Overview

overview

10

Static

static

329b98802d...03.exe

windows7-x64

10

329b98802d...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe

  • Size

    1.0MB

  • MD5

    fc6cd521af42d5423b8ce0e53ae67703

  • SHA1

    49a14b2ba77028b1dfb8167bdafdd2908c40f861

  • SHA256

    329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903

  • SHA512

    0de482d1f6ae53197da70045f84f2071e3a17b9cc90a4e3b7c68c1210590fe5f6eb4ec86d1c233e4c0c4662fb639c861bed0c869509ddf9cf53b9b3b4b841bab

  • SSDEEP

    24576:ucvkTM6qPOgKbORmiNbbAb21NUJ2k+U1kYC80Oy2dj08:pvkT9Q+4miNG217k9Z5x

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

rat94522.ddnsking.com:4000
Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    WIwQFd2V7FhUXFH7QX71

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe
    "C:\Users\Admin\AppData\Local\Temp\329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe"
    1⤵
    • Quasar RAT
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6FE5.tmp\6FE6.tmp\6FE7.bat C:\Users\Admin\AppData\Local\Temp\329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Windows\system32\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:3028
      • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
        Crypted.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4216
        • C:\Users\Admin\AppData\Local\Temp\file1.exe
          C:\Users\Admin\AppData\Local\Temp\\file1.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Checks computer location settings
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1984
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4600
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VnBY34b18Da0.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4396
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                  PID:4392
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • Runs ping.exe
                  PID:4940
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1772
                6⤵
                • Program crash
                PID:1296
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell" Get-MpPreference -verbose
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4496
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1088
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
                6⤵
                  PID:4676
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 2092
                5⤵
                • Program crash
                PID:1356
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1984 -ip 1984
        1⤵
          PID:4612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4600 -ip 4600
          1⤵
            PID:3628

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Disabling Security Tools

          2
          T1089

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\6FE5.tmp\6FE6.tmp\6FE7.bat
            Filesize

            72B

            MD5

            532fe973c7846cd45dd713eab9ccf5a2

            SHA1

            5c7ffe8a5f2ae88c6edc261e96dcdabbf9c357c6

            SHA256

            704862a14c3b03e464cde36c6dfff69bd6f835638a57ddcda697ccae2eaf620e

            SHA512

            fe3d666e611ab797fee9df860bf1719775d90e32d94b3b7d658c82e7e973790e360fb4294c76c169c4d26603b59347d9387bf0a16e143e69e9a34b7cfd6dfd27

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
            Filesize

            1.3MB

            MD5

            3f68906bde81e068affd2fde48438c09

            SHA1

            5a885c286a8fab03b7e473dff4b79c4da94bd6f3

            SHA256

            b476a1cc9ca8b3191d5058ec792ec598159bef8d344d3d3e16361ef8cf20da50

            SHA512

            73cf19f408f7a32948f0254fa3a4ef917a23a50c35a4b729181d76bbf4d2465b4d514ae52b30422e26d9804620847e17de50bdb2f541d36c0d6e612cf535f130

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
            Filesize

            1.3MB

            MD5

            3f68906bde81e068affd2fde48438c09

            SHA1

            5a885c286a8fab03b7e473dff4b79c4da94bd6f3

            SHA256

            b476a1cc9ca8b3191d5058ec792ec598159bef8d344d3d3e16361ef8cf20da50

            SHA512

            73cf19f408f7a32948f0254fa3a4ef917a23a50c35a4b729181d76bbf4d2465b4d514ae52b30422e26d9804620847e17de50bdb2f541d36c0d6e612cf535f130

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\LwbsULngAeXo.bat
            Filesize

            202B

            MD5

            67d692409bb7caf86445af4e220a754d

            SHA1

            9f6f9cadc1602e433fe09e9ac2ec92f11ec6b9e3

            SHA256

            eb782e06a22bcc04451c61769e23dfa6d5d70f57581649431a7e4c3e7c8e8502

            SHA512

            20a6b8be1e71211cf21a7af7e27ddd6a6d2ad30391b2ed1042da4d95c0ddfbfb72a60d668d7081a801eb55c52103cf8a332b39bc8b7d500358094e0f748078fb

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\VnBY34b18Da0.bat
            Filesize

