Analysis

  • max time kernel
    126s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2023 23:53

General

  • Target

    OTP BOT CRACKED.exe

  • Size

    692KB

  • MD5

    57142dab96fabd2d6c9361ebf8a9b2b2

  • SHA1

    46d08ee2df6df25352ef2b310bff8e42e99e6166

  • SHA256

    3b2166067b82633f6773b3da714db496796054a315d6c870763e1a4641c6821c

  • SHA512

    215facd7e421647391055ac823d27d15f8d90e45e88002305c2028e2c29a4828fc05f69858d84c96dfa44cbb372a64a21d02c60c756941e48080925e7e8dd331

  • SSDEEP

    12288:FgHxLPNU1AoiCepLYI2UH92+JlAlB3GQrrCEvL6Dd6S7sQo:ilXoApNTH9eGQrrCE47s

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

FINAL

C2

192.253.245.243:7812

Mutex

VNM_MUTEX_qM9TbqrSltZ0u3P1Qz

Attributes
  • encryption_key

    KCyrElxCqTCYe4YGdIaR

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Windows Security Service

Signatures

  • Contains code to disable Windows Defender 8 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 8 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

  • Executes dropped EXE 4 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox describes this signature generically as likely ransomware behaviour; nothing else in this report (a Quasar/VenomRAT sample whose observed actions are persistence, Defender tampering and temp-directory cleanup) indicates file encryption.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OTP BOT CRACKED.exe
    "C:\Users\Admin\AppData\Local\Temp\OTP BOT CRACKED.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Roaming\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:940
      • C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        PID:744
    • C:\Users\Admin\AppData\Roaming\Windows Security Service.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:380
      • C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:676
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
          • Deletes itself
          PID:1124
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NljoJW92O22g.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:1684
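
The process tree above is exactly the input a detection rule has to be tested against: the persistence and defence-evasion steps are visible as plain command lines (the schtasks ONLOGON task with /rl HIGHEST pointing into AppData, the PowerShell Run-key write pointing at the vlc subdirectory, the Get-MpPreference query, and the del /q/f/s sweep of %TEMP%). The script below is an added example, not code from the sandbox or from Quasar/VenomRAT: it runs a handful of pattern checks over those command lines, constructed here as a literal list of (pid, parent pid, cmdline) tuples copied from the tree, and reports which process triggered which rule. The user-writable path list, the impersonated-component name list, the regexes and the rule names are this example's own assumptions, not the sandbox's signature definitions.

```python
"""Flag persistence and defence-evasion command lines from a sandbox process tree.

Added example; not code from the sandbox or from Quasar/VenomRAT. The regexes,
the user-writable path list and the impersonated-name list are assumptions
made for this example, not the sandbox's signature definitions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: (pid, parent pid, command line), copied from the
# process tree in the report above.
SAMPLE_PROCESSES = [
    (1952, 0,    r'"C:\Users\Admin\AppData\Local\Temp\OTP BOT CRACKED.exe"'),
    (904,  1952, r'"C:\Users\Admin\AppData\Roaming\Windows Security.exe"'),
    (940,  904,  r'''"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"' -PropertyType 'String' '''),
    (744,  904,  r'"C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"'),
    (1420, 1952, r'"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"'),
    (380,  1420, r'"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe" /rl HIGHEST /f'),
    (1712, 1420, r'"C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe"'),
    (676,  1712, r'"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe" /rl HIGHEST /f'),
    (516,  1420, r'"powershell" Get-MpPreference -verbose'),
    (1452, 1420, r'"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit'),
    (1124, 1452, r'C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*'),
    (896,  1420, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\NljoJW92O22g.bat" "'),
    (1684, 896,  r'chcp 65001'),
]

# Assumed list of locations a non-admin user can write to (where a dropper lands).
USER_WRITABLE = re.compile(
    r'(?i)\\(?:AppData\\(?:Roaming|Local)|Temp|ProgramData|Users\\Public)\\'
    r'|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%')
SCHTASKS_CREATE = re.compile(r'(?i)schtasks(?:\.exe)?"?\s+/create\b')
TASK_TARGET = re.compile(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))')
# New-/Set-ItemProperty on a ...\CurrentVersion\Run key; captures the -Value path.
RUN_KEY_VALUE = re.compile(
    r'''(?i)(?:New|Set)-ItemProperty[^;]*CurrentVersion\\Run\b[^;]*-Value\s+['"]*([^'"]+)''')
MP_PREFERENCE = re.compile(r'(?i)\b(?:Get|Set|Add|Remove)-MpPreference\b')
# del ... %TEMP%\* or del ...\Temp\* (anti-forensics / self-deletion).
TEMP_WIPE = re.compile(r'(?i)\bdel\b[^&|]*(?:%TEMP%|\\Temp)\\\*')
# Assumed names a dropped binary borrows to look like a Windows component.
MASQUERADE_NAMES = ("windows security", "windows update", "windows defender", "svchost")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def image_path(cmdline):
    """First token of the command line, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def analyze(processes):
    """Run every rule over each (pid, ppid, cmdline) entry and return the findings."""
    findings = []
    for pid, _ppid, cmd in processes:
        img = image_path(cmd)
        base = img.rsplit("\\", 1)[-1].lower()
        # Binary in a user-writable directory named like a Windows component.
        if USER_WRITABLE.search(img) and any(n in base for n in MASQUERADE_NAMES):
            findings.append(Finding(pid, "masquerade_in_user_dir", img))
        # Scheduled task whose action lives in a user-writable directory.
        if SCHTASKS_CREATE.search(cmd):
            t = TASK_TARGET.search(cmd)
            target = (t.group(1) or t.group(2)) if t else ""
            if USER_WRITABLE.search(target):
                flags = [f for f in ("ONLOGON", "HIGHEST")
                         if re.search(r'(?i)/(?:sc|rl)\s+' + f, cmd)]
                findings.append(Finding(pid, "schtasks_persistence",
                                        " ".join([target, *flags])))
        # Run key pointing at a user-writable directory.
        v = RUN_KEY_VALUE.search(cmd)
        if v and USER_WRITABLE.search(v.group(1)):
            findings.append(Finding(pid, "run_key_persistence", v.group(1).strip()))
        # Any read or write of Defender preferences from a spawned PowerShell.
        p = MP_PREFERENCE.search(cmd)
        if p:
            findings.append(Finding(pid, "defender_preference_access", p.group(0)))
        if TEMP_WIPE.search(cmd):
            findings.append(Finding(pid, "temp_wipe", cmd.strip()))
    return findings


def rules_by_pid(findings):
    """Collapse findings into {pid: set(rule names)} for quick comparison."""
    out = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES):
        print(f"PID {f.pid:<5} {f.rule:<28} {f.detail}")
```

The checks key on what the attacker cannot easily change without losing functionality (a task or Run key must point at the dropped file, which has to live somewhere the user can write) rather than on the names "Windows Update" or "chome_exe", which are free to vary between builds; the masquerade rule is the weakest of the set and is there to rank, not to alert on its own.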

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\NljoJW92O22g.bat

      Filesize

      218B

      MD5

      88e2eeb83c4ac5573d5da3cfa7546144

      SHA1

      2794b161ccc4c2d6bb6dd8a7a6402b681abebbe5

      SHA256

      ae26d405af7f32f584370423e314da630cbc6e4f8aa50dfd969798704aaa04e5

      SHA512

      55cd2e3a03f5c3b56167f18890c92c84073b6c555a7ba037dd7fc89bd5991e0567ec12a9c656003988317831f8349ecfe0579c1cdc59321e4f9bcd3e605f420f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      1b31daf971e9738e3f84711d1618fba1

      SHA1

      19c91a03d1ed3e991417c3c1bb9cafe26770ffd5

      SHA256

      d1f29204d1a7f8d5466edf18bc492e25c8b15f271af61063fe4f0a2c6aebd9a5

      SHA512

      ba9b649fe16843e15636e77735a85009741dab751b441b6da8fec1eb982dd87ac352e5eb72d1f2a60d78119cebe0017ec7c7263321530b45545c5959031c51d8

    • C:\Users\Admin\AppData\Roaming\Windows Security Service.exe

      Filesize

      534KB

      MD5

      cee83bcd736d132823307d0e64816eef

      SHA1

      814cf9852fd6a0c8daa5ce7f272e33a88382b901

      SHA256

      978d81b61bd4eabf7e0707b544f491f024a6d20411999f79c0da977456764c87

      SHA512

      c1744187b0c7d5a0eab75e72bf0b8b161b384fb0e94cb93b9f42a19ab4c00e80996bcc7a012a46c92ea83ad5b5e121022613de3949754535dd8e402cfff53e5a

    • C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe

      Filesize

      534KB

      MD5

      cee83bcd736d132823307d0e64816eef

      SHA1

      814cf9852fd6a0c8daa5ce7f272e33a88382b901

      SHA256

      978d81b61bd4eabf7e0707b544f491f024a6d20411999f79c0da977456764c87

      SHA512

      c1744187b0c7d5a0eab75e72bf0b8b161b384fb0e94cb93b9f42a19ab4c00e80996bcc7a012a46c92ea83ad5b5e121022613de3949754535dd8e402cfff53e5a

    • C:\Users\Admin\AppData\Roaming\Windows Security.exe

      Filesize

      10KB

      MD5

      b295df144910fea1f181c9beb9dd823e

      SHA1

      5c1522f3cd9192af98d04460458b8c85f1537397

      SHA256

      b2d9e6529dfbefd5e4de4eeab37788a3f1338bed40b27b4af85dc3db926cc349

      SHA512

      733e30514d5c3efce419443d7f9e2e6735f8e52d8a2839e85157e8a19537628bef0cd3c01f3a7ac8693343c8b1143ca2f3736ced4b7c323536de159206b7cbb8

    • C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe

      Filesize

      36.9MB

      MD5

      d1db07799438f66503dd795cea74e54f

      SHA1

      91cb46f9bbd66fb1e316620e9aa2429cadd4c8dd

      SHA256

      7d554724daff8b6f0302376f305b989b59ace25adb9a87915d15fd2919b3d3ae

      SHA512

      9cdc5e7ec8533579d371462f5ec6005e017ed718dd6afa3fb91428d371b39dcffffb25738ad3a7f04a3b94f40d59848b1608e809b37c6cc6c9ee229c5ab5374b

    • \Users\Admin\AppData\Roaming\Windows Security Service.exe

      Filesize

      534KB

      MD5

      cee83bcd736d132823307d0e64816eef

      SHA1

      814cf9852fd6a0c8daa5ce7f272e33a88382b901

      SHA256

      978d81b61bd4eabf7e0707b544f491f024a6d20411999f79c0da977456764c87

      SHA512

      c1744187b0c7d5a0eab75e72bf0b8b161b384fb0e94cb93b9f42a19ab4c00e80996bcc7a012a46c92ea83ad5b5e121022613de3949754535dd8e402cfff53e5a

    • \Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe

      Filesize

      534KB

      MD5

      cee83bcd736d132823307d0e64816eef

      SHA1

      814cf9852fd6a0c8daa5ce7f272e33a88382b901

      SHA256

      978d81b61bd4eabf7e0707b544f491f024a6d20411999f79c0da977456764c87

      SHA512

      c1744187b0c7d5a0eab75e72bf0b8b161b384fb0e94cb93b9f42a19ab4c00e80996bcc7a012a46c92ea83ad5b5e121022613de3949754535dd8e402cfff53e5a

    • \Users\Admin\AppData\Roaming\Windows Security.exe

      Filesize

      10KB

      MD5

      b295df144910fea1f181c9beb9dd823e

      SHA1

      5c1522f3cd9192af98d04460458b8c85f1537397

      SHA256

      b2d9e6529dfbefd5e4de4eeab37788a3f1338bed40b27b4af85dc3db926cc349

      SHA512

      733e30514d5c3efce419443d7f9e2e6735f8e52d8a2839e85157e8a19537628bef0cd3c01f3a7ac8693343c8b1143ca2f3736ced4b7c323536de159206b7cbb8

    • \Users\Admin\AppData\Roaming\vlc\Windows Security.exe

      Filesize

      36.9MB

      MD5

      d1db07799438f66503dd795cea74e54f

      SHA1

      91cb46f9bbd66fb1e316620e9aa2429cadd4c8dd

      SHA256

      7d554724daff8b6f0302376f305b989b59ace25adb9a87915d15fd2919b3d3ae

      SHA512

      9cdc5e7ec8533579d371462f5ec6005e017ed718dd6afa3fb91428d371b39dcffffb25738ad3a7f04a3b94f40d59848b1608e809b37c6cc6c9ee229c5ab5374b

    • memory/516-80-0x000000006E930000-0x000000006EEDB000-memory.dmp

      Filesize

      5.7MB

    • memory/516-78-0x000000006E930000-0x000000006EEDB000-memory.dmp

      Filesize

      5.7MB

    • memory/744-93-0x0000000000290000-0x0000000000298000-memory.dmp

      Filesize

      32KB

    • memory/904-65-0x0000000000E80000-0x0000000000E88000-memory.dmp

      Filesize

      32KB

    • memory/940-95-0x000000006E900000-0x000000006EEAB000-memory.dmp

      Filesize

      5.7MB

    • memory/940-96-0x000000006E900000-0x000000006EEAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1420-66-0x0000000001280000-0x000000000130C000-memory.dmp

      Filesize

      560KB

    • memory/1712-74-0x0000000000CD0000-0x0000000000D5C000-memory.dmp

      Filesize

      560KB

    • memory/1952-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

      Filesize

      8KB

    • memory/1952-64-0x0000000074290000-0x000000007483B000-memory.dmp

      Filesize

      5.7MB

    • memory/1952-55-0x0000000074290000-0x000000007483B000-memory.dmp

      Filesize

      5.7MB