Analysis
-
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2023 01:32
Behavioral task: behavioral1
Sample: d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe
Resource: win10v2004-20230220-en
General
-
Target: d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe
Size: 1.0MB
MD5: 7a98ca652a682ae96bc3f9ac6d554d82
SHA1: dbb6b1d490b64e9b1260d0ad55cd2fe1d776586f
SHA256: d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16
SHA512: 6fd10b572f7c39fc2b33d57957f1c36102da158a22a5b4d855736dd5ed92a3ba5d945662d11ad2b69f845f16c48a9875258fa2cdc80089cd5863c7980d21ce9f
SSDEEP: 24576:t+ynkc1ZzBvtrZHFjMKY2naU8elKA9eaZYZg+ryTh:4ynkc1ZzBvtrZHFjMKY2nb8elKAgaZXN
Malware Config
Extracted
family: quasar
version: 2.7.0.0
Venom Client
c2: markphoto.casacam.net:5000
JlYM51eW4iZoFyLa2X
encryption_key: BL7lZzIkUckEp2RCh8Q6
install_name: Venom.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
Note: install_name and startup_key are the file name and task/registry value name that the Signatures and Processes sections below record being written, so the extracted config and the observed behaviour agree. The Venom naming together with a 2.7.0.0 version string marks this as a Venom-branded Quasar build rather than upstream Quasar, whose own releases are versioned 1.x. The C2 host is a dynamic-DNS style name with a non-standard port, which is worth a block at the resolver level in addition to the host-based indicators.
Signatures
-
Quasar payload (1 IoC)
  resource: behavioral1/memory/1704-54-0x00000000010A0000-0x00000000011B0000-memory.dmp
  yara_rule: family_quasar

Adds Run key to start application (2 TTPs, 2 IoCs)
  process: WScript.exe
  Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Users\\Admin\\AppData\\Roaming\\Venom.exe"
  Note: the value is written under RunOnce, not Run. Windows deletes a RunOnce value before executing it at the next logon, so this entry fires once at most; the durable persistence is the ONLOGON scheduled task below, which uses the same name and the same target path. Both point at the user's AppData\Roaming directory, which is writable without elevation.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, enabled by PID 1704 (d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1704 (the sample) wrote to memory of PID 672 (schtasks.exe): 4 events
  PID 1704 (the sample) wrote to memory of PID 1884 (explorer.exe): 4 events
  PID 656 (explorer.exe) wrote to memory of PID 1424 (WScript.exe): 3 events
  Note: every target is a direct child of the writer, so these writes are consistent with ordinary process start-up by the parent rather than injection into an unrelated process. The signature is generic; what makes it meaningful here is what the children go on to do.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Venom.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
        - Adds Run key to start application

Two things in this tree matter for detection. First, the sample is a 32-bit process: "schtasks" and "C:\Windows\System32\explorer.exe" both resolve to SysWOW64 through file system redirection, and it launches the dropped script by handing the .vbs path to explorer.exe instead of starting WScript.exe itself. Second, the 32-bit explorer.exe passes the file to the already-running 64-bit shell over COM (the /factory,{CLSID} -Embedding instance, PID 656), and it is that instance which spawns WScript.exe. WScript.exe is therefore not a descendant of the sample, so parent-child correlation alone will not tie the RunOnce write back to it; the shared path C:\Users\Admin\AppData\Local\Execution.vbs in both command lines does. The /rl HIGHEST flag only yields an elevated task if the creating user is already an administrator; the task is still created, at the user's own level, otherwise.
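Detection logic for the chain above (the ONLOGON schtasks persistence, explorer.exe used as a script launcher, the RunOnce write from WScript.exe, and the ip-api.com lookup), as an added example that is not part of this report or of any sandbox's own code. The events are constructed from the report's process tree and signatures rather than captured from a host; the record field names, the rule names, the parent_pid of 0 for processes whose parent the report does not show, and the IP-lookup domains other than ip-api.com are my assumptions.

```python
"""Rules for the persistence and execution chain in this report (added example).

EVENTS is a constructed list of Sysmon-style records mirroring the report's
process tree and signatures; field and rule names are the author's own.
"""
import re
from typing import Dict, List, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe")
SCHTASKS_CMD = (r'"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\Venom.exe" /rl HIGHEST /f')
VBS = r"C:\Users\Admin\AppData\Local\Execution.vbs"
RUNONCE = (r"\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\RunOnce")

EVENTS: List[dict] = [  # constructed from the report; parent_pid 0 = parent not shown
    {"type": "process", "pid": 1704, "parent_pid": 0, "image": SAMPLE, "parent_image": "",
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 672, "parent_pid": 1704, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": SAMPLE, "cmdline": SCHTASKS_CMD},
    {"type": "process", "pid": 1884, "parent_pid": 1704, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": SAMPLE, "cmdline": rf'"C:\Windows\System32\explorer.exe" {VBS}'},
    # COM-activated 64-bit shell: not a child of the sample, so ancestry breaks here
    {"type": "process", "pid": 656, "parent_pid": 0, "image": r"C:\Windows\explorer.exe", "parent_image": "",
     "cmdline": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"type": "process", "pid": 1424, "parent_pid": 656, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": rf'"C:\Windows\System32\WScript.exe" "{VBS}"'},
    {"type": "registry_set", "pid": 1424, "image": r"C:\Windows\System32\WScript.exe",
     "target": RUNONCE + r"\Venom Client Startup", "data": r"C:\Users\Admin\AppData\Roaming\Venom.exe"},
    {"type": "dns", "pid": 1704, "image": SAMPLE, "query": "ip-api.com"},
]

USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|LocalLow|Roaming)|Users\\Public|ProgramData|Temp)\\", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd")
# Analyst-maintained list: only ip-api.com occurs in this report; the rest are assumed equivalents.
IP_LOOKUP_DOMAINS = {"ip-api.com", "ipinfo.io", "api.ipify.org", "checkip.amazonaws.com"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _arg(cmdline: str, flag: str) -> Optional[str]:
    """Value after a schtasks-style flag, quoted or bare; None if the flag is absent."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Structured view of a `schtasks /create` command line; None for other verbs."""
    if not re.search(r"(?i)(?<!\S)/create(?!\S)", cmdline):
        return None
    return {"task_name": _arg(cmdline, "/tn") or "",
            "schedule": (_arg(cmdline, "/sc") or "").upper(),
            "action": _arg(cmdline, "/tr") or "",
            "run_level": (_arg(cmdline, "/rl") or "LIMITED").upper(),  # schtasks default
            "force": re.search(r"(?i)(?<!\S)/f(?!\S)", cmdline) is not None}


def evaluate(events: List[dict]) -> List[dict]:
    """Apply the rules and return one finding per matching event."""
    findings: List[dict] = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            img, parent, cmd = _basename(ev["image"]), _basename(ev["parent_image"]), ev["cmdline"]
            task = parse_schtasks(cmd) if img == "schtasks.exe" else None
            # Logon/boot-triggered task whose action lives in a user-writable directory
            if task and task["schedule"] in ("ONLOGON", "ONSTART") and USER_WRITABLE.search(task["action"]):
                findings.append({"rule": "schtasks_logon_persistence", "pid": pid,
                                 "detail": f"{task['task_name']} -> {task['action']} (rl={task['run_level']})"})
            # explorer.exe invoked with a script file as its argument (launcher abuse)
            if img == "explorer.exe" and cmd.lower().rstrip('"').endswith(SCRIPT_EXT):
                findings.append({"rule": "explorer_launches_script", "pid": pid, "detail": cmd})
            # Script host spawned by the shell, running a script from a user-writable directory
            if img in ("wscript.exe", "cscript.exe") and parent == "explorer.exe" and USER_WRITABLE.search(cmd):
                findings.append({"rule": "script_host_from_explorer", "pid": pid, "detail": cmd})
        elif ev["type"] == "registry_set":
            if re.search(r"\\CurrentVersion\\Run(?:Once)?\\", ev["target"], re.I) and USER_WRITABLE.search(ev["data"]):
                findings.append({"rule": "run_key_userland_autostart", "pid": pid,
                                 "detail": f"{ev['target']} = {ev['data']}"})
        elif ev["type"] == "dns" and ev["query"].lower() in IP_LOOKUP_DOMAINS:
            findings.append({"rule": "external_ip_lookup", "pid": pid, "detail": ev["query"]})
    return findings


def link_by_artifact(events: List[dict]) -> Dict[str, List[int]]:
    """Script paths that occur in the command lines of more than one process.

    Ancestry never ties WScript.exe (child of the COM-activated explorer) back to
    the sample; the Execution.vbs path shared by PIDs 1884 and 1424 does.
    """
    seen: Dict[str, List[int]] = {}
    for ev in events:
        if ev["type"] != "process":
            continue
        for path in re.findall(r'[A-Za-z]:\\[^"\s]+?\.(?:vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b', ev["cmdline"], re.I):
            seen.setdefault(path.lower(), []).append(ev["pid"])
    return {p: pids for p, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
    print(link_by_artifact(EVENTS))
```

The explorer-to-WScript rule also fires when a user double-clicks a .vbs in their own profile, so on a real estate it is a correlation input rather than an alert on its own; what makes this chain unambiguous is a /rl HIGHEST logon task and a Run/RunOnce value that point at the same AppData path, plus the script-host spawn within the same minute. link_by_artifact exists because the COM-activated explorer.exe breaks the parent chain: without it, the RunOnce write from PID 1424 would appear unrelated to the sample.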
Downloads
-
C:\Users\Admin\AppData\Local\Execution.vbs
  Filesize: 487B
  MD5: 0bd2a48a7ea7bb9c3c6052f8689224d5
  SHA1: f50e7e305926794d8b06b41037b824aacec8f19f
  SHA256: c0d72c6c63c1db6caec20189d79fc208bc3891bd0a9e54fb62c272826a78f257
  SHA512: a98c9eef6421002c14b3241173c9224db1826683b82fafcd4b0891d6b5dee4cfac0d2c47206d682c04bb83361d99da04eb6a6919d51f8142195bfc4030f4765e
memory/1704-54-0x00000000010A0000-0x00000000011B0000-memory.dmp
  Filesize: 1.1MB
memory/1704-55-0x0000000004B50000-0x0000000004B90000-memory.dmp
  Filesize: 256KB
memory/1704-59-0x0000000004B50000-0x0000000004B90000-memory.dmp
  Filesize: 256KB

Note: the 1.1MB region at 0x010A0000 is the one the family_quasar YARA rule matched (see Signatures) and its size is consistent with the 1.0MB sample being mapped unpacked, so it is the dump to feed a Quasar config extractor if the static file does not yield the config. The 487-byte Execution.vbs is the only file drop recorded; no write of Venom.exe to AppData\Roaming appears in this run, so the scheduled task and RunOnce entry reference a file this run did not observe being created.