            207B

            MD5

            885bbd48535252c30bea9d56f2c8fb0f

            SHA1

            0dddc12532da1279ca6b5fb5e73dd071de619e77

            SHA256

            8ae6fa29538680083453f94f83e80a22bfad9de80d0f3d3bd0f5a4372e8665eb

            SHA512

            8c02b21a1f122849760f23851109362bb77257c0b2a0b189dd3e422d0a7f59d0f670019cbba62329a5782f8ebdecec2fa7a8d4965c61aeb6b88f33a7abd1554d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\file1.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\file1.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\version.html
            Filesize

            7B

            MD5

            c3e5db9ee69e08ea7c1d3606e792f395

            SHA1

            fef456f1a4a7bfdbb8c8fc5d4dbe784953640889

            SHA256

            2fb033ae057446c19dbab9b9f9b54351f7d0f28f975d22560124eae402ac21f8

            SHA512

            ede02f77273374298455f437455cbb15f1b71cd15a0345647693bb5cf0fe46b670fc862105e91362a755d51243205011e5463cdd95cddec6996d9c8b92b5337c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            Filesize

            534KB

            MD5

            c3e9d09f741548288dae2d21cdd8d05a

            SHA1

            79245cec78e2793ba75cbadc88b30aebd13cf9d9

            SHA256

            0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

            SHA512

            cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

            Download Submit
          • memory/1088-171-0x0000000000000000-mapping.dmp
            Download
          • memory/1984-151-0x00000000060D0000-0x000000000610C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/1984-150-0x0000000005CA0000-0x0000000005CB2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/1984-145-0x0000000000000000-mapping.dmp
            Download
          • memory/1984-148-0x0000000000380000-0x000000000040C000-memory.dmp
            Filesize

            560KB

            Download
          • memory/1984-149-0x0000000005050000-0x00000000050B6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3028-134-0x0000000000000000-mapping.dmp
            Download
          • memory/3776-132-0x0000000000000000-mapping.dmp
            Download
          • memory/4216-143-0x0000000005690000-0x00000000056E6000-memory.dmp
            Filesize

            344KB

            Download
          • memory/4216-142-0x00000000053A0000-0x00000000053AA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4216-141-0x0000000005460000-0x00000000054F2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4216-140-0x0000000005A10000-0x0000000005FB4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/4216-135-0x0000000000000000-mapping.dmp
            Download
          • memory/4216-138-0x00000000009A0000-0x00000000009FE000-memory.dmp
            Filesize

            376KB

            Download
          • memory/4216-139-0x00000000053C0000-0x000000000545C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/4392-176-0x0000000000000000-mapping.dmp
            Download
          • memory/4396-174-0x0000000000000000-mapping.dmp
            Download
          • memory/4496-163-0x0000000006520000-0x000000000653E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/4496-168-0x0000000007590000-0x000000000759E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/4496-161-0x0000000006540000-0x0000000006572000-memory.dmp
            Filesize

            200KB

            Download
          • memory/4496-162-0x00000000701C0000-0x000000007020C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/4496-159-0x0000000005120000-0x0000000005186000-memory.dmp
            Filesize

            408KB

            Download
          • memory/4496-164-0x00000000079B0000-0x000000000802A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/4496-165-0x0000000007350000-0x000000000736A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/4496-166-0x00000000073E0000-0x00000000073EA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4496-167-0x00000000075E0000-0x0000000007676000-memory.dmp
            Filesize

            600KB

            Download
          • memory/4496-160-0x0000000005F40000-0x0000000005F5E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/4496-169-0x00000000076A0000-0x00000000076BA000-memory.dmp
            Filesize

            104KB

            Download
          • memory/4496-170-0x0000000007680000-0x0000000007688000-memory.dmp
            Filesize

            32KB

            Download
          • memory/4496-158-0x0000000005080000-0x00000000050A2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/4496-155-0x0000000000000000-mapping.dmp
            Download
          • memory/4496-157-0x0000000005320000-0x0000000005948000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/4496-156-0x0000000002770000-0x00000000027A6000-memory.dmp
            Filesize

            216KB

            Download
          • memory/4600-152-0x0000000000000000-mapping.dmp
            Download
          • memory/4676-172-0x0000000000000000-mapping.dmp
            Download
          • memory/4940-177-0x0000000000000000-mapping.dmp
            Download