Analysis

  • max time kernel
    134s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-01-2023 23:53

General

  • Target

    OTP BOT CRACKED.exe

  • Size

    692KB

  • MD5

    57142dab96fabd2d6c9361ebf8a9b2b2

  • SHA1

    46d08ee2df6df25352ef2b310bff8e42e99e6166

  • SHA256

    3b2166067b82633f6773b3da714db496796054a315d6c870763e1a4641c6821c

  • SHA512

    215facd7e421647391055ac823d27d15f8d90e45e88002305c2028e2c29a4828fc05f69858d84c96dfa44cbb372a64a21d02c60c756941e48080925e7e8dd331

  • SSDEEP

    12288:FgHxLPNU1AoiCepLYI2UH92+JlAlB3GQrrCEvL6Dd6S7sQo:ilXoApNTH9eGQrrCE47s

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

FINAL

C2

192.253.245.243:7812

Mutex

VNM_MUTEX_qM9TbqrSltZ0u3P1Qz

Attributes
  • encryption_key

    KCyrElxCqTCYe4YGdIaR

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Windows Security Service

Signatures

  • Contains code to disable Windows Defender (6 IoCs)

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 4 IoCs)
  • Quasar RAT

    Quasar is an open-source Remote Access Tool.

  • Quasar payload (6 IoCs)
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

  • Executes dropped EXE (5 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Windows security modification (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\OTP BOT CRACKED.exe
    "C:\Users\Admin\AppData\Local\Temp\OTP BOT CRACKED.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Roaming\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:528
      • C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        PID:736
    • C:\Users\Admin\AppData\Roaming\Windows Security Service.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3000
      • C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:4592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaN97jRRb6o3.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:2116
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:1548
            • C:\Users\Admin\AppData\Roaming\Windows Security Service.exe
              "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3968

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security Service.exe.log

        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe.log

        Filesize

        1KB

        MD5

        7ebe314bf617dc3e48b995a6c352740c

        SHA1

        538f643b7b30f9231a3035c448607f767527a870

        SHA256

        48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

        SHA512

        0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        07705f6cd49f88e060a276d69d856dcb

        SHA1

        dc8f2950d855213167ec492e4d189e7cd6e3ce64

        SHA256

        d19601202f7a849f710e8936c1efb11d6c87d0202002f19591bcd24d91998798

        SHA512

        bd758aff392f4ab0ccf2de2363933455540d215b55f40e019b457c4b609c11f6925cf1b76c536b6f4d6b4afc9098f881a2c17f73b26bff110b56f703d26c88e6

      • C:\Users\Admin\AppData\Local\Temp\xaN97jRRb6o3.bat

        Filesize

        218B

        MD5

        aea6043af222be1bb9d146045e69c956

        SHA1

        160f0765550c15383199358413fa7b65e50349b6

        SHA256

        bfbfc578ec62af2b72321066259f2fc4838571355adff8c3c58cec9ab882e5aa

        SHA512

        c5210245ad4c2c5608dda8788411c467bf618954b424f9efd2f09113e255365e09e10c6644c52ef116af890fcca0a52ad7331915a1f6ed542d2af9a916de7a17

      • C:\Users\Admin\AppData\Roaming\Windows Security Service.exe

        Filesize

        534KB

        MD5

        cee83bcd736d132823307d0e64816eef

        SHA1

        814cf9852fd6a0c8daa5ce7f272e33a88382b901

        SHA256

        978d81b61bd4eabf7e0707b544f491f024a6d20411999f79c0da977456764c87

        SHA512

        c1744187b0c7d5a0eab75e72bf0b8b161b384fb0e94cb93b9f42a19ab4c00e80996bcc7a012a46c92ea83ad5b5e121022613de3949754535dd8e402cfff53e5a

      • C:\Users\Admin\AppData\Roaming\Windows Security Service\Windows Security.exe

        Filesize

        534KB

        MD5

        cee83bcd736d132823307d0e64816eef

        SHA1

        814cf9852fd6a0c8daa5ce7f272e33a88382b901

        SHA256

        978d81b61bd4eabf7e0707b544f491f024a6d20411999f79c0da977456764c87

        SHA512

        c1744187b0c7d5a0eab75e72bf0b8b161b384fb0e94cb93b9f42a19ab4c00e80996bcc7a012a46c92ea83ad5b5e121022613de3949754535dd8e402cfff53e5a

      • C:\Users\Admin\AppData\Roaming\Windows Security.exe

        Filesize

        10KB

        MD5

        b295df144910fea1f181c9beb9dd823e

        SHA1

        5c1522f3cd9192af98d04460458b8c85f1537397

        SHA256

        b2d9e6529dfbefd5e4de4eeab37788a3f1338bed40b27b4af85dc3db926cc349

        SHA512

        733e30514d5c3efce419443d7f9e2e6735f8e52d8a2839e85157e8a19537628bef0cd3c01f3a7ac8693343c8b1143ca2f3736ced4b7c323536de159206b7cbb8

      • C:\Users\Admin\AppData\Roaming\vlc\Windows Security.exe

        Filesize

        34.3MB

        MD5

        63b25176f0b6ab50617a3fc9d3d5783e

        SHA1

        3dac82c438a17768363a748672f55d06b9023dd1

        SHA256

        b693e946089b9943a0e3ed74840bd878989aa8b23cf2888f0de83e18b68ae931

        SHA512

        e5a1504f72b5841ff3fd6e5dac3648800cfd56de400c7f6172e979dfd183978637251c2bb1b54bee49bda5a6166ec2623e85f508ec9eb0c3245503f1f34c8de8
