Analysis
-
max time kernel
151s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
13-03-2024 01:04
General
-
Target
c4931e69ad579b38cec44aa9edb8059c.exe
-
Size
638KB
-
MD5
c4931e69ad579b38cec44aa9edb8059c
-
SHA1
95421f27626920e4ec0427c0b5c2d4e10a6a4e87
-
SHA256
a6accf62cd5ec2b1fdd5da1a8611913453f129a96c495ca5a8d7fcc1a6a47061
-
SHA512
0f7d46742941ac4890f2c4521843b9c2f037fcb60dfaba1c76f7a5cb55ce88c3a0936d1f99195e59e418dc89b1bd2c06395c54d237b348b0f77605ac85b365de
-
SSDEEP
12288:a+BbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0RqsT79:a+Bxrd4lA7OvR/fqKoqsxsvoyFtbsqsd
Malware Config
Extracted
quasar
2.1.0.0
Windows firewall
23.105.131.187:7812
VNM_MUTEX_zGeT5SjdI1pYgFyiav
-
encryption_key
3kpwI2tkVNrXY2Mm5wlR
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
Windows Firewall Updates
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4931e69ad579b38cec44aa9edb8059c.exe"C:\Users\Admin\AppData\Local\Temp\c4931e69ad579b38cec44aa9edb8059c.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c4931e69ad579b38cec44aa9edb8059c.exe"C:\Users\Admin\AppData\Local\Temp\c4931e69ad579b38cec44aa9edb8059c.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c4931e69ad579b38cec44aa9edb8059c.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 16283⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5084 -ip 50841⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
507B
MD58cf94b5356be60247d331660005941ec
SHA1fdedb361f40f22cb6a086c808fc0056d4e421131
SHA25652a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0
SHA512b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
229B
MD53b3df7f9c6e1cd68a346cc8272230f25
SHA188555fe17fade445e3885629c280bde047057c84
SHA256be724fae4a3743c8379d2b3179b188190f860ca1cd393236dd674885a50d00ce
SHA5121ebb56fd007a9fd1aa16df8ae6d006595516be1132ecc224aa994db0fa79269cf0c2e9a686bc2423a8261774e237d53a52da17e26dca6d9af3fc9423bb2a00f3
-
Filesize
638KB
MD5c4931e69ad579b38cec44aa9edb8059c
SHA195421f27626920e4ec0427c0b5c2d4e10a6a4e87
SHA256a6accf62cd5ec2b1fdd5da1a8611913453f129a96c495ca5a8d7fcc1a6a47061
SHA5120f7d46742941ac4890f2c4521843b9c2f037fcb60dfaba1c76f7a5cb55ce88c3a0936d1f99195e59e418dc89b1bd2c06395c54d237b348b0f77605ac85b365de
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
664KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
560KB
-
Filesize
7.7MB