Overview

overview

10

Static

static

3

ItroublveTSC.exe

windows7-x64

10

ItroublveTSC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    11s
  • max time network
    7s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-04-2024 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ItroublveTSC.exe

  • Size

    2.0MB

  • MD5

    7c2da2ae36228b8b66ec5e5029e90d08

  • SHA1

    d636baf89fd305a1f694611097ac6e7bcb1f244c

  • SHA256

    c6820f426b28b93295ca3b768780e8b372424fb72e94b5d0c094b030f53d4721

  • SHA512

    93cbc698211b0ab0f96ab3f0eb8d393bcd04580418e08fc6df9b935a7cdd091b619a0edab4771b4c887264b0eef6846e6e08a7be24a8681848a1885206a29960

  • SSDEEP

    49152:DL+qgtiXBVLcHD/QmJqRsVEzCeePMAnUD:OzcBVYHDjcyVMukAUD

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

zaidtheboii-50153.portmap.host:50153

Mutex

VNM_MUTEX_fNWmZ9wa8oprRXUo73

Attributes
  • encryption_key

    PJRTtGrfOi1c09c0GCYT

  • install_name

    OneDrive.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft One Drive

  • subdirectory

    Microsoft One Drive

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe
    "C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Roaming\ItroublveTSC.exe
      "C:\Users\Admin\AppData\Roaming\ItroublveTSC.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2156
    • C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:312
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Microsoft One Drive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2596
      • C:\Windows\SysWOW64\Microsoft One Drive\OneDrive.exe
        "C:\Windows\SysWOW64\Microsoft One Drive\OneDrive.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Microsoft One Drive" /sc ONLOGON /tr "C:\Windows\SysWOW64\Microsoft One Drive\OneDrive.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:3024
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\U6cmLAh6gM4t.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
              PID:1808
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              5⤵
              • Runs ping.exe
              PID:2488
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1468
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:2316
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2460
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            4⤵
            • Deletes itself
            PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\2qSZxzJ0B9BK.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:1380
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:1472

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2qSZxzJ0B9BK.bat
        Filesize

        215B

        MD5

        73a70c5d71f5e38ef9ffabc4f65bd58a

        SHA1

        ae8cf70033be83bd8746ab281eef0b7bf0929092

        SHA256

        51fd8ceda251bbbd471e609fd7721427e8638b7d1f9e9352c94395cf8b35a7a3

        SHA512

        bc5feee6324123d6307ba2d7b64e28a553738ffe63abf000073fe511edeaa5d97e5da20d7ee4bee9406a8127a32389f6623b2e9bb8d7512867e15cc120cdbcca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar2B4C.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\U6cmLAh6gM4t.bat
        Filesize

        211B

        MD5

        1cb757389c1406b0ea5e5bb37ee49aa6

        SHA1

        a45d45d1e92e16de523552970fcb3a132bf9f74c

        SHA256

        b117520b277cb41ade7db9177b1c8bdb095bf74004c356022a9fd95fae53bcf0

        SHA512

        eb27b7f9ef823b9d16e182700fd7ce9805c6dacd995068f1a292d47ae2eb4f7f098918b14eb120623520f19a85b4b18eab38dcd264ae2003c8debeaa690c5734

        Download Submit

      • \Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
        Filesize

        550KB

        MD5

        3fce051fde9fbd1302b4ee16f604553b

        SHA1

        e137d2e6fa0007ddd0bf3a1215a68b37ef2ed653

        SHA256

        a34954a87d0f4354a21e40ea0e9a9eee4420f47987d40be854ea7b98d6d36226

        SHA512

        cb07f753043b7705b0e32bbf4e1ae8ddf6176851562dea567e75a4715b1beb4031d35a43b6bf0bc45d5b2da7430be0d87b6ae61b5b2e07c7c8950bb0247e4a5c

        Download Submit

      • \Users\Admin\AppData\Roaming\ItroublveTSC.exe
        Filesize

        3.9MB

        MD5

        53f43b1e9d99d6a356a332d9073b4736

        SHA1

        71e6c5a216a66b2b523b1b022d44c10b276c6195

        SHA256

        584bf67e7c8e93629e175733fe42907e60916047e68f1b4973d4cbf3dd2c22d6

        SHA512

        e7c5e4b26309e38dd1dd52b4f509c94fb9f50453e4d5c2ba895b02c48457a15c384866fdeb57185b628f10873ed6a6e6936ad170827f4855c9c5eca15ab8f959

        Download Submit

      • memory/312-21-0x00000000724D0000-0x0000000072BBE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/312-19-0x0000000000310000-0x00000000003A0000-memory.dmp

        Filesize

        576KB

        Download

      • memory/312-22-0x0000000004AF0000-0x0000000004B30000-memory.dmp

        Filesize

        256KB

        Download

      • memory/312-120-0x00000000724D0000-0x0000000072BBE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2156-20-0x00000000724D0000-0x0000000072BBE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2156-37-0x00000000724D0000-0x0000000072BBE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2156-23-0x00000000050B0000-0x00000000050F0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2156-18-0x0000000000D90000-0x0000000001176000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2428-30-0x00000000724D0000-0x0000000072BBE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2428-32-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2428-31-0x00000000012F0000-0x0000000001380000-memory.dmp

        Filesize

        576KB

        Download

      • memory/2460-35-0x000000006ED50000-0x000000006F2FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2460-36-0x0000000002A70000-0x0000000002AB0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2460-38-0x000000006ED50000-0x000000006F2FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2924-1-0x0000000000810000-0x0000000000850000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2924-17-0x00000000745B0000-0x0000000074B5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2924-2-0x00000000745B0000-0x0000000074B5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2924-0-0x00000000745B0000-0x0000000074B5B000-memory.dmp

        Filesize

        5.7MB

        Download