Overview

overview

10

Static

static

3

estadodecu...co.exe

windows7-x64

10

estadodecu...co.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    estadodecuenta332652referenciaembargorentdawwwdiangovco.LHA

  • Size

    774KB

  • Sample

    240517-seqf6sdc39

  • MD5

    0d048bd8c0a6bade3e21d834024001bc

  • SHA1

    cfb92fa872a6ac66552d2cc10ebcc7cf3eb59a06

  • SHA256

    a9855a152712675a87916aeb25ad5e0c296b251df5c124957cc4cac2f8394f50

  • SHA512

    3b4b5efde439f7a8f770a5aeeec8e63eb2a2fbdb8899183b80922093fd6d877022df1732579493318ac0957c9346b1a5a59d1375260acb7389e762f5d100a46e

  • SSDEEP

    24576:FEJi2+h5wTfU53A+Kj9uTeawekmcpWtsHKL2:FEj+huTOUuSawIcEuHa2

Score
10/10
quasardefense_evasionevasionexecutionimpactpersistenceransomwarespywaretrojan

Malware Config

Targets

    • Target

      estadodecuenta332652referenciaembargorentdawwwdiangovco.exe

    • Size

      798KB

    • MD5

      4c4dfb410229ae29494d7053d2e05d66

    • SHA1

      fb51f3d30ab1780cc93bb47aff9fae4fe92bc0a3

    • SHA256

      7b620a850f9af37d6abc81ef1a7a72da6b8ca2d696b9a83ebe8e4b8f99a77f23

    • SHA512

      cc5fde78dc8cb6032046e7fb302a561eda90e7dac1532f63d41e8efcf8c7cb077bb3da35e9755ac19da7a8cbe90a4a592a491bd49657f80288fb5ff071841029

    • SSDEEP

      24576:OxsgdEeOsRu/W+VRm0/CnUPjVwKHb94YMFniyyA:OxTdZOsRu/m6AUPCKHRMFnyA

    Score
    10/10
    quasardefense_evasionevasionexecutionimpactpersistenceransomwarespywaretrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

4
T1562

Disable or Modify Tools

4
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

8
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks