Overview

overview

10

Static

static

7cbcebf57f...7d.exe

windows7-x64

10

7cbcebf57f...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    20s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7cbcebf57f666bc42f8e6b3bba459cf968d19690e7d983e943b77fb97acb487d.exe

  • Size

    1.0MB

  • MD5

    1def40ae6fbb8b8f438b7370a6f4ab2d

  • SHA1

    0f59d0792f223b54901e109f5ae98a3ec4acc049

  • SHA256

    7cbcebf57f666bc42f8e6b3bba459cf968d19690e7d983e943b77fb97acb487d

  • SHA512

    f3554bf9d7ba8bd1fbe137c4da19b99a2f486456b3e61e909b3b13af724244d9fe0cf421678d247ceb3934d1c928d203847a4e487f3fcf797cdc45a86ffd599d

  • SSDEEP

    24576:+cvkTLn+3Z3dwNTY8wKxHCtAxlSPU5JpoLww2A716yGGMaYnHfGZgj9h1i:ZvkTD+3Z3ypYNKBIAzSPwD8EQ/q/qgI

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

rat94522.ddnsking.com:4000
Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    WIwQFd2V7FhUXFH7QX71

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7cbcebf57f666bc42f8e6b3bba459cf968d19690e7d983e943b77fb97acb487d.exe
    "C:\Users\Admin\AppData\Local\Temp\7cbcebf57f666bc42f8e6b3bba459cf968d19690e7d983e943b77fb97acb487d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C950.tmp\C951.tmp\C952.bat C:\Users\Admin\AppData\Local\Temp\7cbcebf57f666bc42f8e6b3bba459cf968d19690e7d983e943b77fb97acb487d.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Windows\system32\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:5048
      • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
        Crypted.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Users\Admin\AppData\Local\Temp\file1.exe
          C:\Users\Admin\AppData\Local\Temp\\file1.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Checks computer location settings
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1844
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5056
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O8j1oGiR7QL9.bat" "
              6⤵
                PID:4128
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 2236
                6⤵
                • Program crash
                PID:2704
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell" Get-MpPreference -verbose
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1396
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1988
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
                6⤵
                  PID:1820
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NdVis7bJuWdq.bat" "
                5⤵
                  PID:4704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5056 -ip 5056
          1⤵
            PID:1664

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Disabling Security Tools

          2
          T1089

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\C950.tmp\C951.tmp\C952.bat
            Filesize

            72B

            MD5

            532fe973c7846cd45dd713eab9ccf5a2

            SHA1

            5c7ffe8a5f2ae88c6edc261e96dcdabbf9c357c6

            SHA256

            704862a14c3b03e464cde36c6dfff69bd6f835638a57ddcda697ccae2eaf620e

            SHA512

            fe3d666e611ab797fee9df860bf1719775d90e32d94b3b7d658c82e7e973790e360fb4294c76c169c4d26603b59347d9387bf0a16e143e69e9a34b7cfd6dfd27

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
            Filesize

            1.3MB

            MD5

            83a4b7e779273cdd46484d8729de3f60

            SHA1

            379d4fbc70f9c60be123df0625c91d33cdf96b03

            SHA256

            6db7af352ce10f844fb03b03a7caa443bde6bff14bdfc2fc2ee14b67b5700217

            SHA512

            8c0488edd77155c12aaa6529c7eadcd2e9894edb3c50430208e7f8f9bc68c834831c8be14e3a97942d81db8a78347b02bfb99f04a076fdeebb3d943e2e590d71

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
            Filesize

            1.3MB

            MD5

            83a4b7e779273cdd46484d8729de3f60

            SHA1

            379d4fbc70f9c60be123df0625c91d33cdf96b03

            SHA256

            6db7af352ce10f844fb03b03a7caa443bde6bff14bdfc2fc2ee14b67b5700217

            SHA512

            8c0488edd77155c12aaa6529c7eadcd2e9894edb3c50430208e7f8f9bc68c834831c8be14e3a97942d81db8a78347b02bfb99f04a076fdeebb3d943e2e590d71

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\NdVis7bJuWdq.bat
            Filesize

            202B

            MD5

            1beba150f8280009f3bb3befaa7f155c

            SHA1

            38c5df1e9468322f7c61e9af8d86b62d12bbe0df

            SHA256

            f0a8d9f0f615531032e899e7789d52a1531e1cbba7cef885bc0f34a13afc8b8a

            SHA512

            e9561a88ec4d56c7f393f62d52cf797751ef256add76d63a86805d706472617aa84643d172db8fad49b54c14012b6c6ac1e0b45fb90a8e7671c0710afc665d74

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\O8j1oGiR7QL9.bat
            Filesize

            207B

            MD5

            e267935396186cba2bb9679b3bfcf307

            SHA1

            391f3b284b27096ce1fe72685ae202828caadc29

            SHA256

            a85207337846608806a575d81590492d389945a0c0e8ce9d80e881257d536a61

            SHA512

            6fd886ed3974bb066e7314cfe146e86f6c9244390265224850c71adb8ff255d734736ec07f862757f7bd4a600f1e943e590f730404cf2c93afc578a920915c8d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\file1.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\file1.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\version.html
            Filesize

            19B

            MD5

            6d2eb7ff01d1c70656ab0f3869fac94f

            SHA1

            04fe25b56e129532d8fabe557901e39f2977306b

            SHA256

            e8541e5141dfc37099209e4fbdb3c527ba4c8bd81b10fa111a66d2d1bc81c2e2

            SHA512

            1b9fa8b039acd2c84ecd2088470b02857e9b1810f3f55d258f0152513fb33dfdc6758e46fe6ed3e9cabad62015d537d6f7acbf06ee35089e75d3aaff4127e555

            Download Submit
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • memory/1156-142-0x0000000004CB0000-0x0000000004CBA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/1156-139-0x0000000004CD0000-0x0000000004D6C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/1156-143-0x0000000004E90000-0x0000000004EE6000-memory.dmp
            Filesize

            344KB

            Download
          • memory/1156-141-0x0000000004D70000-0x0000000004E02000-memory.dmp
            Filesize

            584KB

            Download
          • memory/1156-140-0x00000000053E0000-0x0000000005984000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/1156-135-0x0000000000000000-mapping.dmp
            Download
          • memory/1156-138-0x0000000000400000-0x000000000045E000-memory.dmp
            Filesize

            376KB

            Download
          • memory/1396-167-0x0000000007D70000-0x0000000007E06000-memory.dmp
            Filesize

            600KB

            Download
          • memory/1396-162-0x00000000704C0000-0x000000007050C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/1396-170-0x0000000007E10000-0x0000000007E18000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1396-155-0x0000000000000000-mapping.dmp
            Download
          • memory/1396-169-0x0000000007E30000-0x0000000007E4A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/1396-168-0x0000000007D20000-0x0000000007D2E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1396-166-0x0000000007B60000-0x0000000007B6A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/1396-156-0x0000000005210000-0x0000000005246000-memory.dmp
            Filesize

            216KB

            Download
          • memory/1396-157-0x00000000059B0000-0x0000000005FD8000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/1396-158-0x0000000005940000-0x0000000005962000-memory.dmp
            Filesize

            136KB

            Download
          • memory/1396-159-0x0000000006110000-0x0000000006176000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1396-160-0x00000000067D0000-0x00000000067EE000-memory.dmp
            Filesize

            120KB

            Download
          • memory/1396-161-0x0000000007980000-0x00000000079B2000-memory.dmp
            Filesize

            200KB

            Download
          • memory/1396-165-0x0000000007AE0000-0x0000000007AFA000-memory.dmp
            Filesize

            104KB

            Download
          • memory/1396-163-0x0000000006D90000-0x0000000006DAE000-memory.dmp
            Filesize

            120KB

            Download
          • memory/1396-164-0x0000000008120000-0x000000000879A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/1820-173-0x0000000000000000-mapping.dmp
            Download
          • memory/1844-150-0x00000000069E0000-0x00000000069F2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/1844-148-0x0000000000FA0000-0x000000000102C000-memory.dmp
            Filesize

            560KB

            Download
          • memory/1844-149-0x0000000005900000-0x0000000005966000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1844-151-0x0000000006E00000-0x0000000006E3C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/1844-145-0x0000000000000000-mapping.dmp
            Download
          • memory/1988-171-0x0000000000000000-mapping.dmp
            Download
          • memory/3784-132-0x0000000000000000-mapping.dmp
            Download
          • memory/4128-176-0x0000000000000000-mapping.dmp
            Download
          • memory/4704-172-0x0000000000000000-mapping.dmp
            Download
          • memory/5048-134-0x0000000000000000-mapping.dmp
            Download
          • memory/5056-152-0x0000000000000000-mapping.dmp
            Download