Analysis
-
max time kernel
274s -
max time network
287s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
21-01-2023 16:54
General
-
Target
BitcoinFakeTransaction/BitcoinFakeTransaction.exe
-
Size
997KB
-
MD5
4fe10e794eb25820b63890cfa0abca42
-
SHA1
321ecd39644a864a47cc3d431be53c8035acf59f
-
SHA256
5cc80ef8d5cd9c1fffb5660dd739177ae9043cc13a022a8e8e2c696fa5fcf59e
-
SHA512
728e83d4782347f8959c528579e504ec38fb8c5c18ebacceb106c46d5462ed731a685be3db0450d0dc5eb08f3f9ead13d5080ce244408e3d371e760dd159d70e
-
SSDEEP
12288:1UTyp3ZXSXsy8p4pymXXOZ4z2im3eyOYZ/w4FGVIa9A30xT5uUPDP:1UTSo/Bpu4qim3nZ/wB9+wT5fP
Malware Config
Extracted
quasar
2.1.0.0
windows securityy
192.253.245.243:7812
VNM_MUTEX_Lwt9GYx0ZlES09069Z
-
encryption_key
AhFntNS40ejah7Nv2cWL
-
install_name
Window Security Health Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
window update
-
subdirectory
windows Service32
Signatures
-
Contains code to disable Windows Defender 8 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 8 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE 10 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BitcoinFakeTransaction\BitcoinFakeTransaction.exe"C:\Users\Admin\AppData\Local\Temp\BitcoinFakeTransaction\BitcoinFakeTransaction.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Mvjdejeez.exe"C:\Users\Admin\AppData\Local\Temp\Mvjdejeez.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Mvjdejeez.exe"C:\Users\Admin\AppData\Local\Temp\Mvjdejeez.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "window update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\windows Service32\Window Security Health Service.exe"C:\Users\Admin\AppData\Roaming\windows Service32\Window Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\windows Service32\Window Security Health Service.exe"C:\Users\Admin\AppData\Roaming\windows Service32\Window Security Health Service.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "window update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows Service32\Window Security Health Service.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*5⤵
- Deletes itself
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\d59EM6nNJaRx.bat" "4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"C:\Users\Admin\AppData\Local\Temp\Aimtxznnlqlhr.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
206KB
MD501af6f42da188981c1a00494199fdfbc
SHA13147729b4e4df80628e658ae173bb6b8c7fd4479
SHA2564b128169df80bba5f09ca7fb7aefdc03ccca3b7c4ef3f5af5af582af217f3b50
SHA512d73233fde28540b5203484e5303453322cdeaadfec1373745d3c6d9569d511387ddcb882f261f76825673ce5608d628432ea5066da384bac8d2c2e4a067222e0
-
Filesize
206KB
MD501af6f42da188981c1a00494199fdfbc
SHA13147729b4e4df80628e658ae173bb6b8c7fd4479
SHA2564b128169df80bba5f09ca7fb7aefdc03ccca3b7c4ef3f5af5af582af217f3b50
SHA512d73233fde28540b5203484e5303453322cdeaadfec1373745d3c6d9569d511387ddcb882f261f76825673ce5608d628432ea5066da384bac8d2c2e4a067222e0
-
Filesize
206KB
MD501af6f42da188981c1a00494199fdfbc
SHA13147729b4e4df80628e658ae173bb6b8c7fd4479
SHA2564b128169df80bba5f09ca7fb7aefdc03ccca3b7c4ef3f5af5af582af217f3b50
SHA512d73233fde28540b5203484e5303453322cdeaadfec1373745d3c6d9569d511387ddcb882f261f76825673ce5608d628432ea5066da384bac8d2c2e4a067222e0
-
Filesize
210B
MD55d7de00bbf1c5916eabcea0e8c062fad
SHA18cd6e10e019e099fb352bee547ea9b20f2568958
SHA256d7460522046f4c5c27777f26ef621f6faf392a790f0a86df5f9a159aacaa5d13
SHA51235203ea5896e7432db082d63bc6525f80a47ef698d969c24a170f559868af921d7e49bd74db6d4bc8d4922aaf5a936b9c79194a8edcd4d4f12dfc406c92b84bf
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
Filesize
206KB
MD501af6f42da188981c1a00494199fdfbc
SHA13147729b4e4df80628e658ae173bb6b8c7fd4479
SHA2564b128169df80bba5f09ca7fb7aefdc03ccca3b7c4ef3f5af5af582af217f3b50
SHA512d73233fde28540b5203484e5303453322cdeaadfec1373745d3c6d9569d511387ddcb882f261f76825673ce5608d628432ea5066da384bac8d2c2e4a067222e0
-
Filesize
665KB
MD5a9a1e7fecf84681f351d9d84c9a0b93d
SHA1b82971b2c422e29a3062d42d38151926a84b2d50
SHA2568172ce0605bb35ab5d7e2fab3f9dd3918e246e782797f9e7439527fd197623da
SHA512ad1c5efac370054da119f85d4aae453df26673fe4b28a8e0157166d233659ce5690270731ac482a8948b82c908dbf7dfde3d46cf3c547272567063379531a435
-
-
Filesize
688KB
-
-
-
-
-
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
-
Filesize
96KB
-
Filesize
232KB
-
Filesize
8KB
-
Filesize
40KB
-
-
-
Filesize
1024KB
-
Filesize
8KB
-
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
Filesize
688KB
-
-
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
-
Filesize
688KB