quasar | 3770792a40acb10bd5eefeaf0400f044f0e4b38f21bf339789e9a05f8b5fb358

General

Target

wwwramajudicialgovcoproceso000000700940300540.exe
Size

786KB
MD5

86b6376b986d74f2391da19a18ec2f22
SHA1

6e71c1cd1ee49d21ccfbbe635415c46198270caf
SHA256

fb1ff068b0e9bf403835b2087e476f00dd57d3d9e670f09351fac465374004d7
SHA512

6512c64c9eb46246b2998dca2e02c43bde6edb087104d16682f1cf4ae2be6c5f2ad2f0b99f17eb4ef894ad72249976f6ee0b2007785d6945191b8f70a326ab99
SSDEEP

24576:UMvhZRJsVhqaDVDS4CS+8GX26nGfUJVX2W:zQ/qaDVGrS3GXlnGmX2

Score

10^/10

quasar evasion persistence ransomware spyware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2780-9-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2780-10-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2780-13-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2780-17-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2780-15-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Verek.exewwwramajudicialgovcoproceso000000700940300540.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Verek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Verek.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

Verek.exewwwramajudicialgovcoproceso000000700940300540.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Verek.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-9-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2780-10-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2780-13-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2780-17-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2780-15-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Verek.exewwwramajudicialgovcoproceso000000700940300540.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Verek.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wwwramajudicialgovcoproceso000000700940300540.exeVerek.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	Verek.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

Verek.exeVerek.exe

pid process

1460 Verek.exe
2056 Verek.exe
Loads dropped DLL 1 IoCs

Processes:

wwwramajudicialgovcoproceso000000700940300540.exe

pid process

2780 wwwramajudicialgovcoproceso000000700940300540.exe

pid	process
1460	Verek.exe
2056	Verek.exe

pid	process
2780	wwwramajudicialgovcoproceso000000700940300540.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wwwramajudicialgovcoproceso000000700940300540.exeVerek.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Verek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	wwwramajudicialgovcoproceso000000700940300540.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wwwramajudicialgovcoproceso000000700940300540.exeVerek.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wwwramajudicialgovcoproceso000000700940300540.exe\""	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wwwramajudicialgovcoproceso000000700940300540.exe\""	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gres\\Verek.exe\""	Verek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gres\\Verek.exe\""	Verek.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Verek.exewwwramajudicialgovcoproceso000000700940300540.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Verek.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wwwramajudicialgovcoproceso000000700940300540.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com
11 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com

flow	ioc
4	pastebin.com
5	pastebin.com
11	pastebin.com

flow	ioc
8	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

wwwramajudicialgovcoproceso000000700940300540.exeVerek.exe

description	pid	process	target process
PID 2420 set thread context of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 1460 set thread context of 2056	1460	Verek.exe	Verek.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

796 schtasks.exe
832 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1792 vssadmin.exe
1800 vssadmin.exe

pid	process
796	schtasks.exe
832	schtasks.exe

pid	process
1792	vssadmin.exe
1800	vssadmin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Verek.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Verek.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Verek.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Verek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Verek.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wwwramajudicialgovcoproceso000000700940300540.exepowershell.exepowershell.exe

pid process

2420 wwwramajudicialgovcoproceso000000700940300540.exe
1440 powershell.exe
1604 powershell.exe

pid	process
2420	wwwramajudicialgovcoproceso000000700940300540.exe
1440	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

wwwramajudicialgovcoproceso000000700940300540.exewwwramajudicialgovcoproceso000000700940300540.exevssvc.exepowershell.exeVerek.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2420	wwwramajudicialgovcoproceso000000700940300540.exe
Token: SeDebugPrivilege	2780	wwwramajudicialgovcoproceso000000700940300540.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2056	Verek.exe
Token: SeDebugPrivilege	1604	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Verek.exe

pid process

2056 Verek.exe

pid	process
2056	Verek.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

wwwramajudicialgovcoproceso000000700940300540.exewwwramajudicialgovcoproceso000000700940300540.exeVerek.exeVerek.exe

description	pid	process	target process
PID 2420 wrote to memory of 2844	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2844	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2844	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2844	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2420 wrote to memory of 2780	2420	wwwramajudicialgovcoproceso000000700940300540.exe	wwwramajudicialgovcoproceso000000700940300540.exe
PID 2780 wrote to memory of 796	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 796	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 796	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 796	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 2504	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 2504	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 2504	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 2504	2780	wwwramajudicialgovcoproceso000000700940300540.exe	schtasks.exe
PID 2780 wrote to memory of 1792	2780	wwwramajudicialgovcoproceso000000700940300540.exe	vssadmin.exe
PID 2780 wrote to memory of 1792	2780	wwwramajudicialgovcoproceso000000700940300540.exe	vssadmin.exe
PID 2780 wrote to memory of 1792	2780	wwwramajudicialgovcoproceso000000700940300540.exe	vssadmin.exe
PID 2780 wrote to memory of 1792	2780	wwwramajudicialgovcoproceso000000700940300540.exe	vssadmin.exe
PID 2780 wrote to memory of 1440	2780	wwwramajudicialgovcoproceso000000700940300540.exe	powershell.exe
PID 2780 wrote to memory of 1440	2780	wwwramajudicialgovcoproceso000000700940300540.exe	powershell.exe
PID 2780 wrote to memory of 1440	2780	wwwramajudicialgovcoproceso000000700940300540.exe	powershell.exe
PID 2780 wrote to memory of 1440	2780	wwwramajudicialgovcoproceso000000700940300540.exe	powershell.exe
PID 2780 wrote to memory of 1460	2780	wwwramajudicialgovcoproceso000000700940300540.exe	Verek.exe
PID 2780 wrote to memory of 1460	2780	wwwramajudicialgovcoproceso000000700940300540.exe	Verek.exe
PID 2780 wrote to memory of 1460	2780	wwwramajudicialgovcoproceso000000700940300540.exe	Verek.exe
PID 2780 wrote to memory of 1460	2780	wwwramajudicialgovcoproceso000000700940300540.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 1460 wrote to memory of 2056	1460	Verek.exe	Verek.exe
PID 2056 wrote to memory of 832	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 832	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 832	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 832	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 1884	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 1884	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 1884	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 1884	2056	Verek.exe	schtasks.exe
PID 2056 wrote to memory of 1800	2056	Verek.exe	vssadmin.exe
PID 2056 wrote to memory of 1800	2056	Verek.exe	vssadmin.exe
PID 2056 wrote to memory of 1800	2056	Verek.exe	vssadmin.exe
PID 2056 wrote to memory of 1800	2056	Verek.exe	vssadmin.exe
PID 2056 wrote to memory of 1604	2056	Verek.exe	powershell.exe
PID 2056 wrote to memory of 1604	2056	Verek.exe	powershell.exe
PID 2056 wrote to memory of 1604	2056	Verek.exe	powershell.exe
PID 2056 wrote to memory of 1604	2056	Verek.exe	powershell.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

wwwramajudicialgovcoproceso000000700940300540.exeVerek.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wwwramajudicialgovcoproceso000000700940300540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wwwramajudicialgovcoproceso000000700940300540.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\wwwramajudicialgovcoproceso000000700940300540.exe
"C:\Users\Admin\AppData\Local\Temp\wwwramajudicialgovcoproceso000000700940300540.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\wwwramajudicialgovcoproceso000000700940300540.exe
"C:\Users\Admin\AppData\Local\Temp\wwwramajudicialgovcoproceso000000700940300540.exe"
2⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\wwwramajudicialgovcoproceso000000700940300540.exe
"C:\Users\Admin\AppData\Local\Temp\wwwramajudicialgovcoproceso000000700940300540.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2780

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "\Microsoft\Windows\System\Pev44\Files\IlemetryLogtek" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\wwwramajudicialgovcoproceso000000700940300540.exe" /f
3⤵
- Creates scheduled task(s)
PID:796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "IlemetryLogtek" /f
3⤵
PID:2504

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Roaming\Gres\Verek.exe
"C:\Users\Admin\AppData\Roaming\Gres\Verek.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\Gres\Verek.exe
"C:\Users\Admin\AppData\Roaming\Gres\Verek.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "\Microsoft\Windows\System\Pev44\Files\IlemetryLogtek" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Gres\Verek.exe" /f
5⤵
- Creates scheduled task(s)
PID:832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "IlemetryLogtek" /f
5⤵
PID:1884

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin" delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

4

T1562

Disable or Modify Tools

4

T1562.001

Indicator Removal

2

T1070

File Deletion

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab8A86.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8AC7.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Gres\settings.xml
Filesize
64B

MD5
cf4d033219f987c0a057da5f64d74fae

SHA1
a5605c0ea0193022cd71190e2dc794381f416d94

SHA256
127a80bd33231ee856a83eddfeaabb22a202a369fe429c8ff5430038fd132876

SHA512
601cf72b779711e420ae0e0292bd3834e8ccc34661f930db5cdc94a2d788147404447cc4ead19a5c74a930fd3a11a415dabe882b0033d167546f395f59383008

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
12a0c9a8b7625dc44a53ffc3b90422b1

SHA1
f74928c549623f8f3b43df3474787b2d1851f5e2

SHA256
08a04c686643a9644d4fe9e58d9ea7a9c57f521a4f6071b8560e1b60e324f986

SHA512
15c4c67aa533142f535814c424a87c93a7f73fa25e7308460bd986a06d00359604509b4fc4c707da4945e579aa8ba97e397102d2b95305bb21b363d39ca30129

Download Submit
\Users\Admin\AppData\Roaming\Gres\Verek.exe
Filesize
786KB

MD5
86b6376b986d74f2391da19a18ec2f22

SHA1
6e71c1cd1ee49d21ccfbbe635415c46198270caf

SHA256
fb1ff068b0e9bf403835b2087e476f00dd57d3d9e670f09351fac465374004d7

SHA512
6512c64c9eb46246b2998dca2e02c43bde6edb087104d16682f1cf4ae2be6c5f2ad2f0b99f17eb4ef894ad72249976f6ee0b2007785d6945191b8f70a326ab99

Download Submit
memory/1440-63-0x000000006EE40000-0x000000006F3EB000-memory.dmp

Filesize
5.7MB

Download
memory/1440-65-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1440-64-0x000000006EE40000-0x000000006F3EB000-memory.dmp

Filesize
5.7MB

Download
memory/1440-66-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1440-67-0x000000006EE40000-0x000000006F3EB000-memory.dmp

Filesize
5.7MB

Download
memory/1460-93-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1460-75-0x0000000000140000-0x000000000020A000-memory.dmp

Filesize
808KB

Download
memory/1460-77-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1460-78-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/1604-107-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-108-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1604-109-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-110-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1604-111-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-96-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2056-115-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2056-114-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-95-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-0-0x00000000000C0000-0x000000000018A000-memory.dmp

Filesize
808KB

Download
memory/2420-18-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2420-3-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/2420-4-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2420-5-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2420-6-0x00000000051D0000-0x0000000005266000-memory.dmp

Filesize
600KB

Download
memory/2780-76-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2780-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2780-7-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2780-79-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2780-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-20-0x00000000048D0000-0x0000000004910000-memory.dmp

Filesize
256KB

Download
memory/2780-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2780-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2780-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2780-19-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads