Overview

overview

10

Static

static

f1946c208e...12.exe

windows7-x64

10

f1946c208e...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe

  • Size

    12.8MB

  • MD5

    1c1cd3ee6e73a4e599c7c32bae300b05

  • SHA1

    dd22b9c9531efdecd80d37b01254e96728ef26c3

  • SHA256

    f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12

  • SHA512

    484ab45694f4789a8f385dd6346c2711d8b79368760819065592163f763a8724c91993fbc0bfbf58ce0c1d0f7d9132f9b59a99645790e4e68ece6650b99cd037

  • SSDEEP

    393216:IY/d0T2My8oDotr3LItcM4epPOgmYQbml1ay:IYeqvE1Sd/WmSy

Score
10/10
quasarvenomratgreedensevasionratrootkitspywarestealerthemidatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

greedens

C2

127.0.0.1:4782

Mutex

VNM_MUTEX_7DOOh0yZCLxX4Y4Ltu

Attributes
  • encryption_key

    ZSBFYPSY9jJS688RgNV6

  • install_name

    $77setup.exe

  • log_directory

    gameboard

  • reconnect_delay

    3000

  • startup_key

    drivers

  • subdirectory

    $77

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
    "C:\Users\Admin\AppData\Local\Temp\f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Windows security modification
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4136
      • C:\Windows\SysWOW64\$77\$77setup.exe
        "C:\Windows\SysWOW64\$77\$77setup.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2704
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77\$77setup.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2shrzu6T7s4q.bat" "
          4⤵
            PID:3640
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:4536
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:5076
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1660
              4⤵
              • Program crash
              PID:1660
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4260
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2704 -ip 2704
        1⤵
          PID:4044

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Modify Existing Service

        1
        T1031

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Modify Registry

        2
        T1112

        Disabling Security Tools

        2
        T1089

        Virtualization/Sandbox Evasion

        1
        T1497

        Credential Access

        Discovery

        Query Registry

        3
        T1012

        Virtualization/Sandbox Evasion

        1
        T1497

        System Information Discovery

        4
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2shrzu6T7s4q.bat
          Filesize

          195B

          MD5

          7eb062638881d191c191a06fe0a73d62

          SHA1

          d1336dfedb3343faaf78d5bf77003cd576602383

          SHA256

          b4d8845781bce88d6573a3c70bb3f8f335f26c1f656b202b1ceb301e94d5d3b0

          SHA512

          331b054a7c21e75b3d4851daeb7a7ceaae9e5b041fa7aad3e0ab32b906266ae0f0e29cceeda4aa21f217a996f553bf69dac4bc1f095320a0f740a99309db4eda

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
          Filesize

          12.6MB

          MD5

          61ca2ad2572a94b36652120f72678cdc

          SHA1

          a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

          SHA256

          36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

          SHA512

          8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
          Filesize

          12.6MB

          MD5

          61ca2ad2572a94b36652120f72678cdc

          SHA1

          a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

          SHA256

          36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

          SHA512

          8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

          Download Submit
        • C:\Windows\SysWOW64\$77\$77setup.exe
          Filesize

          12.6MB

          MD5

          61ca2ad2572a94b36652120f72678cdc

          SHA1

          a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

          SHA256

          36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

          SHA512

          8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

          Download Submit
        • C:\Windows\SysWOW64\$77\$77setup.exe
          Filesize

          9.6MB

          MD5

          5b80795099ecd413c2377932481fd64b

          SHA1

          8ee253c52da995b82695adf79251ad468b685e30

          SHA256

          634dc2c9aad14829cd28acdba562aef343069870097434568d1ae1085e361f5a

          SHA512

          778e4918a2c3def0b41fd6aae6898f2ecdc602a97f705e728316361651c41aaace5b20aab437befef75ff141874f47b39613b07703ab794a9ba0e3b1d2b258f4

          Download Submit
        • memory/836-165-0x0000000000000000-mapping.dmp
          Download
        • memory/1676-139-0x0000000000820000-0x00000000028EA000-memory.dmp
          Filesize

          32.8MB

          Download
        • memory/1676-142-0x00000000073E0000-0x0000000007472000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1676-143-0x00000000075B0000-0x0000000007616000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1676-144-0x0000000007A20000-0x0000000007A32000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1676-145-0x0000000008610000-0x000000000864C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/1676-141-0x0000000007A60000-0x0000000008004000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1676-140-0x0000000000820000-0x00000000028EA000-memory.dmp
          Filesize

          32.8MB

          Download
        • memory/1676-156-0x0000000000820000-0x00000000028EA000-memory.dmp
          Filesize

          32.8MB

          Download
        • memory/1676-138-0x0000000077B50000-0x0000000077CF3000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1676-134-0x0000000000820000-0x00000000028EA000-memory.dmp
          Filesize

          32.8MB

          Download
        • memory/1676-163-0x0000000077B50000-0x0000000077CF3000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1676-132-0x0000000000000000-mapping.dmp
          Download
        • memory/2704-158-0x0000000000F20000-0x0000000002FEA000-memory.dmp
          Filesize

          32.8MB

          Download
        • memory/2704-167-0x0000000008460000-0x000000000846A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2704-148-0x0000000000000000-mapping.dmp
          Download
        • memory/2704-162-0x0000000077B50000-0x0000000077CF3000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/2704-159-0x0000000000F20000-0x0000000002FEA000-memory.dmp
          Filesize

          32.8MB

          Download
        • memory/2704-161-0x0000000000F20000-0x0000000002FEA000-memory.dmp
          Filesize

          32.8MB

          Download
        • memory/3640-168-0x0000000000000000-mapping.dmp
          Download
        • memory/4136-147-0x0000000000000000-mapping.dmp
          Download
        • memory/4260-150-0x0000000000000000-mapping.dmp
          Download
        • memory/4260-177-0x0000000007850000-0x000000000785A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4260-152-0x0000000005670000-0x0000000005C98000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/4260-157-0x0000000005600000-0x0000000005622000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4260-164-0x0000000005240000-0x000000000525E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/4260-151-0x0000000002BA0000-0x0000000002BD6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/4260-160-0x0000000005E10000-0x0000000005E76000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4260-171-0x0000000006AA0000-0x0000000006AD2000-memory.dmp
          Filesize

          200KB

          Download
        • memory/4260-172-0x0000000070580000-0x00000000705CC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/4260-173-0x0000000006A80000-0x0000000006A9E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/4260-178-0x0000000007A40000-0x0000000007AD6000-memory.dmp
          Filesize

          600KB

          Download
        • memory/4260-175-0x0000000007E30000-0x00000000084AA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/4260-176-0x00000000077E0000-0x00000000077FA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4536-170-0x0000000000000000-mapping.dmp
          Download
        • memory/5076-174-0x0000000000000000-mapping.dmp
          Download