Analysis

max time kernel: 134s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2023 23:53

Static task: static1
Behavioral task: behavioral1
Sample: OTP BOT CRACKED.exe
Resource: win7-20220812-en
General

Target: OTP BOT CRACKED.exe
Size: 692KB
MD5: 57142dab96fabd2d6c9361ebf8a9b2b2
SHA1: 46d08ee2df6df25352ef2b310bff8e42e99e6166
SHA256: 3b2166067b82633f6773b3da714db496796054a315d6c870763e1a4641c6821c
SHA512: 215facd7e421647391055ac823d27d15f8d90e45e88002305c2028e2c29a4828fc05f69858d84c96dfa44cbb372a64a21d02c60c756941e48080925e7e8dd331
SSDEEP: 12288:FgHxLPNU1AoiCepLYI2UH92+JlAlB3GQrrCEvL6Dd6S7sQo:ilXoApNTH9eGQrrCE47s
Malware Config

Extracted
Family: quasar
Version: 2.1.0.0
Botnet: FINAL
C2: 192.253.245.243:7812
Mutex: VNM_MUTEX_qM9TbqrSltZ0u3P1Qz
encryption_key: KCyrElxCqTCYe4YGdIaR
install_name: Windows Security.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Update
subdirectory: Windows Security Service
Signatures

Contains code to disable Windows Defender (6 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource | yara_rule
behavioral2/files/0x0002000000021b43-137.dat | disable_win_def
behavioral2/files/0x0002000000021b43-138.dat | disable_win_def
behavioral2/memory/408-141-0x0000000000D80000-0x0000000000E0C000-memory.dmp | disable_win_def
behavioral2/files/0x0007000000022e17-150.dat | disable_win_def
behavioral2/files/0x0007000000022e17-151.dat | disable_win_def
behavioral2/files/0x0002000000021b43-176.dat | disable_win_def

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | Windows Security Service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Windows Security Service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Windows Security Service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Windows Security Service.exe
Quasar payload (6 IoCs)

resource | yara_rule
behavioral2/files/0x0002000000021b43-137.dat | family_quasar
behavioral2/files/0x0002000000021b43-138.dat | family_quasar
behavioral2/memory/408-141-0x0000000000D80000-0x0000000000E0C000-memory.dmp | family_quasar
behavioral2/files/0x0007000000022e17-150.dat | family_quasar
behavioral2/files/0x0007000000022e17-151.dat | family_quasar
behavioral2/files/0x0002000000021b43-176.dat | family_quasar
Executes dropped EXE (5 IoCs)

pid | Process
3576 | Windows Security.exe
408 | Windows Security Service.exe
5004 | Windows Security.exe
3968 | Windows Security Service.exe
736 | Windows Security.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Windows Security.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | OTP BOT CRACKED.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Windows Security Service.exe

Windows security modification

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | Windows Security Service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Windows Security Service.exe
Adds Run key to start application (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chome_exe = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\Windows Security.exe" | powershell.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
17 | ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
3000 | schtasks.exe
1544 | schtasks.exe
Runs ping.exe (1 TTPs, 1 IoCs)

pid | Process
1548 | PING.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

pid | Process
3576 | Windows Security.exe
736 | Windows Security.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)

pid | Process | occurrences
2232 | powershell.exe | 2
408 | Windows Security Service.exe | 7
3968 | Windows Security Service.exe | 1
528 | powershell.exe | 2
Suspicious use of AdjustPrivilegeToken (6 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 408 | Windows Security Service.exe
Token: SeDebugPrivilege | 2232 | powershell.exe
Token: SeDebugPrivilege | 5004 | Windows Security.exe
Token: SeDebugPrivilege | 5004 | Windows Security.exe
Token: SeDebugPrivilege | 3968 | Windows Security Service.exe
Token: SeDebugPrivilege | 528 | powershell.exe
Suspicious use of SetWindowsHookEx (1 IoCs)

pid | Process
5004 | Windows Security.exe
Suspicious use of WriteProcessMemory (42 IoCs; each row below was recorded 3 times)

description | pid | Process | procid_target
PID 4216 wrote to memory of 3576 | 4216 | OTP BOT CRACKED.exe | 80
PID 4216 wrote to memory of 408 | 4216 | OTP BOT CRACKED.exe | 81
PID 408 wrote to memory of 3000 | 408 | Windows Security Service.exe | 82
PID 408 wrote to memory of 5004 | 408 | Windows Security Service.exe | 84
PID 408 wrote to memory of 2232 | 408 | Windows Security Service.exe | 85
PID 5004 wrote to memory of 1544 | 5004 | Windows Security.exe | 87
PID 408 wrote to memory of 1108 | 408 | Windows Security Service.exe | 92
PID 1108 wrote to memory of 4592 | 1108 | cmd.exe | 94
PID 408 wrote to memory of 2724 | 408 | Windows Security Service.exe | 95
PID 2724 wrote to memory of 2116 | 2724 | cmd.exe | 97
PID 2724 wrote to memory of 1548 | 2724 | cmd.exe | 98
PID 2724 wrote to memory of 3968 | 2724 | cmd.exe | 102
PID 3576 wrote to memory of 528 | 3576 | Windows Security.exe | 104
PID 3576 wrote to memory of 736 | 3576 | Windows Security.exe | 106
Processes

Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\OTP BOT CRACKED.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\OTP BOT CRACKED.exe"
PID: 4216
- Checks computer location settings
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Windows Security.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
    PID: 3576
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"' -PropertyType 'String'
        PID: 528
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe
        Command line: "C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"
        PID: 736
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener

    C:\Users\Admin\AppData\Roaming\Windows Security Service.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
    PID: 408
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Checks computer location settings
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe" /rl HIGHEST /f
        PID: 3000
        - Creates scheduled task(s)

        C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe"
        PID: 5004
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe" /rl HIGHEST /f
            PID: 1544
            - Creates scheduled task(s)

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" Get-MpPreference -verbose
        PID: 2232
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        PID: 1108
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            PID: 4592

        C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaN97jRRb6o3.bat" "
        PID: 2724
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com
            Command line: chcp 65001
            PID: 2116

            C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 10 localhost
            PID: 1548
            - Runs ping.exe

            C:\Users\Admin\AppData\Roaming\Windows Security Service.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
            PID: 3968
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 10eab9c2684febb5327b6976f2047587
SHA1: a12ed54146a7f5c4c580416aecb899549712449e
SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Filesize: 1KB
MD5: 7ebe314bf617dc3e48b995a6c352740c
SHA1: 538f643b7b30f9231a3035c448607f767527a870
SHA256: 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA512: 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 18KB
MD5: 07705f6cd49f88e060a276d69d856dcb
SHA1: dc8f2950d855213167ec492e4d189e7cd6e3ce64
SHA256: d19601202f7a849f710e8936c1efb11d6c87d0202002f19591bcd24d91998798
SHA512: bd758aff392f4ab0ccf2de2363933455540d215b55f40e019b457c4b609c11f6925cf1b76c536b6f4d6b4afc9098f881a2c17f73b26bff110b56f703d26c88e6

Filesize: 218B
MD5: aea6043af222be1bb9d146045e69c956
SHA1: 160f0765550c15383199358413fa7b65e50349b6
SHA256: bfbfc578ec62af2b72321066259f2fc4838571355adff8c3c58cec9ab882e5aa
SHA512: c5210245ad4c2c5608dda8788411c467bf618954b424f9efd2f09113e255365e09e10c6644c52ef116af890fcca0a52ad7331915a1f6ed542d2af9a916de7a17

Filesize: 534KB (5 identical entries)
MD5: cee83bcd736d132823307d0e64816eef
SHA1: 814cf9852fd6a0c8daa5ce7f272e33a88382b901
SHA256: 978d81b61bd4eabf7e0707b544f491f024a6d20411999f79c0da977456764c87
SHA512: c1744187b0c7d5a0eab75e72bf0b8b161b384fb0e94cb93b9f42a19ab4c00e80996bcc7a012a46c92ea83ad5b5e121022613de3949754535dd8e402cfff53e5a

Filesize: 10KB (2 identical entries)
MD5: b295df144910fea1f181c9beb9dd823e
SHA1: 5c1522f3cd9192af98d04460458b8c85f1537397
SHA256: b2d9e6529dfbefd5e4de4eeab37788a3f1338bed40b27b4af85dc3db926cc349
SHA512: 733e30514d5c3efce419443d7f9e2e6735f8e52d8a2839e85157e8a19537628bef0cd3c01f3a7ac8693343c8b1143ca2f3736ced4b7c323536de159206b7cbb8

Filesize: 34.3MB (2 identical entries)
MD5: 63b25176f0b6ab50617a3fc9d3d5783e
SHA1: 3dac82c438a17768363a748672f55d06b9023dd1
SHA256: b693e946089b9943a0e3ed74840bd878989aa8b23cf2888f0de83e18b68ae931
SHA512: e5a1504f72b5841ff3fd6e5dac3648800cfd56de400c7f6172e979dfd183978637251c2bb1b54bee49bda5a6166ec2623e85f508ec9eb0c3245503f1f34c8de8