Overview

overview

10

Static

static

d5f6dbe3d6...7e.exe

windows7-x64

10

d5f6dbe3d6...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5f6dbe3d6f5644a77d7a3971d9dd17caec494ced43ffc535473b285b0f1507e.exe

  • Size

    1.0MB

  • MD5

    d7ddd317f0382a2200832312449a20cd

  • SHA1

    bd3710cff6322c6a372db549b637c32e383f05cc

  • SHA256

    d5f6dbe3d6f5644a77d7a3971d9dd17caec494ced43ffc535473b285b0f1507e

  • SHA512

    c3936a1943575b0bb9dfdf8fef0d9705fc08c275260ce8199b7ff13213b72173565e7c1a4dfd47bd4a5a592ce10749ff1dafe73ba0053c9bd8f7a8cee495407d

  • SSDEEP

    24576:WcvkT1s+3Z3aGWqKg0Ogj1OLHd+JwbMFdt6ATCRcaahwKHGaTKBupdl:hvkTq+3Z3ZWGsSHd+J+MFTsRcXnHGmKm

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

rat94522.ddnsking.com:4000
Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    WIwQFd2V7FhUXFH7QX71

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5f6dbe3d6f5644a77d7a3971d9dd17caec494ced43ffc535473b285b0f1507e.exe
    "C:\Users\Admin\AppData\Local\Temp\d5f6dbe3d6f5644a77d7a3971d9dd17caec494ced43ffc535473b285b0f1507e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8264.tmp\8265.tmp\8266.bat C:\Users\Admin\AppData\Local\Temp\d5f6dbe3d6f5644a77d7a3971d9dd17caec494ced43ffc535473b285b0f1507e.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\system32\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:2420
      • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
        Crypted.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Users\Admin\AppData\Local\Temp\file1.exe
          C:\Users\Admin\AppData\Local\Temp\\file1.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4156
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DjdyMgjbg41Z.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3108
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                  PID:3840
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • Runs ping.exe
                  PID:4564
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1968
                6⤵
                • Program crash
                PID:3196
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell" Get-MpPreference -verbose
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4040 -ip 4040
      1⤵
        PID:4488

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\8264.tmp\8265.tmp\8266.bat
        Filesize

        72B

        MD5

        532fe973c7846cd45dd713eab9ccf5a2

        SHA1

        5c7ffe8a5f2ae88c6edc261e96dcdabbf9c357c6

        SHA256

        704862a14c3b03e464cde36c6dfff69bd6f835638a57ddcda697ccae2eaf620e

        SHA512

        fe3d666e611ab797fee9df860bf1719775d90e32d94b3b7d658c82e7e973790e360fb4294c76c169c4d26603b59347d9387bf0a16e143e69e9a34b7cfd6dfd27

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
        Filesize

        1.3MB

        MD5

        bba9951ac1b09e948d1241d17ce26089

        SHA1

        9024729607388d44dff5c71892455d19a30dde49

        SHA256

        1d6a15c938c9fd1e0444ccf1d51b3de52ce59413b09d0c9fec77fb9b955a661d

        SHA512

        43c286f777832c3ce87d77393bc2a3f278cf9c788ccdae1b8794e583fd7360cad7bd1a720c3901af7ea953f8806cd6f59543850903719aea30cd711c8d55e492

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
        Filesize

        1.3MB

        MD5

        bba9951ac1b09e948d1241d17ce26089

        SHA1

        9024729607388d44dff5c71892455d19a30dde49

        SHA256

        1d6a15c938c9fd1e0444ccf1d51b3de52ce59413b09d0c9fec77fb9b955a661d

        SHA512

        43c286f777832c3ce87d77393bc2a3f278cf9c788ccdae1b8794e583fd7360cad7bd1a720c3901af7ea953f8806cd6f59543850903719aea30cd711c8d55e492

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DjdyMgjbg41Z.bat
        Filesize

        207B

        MD5

        9840d14d6005d5c59b4818f2949be16d

        SHA1

        a1c46d798e47fe8df828904fda8a9448fec421a4

        SHA256

        ce49018a180bcf96162d3f690ab18cc066fe70112f9b84358275b135388d0587

        SHA512

        ba4c6d341e06041e75ddae5384176eba0321ee041c1c964bdc0ecbb122b08edce2b0c5b3933f6056428f96f9c51e3aef44ba95493fa06a6ac94394240781c3bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\file1.exe
        Filesize

