Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 22-03-2023 16:03
Behavioral task: behavioral1
- Sample: Vanta-Fn.exe
- Resource: win7-20230220-en
General
- Target: Vanta-Fn.exe
- Size: 3.1MB
- MD5: d41852e4e97ade129efe94cf773d10ff
- SHA1: f999477106a8ea6506905abe6effe054c8e3db3b
- SHA256: 996afa4a4194a60b56825e8589b8cd028cb593f6a619370c15ec04fa2659e500
- SHA512: 4862f158153d25647901195e6f294bdb1c13ad8ffcaebe000f702f5c1fa49e631b04830baa27e172acf58b1bacbbefb3f99bf6a5d44d90ec21e3b8d9a20ee8cf
- SSDEEP: 49152:iv4hBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaGRepECs+k/iLkoGdQTHHB72eh2NT:ivqt2d5aKCuVPzlEmVQ0wvwfGReNg
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: connorb839-25244.portmap.host:25244
- Mutex: f2898513-d005-492e-9b72-aa39b77b1a27
- encryption_key: 8CC861C5A1B05D3DCE95956911FE36B8D1042D36
- install_name: Epic web repair tool.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Epic web repair
- subdirectory: Epicwebservicesltd
Signatures
-
Quasar payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1744-54-0x0000000000E60000-0x0000000001184000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\Epicwebservicesltd\Epic web repair tool.exe | family_quasar
C:\Users\Admin\AppData\Roaming\Epicwebservicesltd\Epic web repair tool.exe | family_quasar
behavioral1/memory/584-61-0x0000000000810000-0x0000000000B34000-memory.dmp | family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
584 | Epic web repair tool.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1744 | Vanta-Fn.exe
Token: SeDebugPrivilege | 584 | Epic web repair tool.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
584 | Epic web repair tool.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
584 | Epic web repair tool.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
584 | Epic web repair tool.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1744 wrote to memory of 1368 | 1744 | Vanta-Fn.exe | schtasks.exe
PID 1744 wrote to memory of 1368 | 1744 | Vanta-Fn.exe | schtasks.exe
PID 1744 wrote to memory of 1368 | 1744 | Vanta-Fn.exe | schtasks.exe
PID 1744 wrote to memory of 584 | 1744 | Vanta-Fn.exe | Epic web repair tool.exe
PID 1744 wrote to memory of 584 | 1744 | Vanta-Fn.exe | Epic web repair tool.exe
PID 1744 wrote to memory of 584 | 1744 | Vanta-Fn.exe | Epic web repair tool.exe
PID 584 wrote to memory of 268 | 584 | Epic web repair tool.exe | schtasks.exe
PID 584 wrote to memory of 268 | 584 | Epic web repair tool.exe | schtasks.exe
PID 584 wrote to memory of 268 | 584 | Epic web repair tool.exe | schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\Vanta-Fn.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vanta-Fn.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (level 2)
    Command line: "schtasks" /create /tn "Epic web repair" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Epicwebservicesltd\Epic web repair tool.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\Epicwebservicesltd\Epic web repair tool.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Epicwebservicesltd\Epic web repair tool.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (level 3)
      Command line: "schtasks" /create /tn "Epic web repair" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Epicwebservicesltd\Epic web repair tool.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Epicwebservicesltd\Epic web repair tool.exe
Filesize: 3.1MB
MD5: d41852e4e97ade129efe94cf773d10ff
SHA1: f999477106a8ea6506905abe6effe054c8e3db3b
SHA256: 996afa4a4194a60b56825e8589b8cd028cb593f6a619370c15ec04fa2659e500
SHA512: 4862f158153d25647901195e6f294bdb1c13ad8ffcaebe000f702f5c1fa49e631b04830baa27e172acf58b1bacbbefb3f99bf6a5d44d90ec21e3b8d9a20ee8cf
-
memory/584-61-0x0000000000810000-0x0000000000B34000-memory.dmp
Filesize: 3.1MB
-
memory/584-62-0x000000001B1F0000-0x000000001B270000-memory.dmp
Filesize: 512KB
-
memory/584-63-0x000000001B1F0000-0x000000001B270000-memory.dmp
Filesize: 512KB
-
memory/1744-54-0x0000000000E60000-0x0000000001184000-memory.dmp
Filesize: 3.1MB
-
memory/1744-55-0x000000001B340000-0x000000001B3C0000-memory.dmp
Filesize: 512KB