Overview

overview

10

Static

static

10

4ef1927705...f6.exe

windows7-x64

10

4ef1927705...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2024 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ef1927705d28faf8456c200397d0af6.exe

  • Size

    792KB

  • MD5

    4ef1927705d28faf8456c200397d0af6

  • SHA1

    b92ab805e7c2884abcf371179b0d8989c4f90025

  • SHA256

    cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc

  • SHA512

    fe7f2405a8beb2bd70cfc689ce5ea3fc2cc4e03c72c925db698ea0e56b269b3e66c20f88afc382ea734e39b25cf66b0bcf24d72dab12d1b791ef91c690af17ac

  • SSDEEP

    6144:K8fGABIgrx8kFYLTiMkbmM28mA04ykdBbDqIJluHLmRZXqavbvmGaGy3V8/GV0j1:LPx7FYPiMq2fkdZ9JamPaaDvreg7

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

192.168.1.154:4782

Mutex

VNM_MUTEX_ph9lkMeWS6xgznetvP

Attributes
  • encryption_key

    2ABr09PX2FCCobHek8sv

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe
    "C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1916
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TlIea1i3zqmj.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:2232
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:3988
          • C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe
            "C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3944

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4ef1927705d28faf8456c200397d0af6.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TlIea1i3zqmj.bat
        Filesize

        229B

        MD5

        19c459d65488ec49c7c4d274ca367d0f

        SHA1

        54b368182867049a5728390f9552c24e93589f91

        SHA256

        742d7bd46ea59f96002a7be15badd02d0919d537696741074c0d355a4b1ea4c6

        SHA512

        f49e6d84cf85baa9e447dfe3837e5b567e1b785665fbfd2ef69b315ce0d16c7cef5e5b7cdb6a7066dee16600db7a01bd00934655bad9a9728b98c173654b1aa2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwul0ibe.kh3.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        792KB

        MD5

        4ef1927705d28faf8456c200397d0af6

        SHA1

        b92ab805e7c2884abcf371179b0d8989c4f90025

        SHA256

        cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc

        SHA512

        fe7f2405a8beb2bd70cfc689ce5ea3fc2cc4e03c72c925db698ea0e56b269b3e66c20f88afc382ea734e39b25cf66b0bcf24d72dab12d1b791ef91c690af17ac

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        667KB

        MD5

        6a10889832a6917cf9baa6b14df3de90

        SHA1

        db36d84e1a4f5b16ecfc32eff70cc01ee93775d4

        SHA256

        662e74eb9261bc074fab192fc0a6a3db27ef9a88ea8dae318b9d463d18781d30

        SHA512

        bba62a5d1e5bc3b65eea4117c7ad6073b7b381bddec4bb0b08444d4ae6e368fa517028f88ab5e66276be293a900a62da7ec348d61164bc32c9c71f418e102c43

        Download Submit

      • memory/2068-6-0x00000000064F0000-0x0000000006502000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2068-3-0x00000000053F0000-0x0000000005482000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2068-7-0x0000000006930000-0x000000000696C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2068-5-0x0000000005490000-0x00000000054F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2068-4-0x0000000005540000-0x0000000005550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2068-0-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2068-62-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2068-63-0x0000000005540000-0x0000000005550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2068-1-0x00000000008D0000-0x000000000099C000-memory.dmp

        Filesize

        816KB

        Download

      • memory/2068-2-0x0000000005900000-0x0000000005EA4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2068-71-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3944-74-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3944-73-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3944-75-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3944-76-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4800-49-0x00000000065F0000-0x00000000065FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4800-66-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4800-64-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4800-16-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4800-12-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4804-46-0x0000000006950000-0x000000000696E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4804-58-0x00000000079F0000-0x00000000079F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4804-35-0x0000000006970000-0x00000000069A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4804-34-0x000000007F820000-0x000000007F830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4804-36-0x00000000704C0000-0x000000007050C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4804-50-0x0000000007D10000-0x000000000838A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4804-51-0x00000000076D0000-0x00000000076EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4804-52-0x0000000007740000-0x000000000774A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4804-53-0x0000000007950000-0x00000000079E6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4804-54-0x00000000078D0000-0x00000000078E1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4804-55-0x0000000007900000-0x000000000790E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4804-56-0x0000000007910000-0x0000000007924000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4804-57-0x0000000007A10000-0x0000000007A2A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4804-47-0x0000000006A00000-0x0000000006AA3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/4804-61-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4804-33-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4804-32-0x0000000006400000-0x000000000644C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4804-31-0x00000000063C0000-0x00000000063DE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4804-30-0x0000000005D40000-0x0000000006094000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4804-20-0x0000000005BB0000-0x0000000005C16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4804-19-0x0000000005A90000-0x0000000005AB2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4804-18-0x0000000005430000-0x0000000005A58000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4804-14-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4804-17-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4804-15-0x0000000004DC0000-0x0000000004DF6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4804-13-0x00000000750C0000-0x0000000075870000-memory.dmp

        Filesize

        7.7MB

        Download