Analysis
-
max time kernel
154s -
max time network
159s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
19-01-2023 09:19
General
-
Target
75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8.exe
-
Size
536KB
-
MD5
8c274dad5fd77b0692ca5c299ffb0d26
-
SHA1
5dda42516b5f3b65093dae4b55506e9c8813d745
-
SHA256
75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8
-
SHA512
370c2b2f4a2342b1d3281e2b8d2a426606e0e828b4342981bcd42b16f78dd071d419d646e3c94292cf11e287347b48f2231de91a21ff2856ea08e2085da335b9
-
SSDEEP
12288:k04p+yRb8qXeSCTQVpyQJPiDZOjVYXRTyyss:k0M8qXzCTQ/yQWRyq
Malware Config
Extracted
quasar
2.1.0.0
Office01
172.81.131.113:4782
VNM_MUTEX_OFUOtYdHQP7Y7fAk1P
-
encryption_key
xufMEowCMSpdPlEx87tq
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
mvscs
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8.exe"C:\Users\Admin\AppData\Local\Temp\75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnmtub.exe"C:\Users\Admin\AppData\Local\Temp\vnmtub.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "mvscs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\vnmtub.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "mvscs" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p7vbd2SWQgm6.bat" "3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\p7vbd2SWQgm6.batFilesize
203B
MD509b61a4f440fb2d3af75b4fa3687d3e0
SHA1a6ae202c59c34a76fc89631fdba3874b7d1a6ed7
SHA256bd4a6bef809a2e0fd7a484d9b5ef7c794fb18c38dd473702ab5941d1ba4b7fd4
SHA512bfd760f39d9f31d21db2d0614c4818160ac763f6cf66c70d9a947f681b5a66d2c84abc7afe89b625857dff7586f4cc812bccd4a008fe84de4c2bdb9fdd01b62e
-
C:\Users\Admin\AppData\Local\Temp\vnmtub.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
C:\Users\Admin\AppData\Local\Temp\vnmtub.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
534KB
MD52785b4bbb80b75836c685ac8a1a24f27
SHA132dcef1d5f8e45655478c3dd960e6f9422af691c
SHA2567a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
-
memory/908-747-0x0000000000000000-mapping.dmp
-
memory/1788-755-0x0000000000000000-mapping.dmp
-
memory/1828-753-0x0000000000000000-mapping.dmp
-
memory/2836-456-0x0000000000000000-mapping.dmp
-
memory/4020-308-0x0000000000000000-mapping.dmp
-
memory/4020-580-0x0000000006600000-0x000000000660A000-memory.dmpFilesize
40KB
-
memory/4124-160-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-148-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-124-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-125-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-126-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-127-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-128-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-129-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-130-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-131-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-132-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-133-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-134-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-135-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-136-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-137-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-138-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-166-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-140-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-141-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-142-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-143-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-144-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-145-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-146-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-147-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-165-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-149-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-150-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-151-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-152-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-153-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-154-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-155-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-156-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-157-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-158-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-122-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-159-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-161-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-162-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-163-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-172-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-123-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-139-0x0000000000400000-0x0000000000489000-memory.dmpFilesize
548KB
-
memory/4124-167-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-168-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-169-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-171-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-173-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-170-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-174-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-164-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-175-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-176-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-177-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-178-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-179-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-116-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-117-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-118-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-119-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-120-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4124-121-0x0000000077480000-0x000000007760E000-memory.dmpFilesize
1.6MB
-
memory/4240-192-0x0000000000000000-mapping.dmp
-
memory/4240-239-0x00000000001F0000-0x000000000027C000-memory.dmpFilesize
560KB
-
memory/4240-244-0x0000000004BC0000-0x0000000004C52000-memory.dmpFilesize
584KB
-
memory/4240-255-0x0000000004B20000-0x0000000004B86000-memory.dmpFilesize
408KB
-
memory/4240-286-0x0000000005E10000-0x0000000005E4E000-memory.dmpFilesize
248KB
-
memory/4240-265-0x0000000005A40000-0x0000000005A52000-memory.dmpFilesize
72KB
-
memory/4240-242-0x0000000005020000-0x000000000551E000-memory.dmpFilesize
5.0MB
-
memory/4876-288-0x0000000000000000-mapping.dmp
-
memory/5076-421-0x0000000006DC0000-0x0000000006DE2000-memory.dmpFilesize
136KB
-
memory/5076-502-0x0000000009210000-0x00000000092A4000-memory.dmpFilesize
592KB
-
memory/5076-427-0x0000000007740000-0x0000000007A90000-memory.dmpFilesize
3.3MB
-
memory/5076-489-0x0000000008ED0000-0x0000000008EEE000-memory.dmpFilesize
120KB
-
memory/5076-488-0x0000000008F10000-0x0000000008F43000-memory.dmpFilesize
204KB
-
memory/5076-424-0x00000000076D0000-0x0000000007736000-memory.dmpFilesize
408KB
-
memory/5076-498-0x0000000009040000-0x00000000090E5000-memory.dmpFilesize
660KB
-
memory/5076-440-0x00000000075A0000-0x00000000075BC000-memory.dmpFilesize
112KB
-
memory/5076-396-0x0000000006E90000-0x00000000074B8000-memory.dmpFilesize
6.2MB
-
memory/5076-708-0x00000000069A0000-0x00000000069BA000-memory.dmpFilesize
104KB
-
memory/5076-713-0x0000000006990000-0x0000000006998000-memory.dmpFilesize
32KB
-
memory/5076-391-0x0000000004350000-0x0000000004386000-memory.dmpFilesize
216KB
-
memory/5076-455-0x0000000007E10000-0x0000000007E86000-memory.dmpFilesize
472KB
-
memory/5076-311-0x0000000000000000-mapping.dmp
-
memory/5076-443-0x0000000008050000-0x000000000809B000-memory.dmpFilesize
300KB