        534KB

        MD5

        c3e9d09f741548288dae2d21cdd8d05a

        SHA1

        79245cec78e2793ba75cbadc88b30aebd13cf9d9

        SHA256

        0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

        SHA512

        cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\file1.exe
        Filesize

        534KB

        MD5

        c3e9d09f741548288dae2d21cdd8d05a

        SHA1

        79245cec78e2793ba75cbadc88b30aebd13cf9d9

        SHA256

        0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

        SHA512

        cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\version.html
        Filesize

        19B

        MD5

        0aced8c91d43523ad097145bfbe021a1

        SHA1

        9d391623826590b6fa22b4257fcb5d760009faec

        SHA256

        03f309831b047eaace14ccb7d2ba00bf6279a2dbb0794f81f8d80c9df48ccbeb

        SHA512

        e06d01a8e19a1ac6e9e92967329ec8722af0d9f38d04585b87da905a473fe785aa4bb509416b39afa63b3d4ef35148f05a07dd5fb382b01e4a586e1a581a46a1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        534KB

        MD5

        c3e9d09f741548288dae2d21cdd8d05a

        SHA1

        79245cec78e2793ba75cbadc88b30aebd13cf9d9

        SHA256

        0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

        SHA512

        cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        534KB

        MD5

        c3e9d09f741548288dae2d21cdd8d05a

        SHA1

        79245cec78e2793ba75cbadc88b30aebd13cf9d9

        SHA256

        0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

        SHA512

        cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

        Download Submit

      • memory/664-139-0x0000000005540000-0x00000000055DC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/664-140-0x0000000005BD0000-0x0000000006174000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/664-141-0x00000000056C0000-0x0000000005752000-memory.dmp

        Filesize

        584KB

        Download

      • memory/664-142-0x0000000005630000-0x000000000563A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/664-143-0x0000000005760000-0x00000000057B6000-memory.dmp

        Filesize

        344KB

        Download

      • memory/664-138-0x0000000000B90000-0x0000000000BEE000-memory.dmp

        Filesize

        376KB

        Download

      • memory/664-135-0x0000000000000000-mapping.dmp

        Download

      • memory/1556-162-0x0000000070C00000-0x0000000070C4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1556-161-0x0000000006AB0000-0x0000000006AE2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1556-174-0x0000000007B10000-0x0000000007B18000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1556-173-0x0000000007B30000-0x0000000007B4A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1556-172-0x0000000007A20000-0x0000000007A2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1556-167-0x0000000007A70000-0x0000000007B06000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1556-166-0x0000000007860000-0x000000000786A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1556-155-0x0000000000000000-mapping.dmp

        Download

      • memory/1556-156-0x0000000004F30000-0x0000000004F66000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1556-157-0x00000000055A0000-0x0000000005BC8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1556-158-0x0000000005510000-0x0000000005532000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1556-159-0x0000000005D80000-0x0000000005DE6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1556-160-0x00000000064E0000-0x00000000064FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1556-165-0x0000000006910000-0x000000000692A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1556-164-0x0000000007E30000-0x00000000084AA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1556-163-0x0000000006A80000-0x0000000006A9E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2100-132-0x0000000000000000-mapping.dmp

        Download

      • memory/2420-134-0x0000000000000000-mapping.dmp

        Download

      • memory/3108-168-0x0000000000000000-mapping.dmp

        Download

      • memory/3840-170-0x0000000000000000-mapping.dmp

        Download

      • memory/4040-152-0x0000000000000000-mapping.dmp

        Download

      • memory/4156-149-0x0000000004B40000-0x0000000004BA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4156-145-0x0000000000000000-mapping.dmp

        Download

      • memory/4156-148-0x00000000001F0000-0x000000000027C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/4156-151-0x0000000005F40000-0x0000000005F7C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4156-150-0x0000000005B10000-0x0000000005B22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4564-171-0x0000000000000000-mapping.dmp

        Download