Overview

overview

10

Static

static

3

4942e9c134...3c.exe

windows7-x64

10

4942e9c134...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2024 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4942e9c13479bc1a62bdb07b23474e3c.exe

  • Size

    639KB

  • MD5

    4942e9c13479bc1a62bdb07b23474e3c

  • SHA1

    d7a7283939a2fa4506b47fa809431b9cc4d2559e

  • SHA256

    5b11f30be6e3bfb808c25d07b492cfa12840fd0efa795d8af397feba045d1c59

  • SHA512

    8c8edd299922fcfa100e3e725d1b09259a86e41546361273c386177a3e2a765ffc76169a5b9d142efb4c5335bee3805c1f908c7f4edae0f0a33f2631a037eb59

  • SSDEEP

    12288:66bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58WgxWM:6kJhngpn9kNsMwbMgkK58WgQM

Score
10/10
quasarvenomratsep05evasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

C2

23.105.131.187:7812

Mutex

VNM_MUTEX_ea14HLQ5adxyrFdD2X

Attributes
  • encryption_key

    jUWfdDb1toPE0KAlGJWH

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update Service

  • subdirectory

    Windows Security Update

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
    "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
      "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Loads dropped DLL
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2928
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYBkfR5mTgJm.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
          "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2668
  • C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1692
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    1⤵
      PID:2296
    • C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      1⤵
      • Runs ping.exe
      PID:324
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      1⤵
        PID:2268
      • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
        "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
        1⤵
          PID:1524
        • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
          "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
          1⤵
            PID:308
          • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
            "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
            1⤵
              PID:1612
            • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
              "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
              1⤵
                PID:844
              • C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
                "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
                1⤵
                  PID:560

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\Cab4397.tmp
                  Filesize

                  65KB

                  MD5

                  ac05d27423a85adc1622c714f2cb6184

                  SHA1

                  b0fe2b1abddb97837ea0195be70ab2ff14d43198

                  SHA256

                  c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                  SHA512

                  6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TYBkfR5mTgJm.bat
                  Filesize

                  229B

                  MD5

                  d44b07e33c2286868964b63090640dd3

                  SHA1

                  a00ed7a650998a10a183b168cfbd2a7e98ad08aa

                  SHA256

                  b9e9ebcc3222a76d9d8695d54fefb4b7c53b7424decd88b57db61d6bf65e3369

                  SHA512

                  0d7ed908a23ce09fd1d7eb1e953b70c6d9e51f9cc5a3f4921506096afec57b4017d0beb9092b3751ea82ca05dae76b804c9baebe7970242584f3918eb4090ea8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
                  Filesize

                  639KB

                  MD5

                  4942e9c13479bc1a62bdb07b23474e3c

                  SHA1

                  d7a7283939a2fa4506b47fa809431b9cc4d2559e

                  SHA256

                  5b11f30be6e3bfb808c25d07b492cfa12840fd0efa795d8af397feba045d1c59

                  SHA512

                  8c8edd299922fcfa100e3e725d1b09259a86e41546361273c386177a3e2a765ffc76169a5b9d142efb4c5335bee3805c1f908c7f4edae0f0a33f2631a037eb59

                  Download Submit

                • \Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
                  Filesize

                  92KB

                  MD5

                  c97b20f1cc3a8ab3e76529906f8f388d

                  SHA1

                  343c673821211d822fcedd194e960a5b11107867

                  SHA256

                  6363ca8ceb755a223c5fc4b38a33a1259bcf7c8f1d4ac18a5eecaa88581a0184

                  SHA512

                  470dee73a6869330dcd346c9d4dbdbb37b755f5094ca62b2e3c66af4afc0b7d8a1532cfbc8b74f376cb3ddcf839d1a1f9c2ae6270aac26ec654e94af0891ff42

                  Download Submit

                • memory/1632-120-0x0000000000390000-0x00000000003D0000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/1632-118-0x0000000000220000-0x00000000002C6000-memory.dmp

                  Filesize

                  664KB

                  Download

                • memory/1632-119-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/1632-121-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2128-18-0x00000000748B0000-0x0000000074F9E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2128-0-0x00000000008B0000-0x0000000000956000-memory.dmp

                  Filesize

                  664KB

                  Download

                • memory/2128-4-0x0000000000530000-0x000000000053A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/2128-1-0x00000000748B0000-0x0000000074F9E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2128-2-0x0000000004990000-0x00000000049D0000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2300-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2300-15-0x0000000000400000-0x000000000048C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/2300-7-0x0000000000400000-0x000000000048C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/2300-19-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2300-5-0x0000000000400000-0x000000000048C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/2300-20-0x0000000004B80000-0x0000000004BC0000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2300-17-0x0000000000400000-0x000000000048C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/2300-116-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2300-13-0x0000000000400000-0x000000000048C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/2300-10-0x0000000000400000-0x000000000048C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/2300-9-0x0000000000400000-0x000000000048C000-memory.dmp

                  Filesize

                  560KB

                  Download

                • memory/2632-50-0x0000000004B40000-0x0000000004B80000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2632-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2632-123-0x0000000004B40000-0x0000000004B80000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2632-122-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2632-49-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2708-54-0x000000006F210000-0x000000006F7BB000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2708-51-0x0000000002880000-0x00000000028C0000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2708-48-0x0000000002880000-0x00000000028C0000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2708-47-0x000000006F210000-0x000000006F7BB000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2708-53-0x000000006F210000-0x000000006F7BB000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/2708-52-0x0000000002880000-0x00000000028C0000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2876-28-0x0000000000100000-0x00000000001A6000-memory.dmp

                  Filesize

                  664KB

                  Download

                • memory/2876-30-0x00000000022D0000-0x0000000002310000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2876-43-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2876-29-0x00000000741C0000-0x00000000748AE000-memory.dmp

                  Filesize

                  6.9MB

                  Download