Overview

overview

10

Static

static

d76aafee2e...dc.exe

windows7-x64

10

d76aafee2e...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

  • Size

    655KB

  • MD5

    c6b8dff8c0e4204c318dc7e349d5f531

  • SHA1

    af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

  • SHA256

    d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

  • SHA512

    6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

  • SSDEEP

    12288:QNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ56m:QKIDAEQSy2TbKuKN

Score
10/10
quasarvenomratajithevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

ajith

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_NdVd2sPSSqFdo7I35g

Attributes
  • encryption_key

    jyerms3KOWmt3C9DBFuq

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
    "C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
      "C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2292
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:4244
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:4764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIGiZgIZ3blg.bat" "
          3⤵
            PID:3900

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security.exe.log
        Filesize

        507B

        MD5

        8cf94b5356be60247d331660005941ec

        SHA1

        fdedb361f40f22cb6a086c808fc0056d4e421131

        SHA256

        52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

        SHA512

        b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe.log
        Filesize

        507B

        MD5

        8cf94b5356be60247d331660005941ec

        SHA1

        fdedb361f40f22cb6a086c808fc0056d4e421131

        SHA256

        52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

        SHA512

        b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\LIGiZgIZ3blg.bat
        Filesize

        261B

        MD5

        db275445f09d1e2e93c579028a1e6ba6

        SHA1

        365bd4bbd87811bfd015e9dc940853eafbdb0f06

        SHA256

        b67bd770c7f7062478c7cc1cf3a6e0d30609ef537514c4d79cc840295348aa05

        SHA512

        83b0d80cadc45b08bdbad08535bc20a484f26dd1a2af17e6e4506739dbc4ab931b439640e5774ceead35290fb0c407c8a17640868ecfdb659571c0b5c028c2ff

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        655KB

        MD5

        c6b8dff8c0e4204c318dc7e349d5f531

        SHA1

        af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

        SHA256

        d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

        SHA512

        6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        655KB

        MD5

        c6b8dff8c0e4204c318dc7e349d5f531

        SHA1

        af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

        SHA256

        d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

        SHA512

        6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
        Filesize

        655KB

        MD5

        c6b8dff8c0e4204c318dc7e349d5f531

        SHA1

        af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

        SHA256

        d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

        SHA512

        6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

        Download Submit
      • memory/1748-160-0x0000000007A90000-0x000000000810A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/1748-166-0x0000000007770000-0x0000000007778000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1748-162-0x00000000074B0000-0x00000000074BA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1748-161-0x0000000007440000-0x000000000745A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1748-164-0x0000000007680000-0x000000000768E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1748-159-0x00000000066F0000-0x000000000670E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1748-158-0x000000006FD70000-0x000000006FDBC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1748-145-0x0000000000000000-mapping.dmp
        Download
      • memory/1748-146-0x0000000002790000-0x00000000027C6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1748-157-0x0000000007100000-0x0000000007132000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1748-165-0x0000000007780000-0x000000000779A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1748-150-0x0000000005340000-0x0000000005968000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1748-163-0x00000000076C0000-0x0000000007756000-memory.dmp
        Filesize

        600KB

        Download
      • memory/1748-152-0x0000000005100000-0x0000000005122000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1748-153-0x0000000005A10000-0x0000000005A76000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1748-154-0x0000000006140000-0x000000000615E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2292-141-0x0000000000000000-mapping.dmp
        Download
      • memory/3124-136-0x0000000000000000-mapping.dmp
        Download
      • memory/3124-139-0x00000000061D0000-0x00000000061E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3124-137-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/3124-138-0x00000000055B0000-0x0000000005616000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3124-140-0x0000000006740000-0x000000000677C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3424-142-0x0000000000000000-mapping.dmp
        Download
      • memory/3652-167-0x0000000000000000-mapping.dmp
        Download
      • memory/3784-147-0x0000000000000000-mapping.dmp
        Download
      • memory/3784-156-0x0000000007150000-0x000000000715A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3900-169-0x0000000000000000-mapping.dmp
        Download
      • memory/4244-155-0x0000000000000000-mapping.dmp
        Download
      • memory/4764-168-0x0000000000000000-mapping.dmp
        Download
      • memory/5064-132-0x00000000003A0000-0x000000000044A000-memory.dmp
        Filesize

        680KB

        Download
      • memory/5064-135-0x0000000004EE0000-0x0000000004F7C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/5064-134-0x0000000004E40000-0x0000000004ED2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5064-133-0x0000000005580000-0x0000000005B24000-memory.dmp
        Filesize

        5.6MB

        Download