Analysis
-
max time kernel
130s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
13-02-2024 13:20
General
-
Target
99862073a5f3df00516a49e3b78057b1.exe
-
Size
635KB
-
MD5
99862073a5f3df00516a49e3b78057b1
-
SHA1
46ac6d3ec2cb7d90d946a1470b5dff98eecee011
-
SHA256
bb1956f934dfbebe914a54e3445b5fbafac60e2672794a5e14ed4d1999d5aed2
-
SHA512
d0d248502db680f17ed2e8d750d809796320c41395284df0df9967fac852f6b39a05df33f5054cc8e45ba116c61eb2c112e3038a26b3fada34056e36f1400629
-
SSDEEP
12288:Z+ifBbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0Rqs+8s7b:csBxrd4lA7OvR/fqKoqsxsvoyFtbsqsK
Malware Config
Extracted
quasar
2.1.0.0
Windows firewall
23.105.131.187:7812
VNM_MUTEX_zGeT5SjdI1pYgFyiav
-
encryption_key
3kpwI2tkVNrXY2Mm5wlR
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
Windows Firewall Updates
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\99862073a5f3df00516a49e3b78057b1.exe"C:\Users\Admin\AppData\Local\Temp\99862073a5f3df00516a49e3b78057b1.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99862073a5f3df00516a49e3b78057b1.exe"C:\Users\Admin\AppData\Local\Temp\99862073a5f3df00516a49e3b78057b1.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\99862073a5f3df00516a49e3b78057b1.exe"C:\Users\Admin\AppData\Local\Temp\99862073a5f3df00516a49e3b78057b1.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\99862073a5f3df00516a49e3b78057b1.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2x6w33cRv9qt.bat" "3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
507B
MD58cf94b5356be60247d331660005941ec
SHA1fdedb361f40f22cb6a086c808fc0056d4e421131
SHA25652a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0
SHA512b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651
-
Filesize
229B
MD5555767beac6f0ed9366a415e11c21ab8
SHA11ad51e6c18fd78b48f9f5325e2437fc1a9db880f
SHA256f904a8079a3e4f847b12266fe40bd3c1751858a78bcc6ebee8e510723a957329
SHA512f654e0d0064c4fbb7d0e091a1611fc7da2ecde6910d90563804a136ac7dddf06bd22e196959876b9aa1e0aa0d2f02dd08b6229e273c386548912ab17b623e088
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
635KB
MD599862073a5f3df00516a49e3b78057b1
SHA146ac6d3ec2cb7d90d946a1470b5dff98eecee011
SHA256bb1956f934dfbebe914a54e3445b5fbafac60e2672794a5e14ed4d1999d5aed2
SHA512d0d248502db680f17ed2e8d750d809796320c41395284df0df9967fac852f6b39a05df33f5054cc8e45ba116c61eb2c112e3038a26b3fada34056e36f1400629
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
656KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
240KB
-
Filesize
560KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB