mapping.dmp
            Download
          • memory/3232-170-0x0000000007470000-0x000000000747A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4276-175-0x0000000000000000-mapping.dmp
            Download
          • memory/4400-173-0x0000000000000000-mapping.dmp
            Download
          • memory/4688-171-0x0000000000000000-mapping.dmp
            Download
          • memory/4844-135-0x00000000058E0000-0x000000000597C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/4844-134-0x0000000005840000-0x00000000058D2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4844-132-0x0000000000D90000-0x0000000000E34000-memory.dmp
            Filesize

            656KB

            Download
          • memory/4844-133-0x0000000005D50000-0x00000000062F4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/4888-167-0x0000000000000000-mapping.dmp
            Download