Overview

overview

10

Static

static

10

fpsFIX.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-02-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fpsFIX.exe

  • Size

    534KB

  • MD5

    68e20c59e6398f9fe522cc509d440698

  • SHA1

    5259db943f684f654c66ca277b28c410877494ad

  • SHA256

    6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6

  • SHA512

    c25860340c9fd2b60a61490837febbe87d7912487cf6fbed0d31bd943c561767302be89c0309bc6e19df391e25adff5c4f6186a1b7f7fd181732c95da9a1ad09

  • SSDEEP

    6144:N8fGtiZAjx7ZgCUODKULTMMkbKGofLPRU9BZIbHtZLLLK1hI8MjXOZ3y7z2Qnp3Q:yexVgCUU5/MMdKB0Z/G1hyW3ApRa

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

4.tcp.us-cal-1.ngrok.io:12688
Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    JuBNDSQCyglnSfq0cvJE

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fpsFIX.exe
    "C:\Users\Admin\AppData\Local\Temp\fpsFIX.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\SubDir\Client.exe
      "C:\Windows\SysWOW64\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5116
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3332
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:2432
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vY3Wj2jqdlG5.bat" "
        2⤵
          PID:2888

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Modify Registry

      2
      T1112

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1uonchhs.jj2.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vY3Wj2jqdlG5.bat
        Filesize

        203B

        MD5

        d932327cae7312e343c3395bc75e3954

        SHA1

        290a502b3cba4b76858660ba63bdba5057afe47d

        SHA256

        984b93f8d1b5fbbeeea2d52b1184aedcbaba5b8e587bf1ff51b72cfa4b054b2c

        SHA512

        b9956815f9f4c3ecf3060a0e85f62b4f4ea5b9296082d64d66670d6488f1f30fce6b4b4630911924148fa5bec96c3511126307f39701aae4e14d421b6ba1b11c

        Download Submit
      • C:\Windows\SysWOW64\SubDir\Client.exe
        Filesize

        534KB

        MD5

        68e20c59e6398f9fe522cc509d440698

        SHA1

        5259db943f684f654c66ca277b28c410877494ad

        SHA256

        6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6

        SHA512

        c25860340c9fd2b60a61490837febbe87d7912487cf6fbed0d31bd943c561767302be89c0309bc6e19df391e25adff5c4f6186a1b7f7fd181732c95da9a1ad09

        Download Submit
      • memory/308-0-0x0000000000010000-0x000000000009C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/308-2-0x0000000004E70000-0x000000000536E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/308-3-0x0000000004A60000-0x0000000004AF2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/308-4-0x0000000004A50000-0x0000000004A60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/308-5-0x0000000004970000-0x00000000049D6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/308-6-0x0000000004E40000-0x0000000004E52000-memory.dmp
        Filesize

        72KB

        Download
      • memory/308-7-0x0000000005980000-0x00000000059BE000-memory.dmp
        Filesize

        248KB

        Download
      • memory/308-274-0x00000000737A0000-0x0000000073E8E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/308-1-0x00000000737A0000-0x0000000073E8E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3332-52-0x0000000009310000-0x00000000093B5000-memory.dmp
        Filesize

        660KB

        Download
      • memory/3332-46-0x000000006FA60000-0x000000006FAAB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3332-19-0x0000000004700000-0x0000000004710000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3332-20-0x0000000007180000-0x00000000077A8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3332-21-0x0000000007050000-0x0000000007072000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3332-22-0x0000000007920000-0x0000000007986000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3332-23-0x0000000007990000-0x0000000007CE0000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3332-24-0x0000000007CE0000-0x0000000007CFC000-memory.dmp
        Filesize

        112KB

        Download
      • memory/3332-25-0x00000000082C0000-0x000000000830B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3332-268-0x00000000737A0000-0x0000000073E8E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3332-28-0x00000000080E0000-0x0000000008156000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3332-17-0x0000000004700000-0x0000000004710000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3332-45-0x00000000091E0000-0x0000000009213000-memory.dmp
        Filesize

        204KB

        Download
      • memory/3332-18-0x00000000045D0000-0x0000000004606000-memory.dmp
        Filesize

        216KB

        Download
      • memory/3332-47-0x00000000091A0000-0x00000000091BE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3332-16-0x00000000737A0000-0x0000000073E8E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3332-53-0x0000000004700000-0x0000000004710000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3332-54-0x0000000009530000-0x00000000095C4000-memory.dmp
        Filesize

        592KB

        Download
      • memory/3332-247-0x0000000009490000-0x00000000094AA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3332-252-0x0000000009470000-0x0000000009478000-memory.dmp
        Filesize

        32KB

        Download
      • memory/5116-27-0x0000000006330000-0x000000000633A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/5116-12-0x00000000737A0000-0x0000000073E8E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/5116-13-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5116-275-0x00000000737A0000-0x0000000073E8E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/5116-276-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
        Filesize

        64KB

        Download