Overview

overview

10

Static

static

10

2785b4bbb8...27.exe

windows7-x64

10

2785b4bbb8...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/01/2023, 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2785b4bbb80b75836c685ac8a1a24f27.exe

  • Size

    534KB

  • MD5

    2785b4bbb80b75836c685ac8a1a24f27

  • SHA1

    32dcef1d5f8e45655478c3dd960e6f9422af691c

  • SHA256

    7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647

  • SHA512

    fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c

  • SSDEEP

    6144:s8fGLJngzxsoIasFzFMkbcWV3Nce0/4obc4hpqEpZccKHBIAUYpnxVlGy3V8/GVX:WkxfIayFMPzf/m4hp7ncxKRYpn7Em

Score
10/10
quasarvenomratoffice01evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office01

C2

172.81.131.113:4782

Mutex

VNM_MUTEX_OFUOtYdHQP7Y7fAk1P

Attributes
  • encryption_key

    xufMEowCMSpdPlEx87tq

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    mvscs

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2785b4bbb80b75836c685ac8a1a24f27.exe
    "C:\Users\Admin\AppData\Local\Temp\2785b4bbb80b75836c685ac8a1a24f27.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "mvscs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\2785b4bbb80b75836c685ac8a1a24f27.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1260
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "mvscs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:5084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAcMK8lzge05.bat" "
        2⤵
          PID:928

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\uAcMK8lzge05.bat
        Filesize

        229B

        MD5

        4210f7b707b3885acce64ed29e762d88

        SHA1

        eb6779e62cc8fe427e4c6d40e7a8d144a6a72f01

        SHA256

        82127dde8df0ea47acf2b8486405aae8c1bc28a77be1b5efc88bba797711db96

        SHA512

        62c4ca00c746f452d8131ea362c2fe86402b2596290abf137c60c29626be447ca9bd014f5ded03760fd34aff9a35f9d602c2e4e5bb55cbe608ba6bfb9bb2b0d1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        534KB

        MD5

        2785b4bbb80b75836c685ac8a1a24f27

        SHA1

        32dcef1d5f8e45655478c3dd960e6f9422af691c

        SHA256

        7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647

        SHA512

        fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        534KB

        MD5

        2785b4bbb80b75836c685ac8a1a24f27

        SHA1

        32dcef1d5f8e45655478c3dd960e6f9422af691c

        SHA256

        7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647

        SHA512

        fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c

        Download Submit

      • memory/4252-137-0x0000000006250000-0x000000000628C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4252-136-0x0000000005E20000-0x0000000005E32000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4252-135-0x00000000051D0000-0x0000000005236000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4252-134-0x0000000005030000-0x00000000050C2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4252-132-0x0000000000700000-0x000000000078C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/4252-133-0x00000000054F0000-0x0000000005A94000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4520-151-0x0000000006450000-0x000000000646E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4520-152-0x0000000007800000-0x0000000007E7A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4520-153-0x00000000071B0000-0x00000000071CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4520-144-0x00000000052F0000-0x0000000005918000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4520-149-0x0000000006470000-0x00000000064A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4520-150-0x00000000701C0000-0x000000007020C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4520-146-0x0000000005180000-0x00000000051E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4520-145-0x0000000004FE0000-0x0000000005002000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4520-147-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4520-154-0x0000000007220000-0x000000000722A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4520-155-0x0000000007430000-0x00000000074C6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4520-143-0x0000000002580000-0x00000000025B6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4520-157-0x00000000073E0000-0x00000000073EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4520-158-0x00000000074F0000-0x000000000750A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4520-159-0x00000000074D0000-0x00000000074D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4700-156-0x0000000006B60000-0x0000000006B6A000-memory.dmp

        Filesize

        40KB

        Download