Analysis

  • max time kernel
    117s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-05-2024 15:02

General

  • Target
    estadodecuenta332652referenciaembargorentdawwwdiangovco.exe
  • Size
    798KB
  • MD5
    4c4dfb410229ae29494d7053d2e05d66
  • SHA1
    fb51f3d30ab1780cc93bb47aff9fae4fe92bc0a3
  • SHA256
    7b620a850f9af37d6abc81ef1a7a72da6b8ca2d696b9a83ebe8e4b8f99a77f23
  • SHA512
    cc5fde78dc8cb6032046e7fb302a561eda90e7dac1532f63d41e8efcf8c7cb077bb3da35e9755ac19da7a8cbe90a4a592a491bd49657f80288fb5ff071841029
  • SSDEEP
    24576:OxsgdEeOsRu/W+VRm0/CnUPjVwKHb94YMFniyyA:OxTdZOsRu/m6AUPCKHRMFnyA

Malware Config

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs
  • Modifies security service 2 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 5 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe
    "C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe
      "C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Modifies security service
      • UAC bypass
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2160
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2532
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /delete /tn "iceTelemetryLogtte" /f
        3⤵
        PID:3056
      • C:\Windows\SysWOW64\vssadmin.exe
        "vssadmin" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2932
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2168
      • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
        "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
          "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Modifies security service
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:948
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe" /f
            5⤵
            • Creates scheduled task(s)
            PID:2128
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /delete /tn "iceTelemetryLogtte" /f
            5⤵
            PID:484
          • C:\Windows\SysWOW64\vssadmin.exe
            "vssadmin" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1296
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:576
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\GPret\settings.xml
    Filesize
    84B
    MD5
    0670ea91a3ff99e765de101bacc1ce56
    SHA1
    3b83e99ae94105ffe78aab1b4e2dab1187b4b0f7
    SHA256
    7dc01c0f1c1d2aa56555d951562ebc455718d3ca7c8e25bd59d42ad5b46b2f2b
    SHA512
    4063b047638fd8cf8927bd360e2426416a6f154a986ad9f6b2c2d6278f7aab41f96c0c9e32c042d3d32fc6779d204012890f76e389681f6f63985b4f93a6d84d
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\54AIQUR5MND4R7YUE5OV.temp
    Filesize
    7KB
    MD5
    3d3b6bcba212571c550380ba66a5ddeb
    SHA1
    da9838ce53a765f664b6f33812617c7ca1d697b5
    SHA256
    954bd2b58c0089bf384ce5e31de76e822a4b6e0ffe1c196961820b7ced00b0d4
    SHA512
    9cf3977aaa4dcf6d83c8e28ddfe96a60d60e6188acfc75a07aa205ba8976c7cd4841a81fcacf8326fd524a2cd62a2b3b485ae2bd8e9e7fae25cf9b6792c8b804
  • \Users\Admin\AppData\Roaming\GPret\Vespre.exe
    Filesize
    798KB
    MD5
    4c4dfb410229ae29494d7053d2e05d66
    SHA1
    fb51f3d30ab1780cc93bb47aff9fae4fe92bc0a3
    SHA256
    7b620a850f9af37d6abc81ef1a7a72da6b8ca2d696b9a83ebe8e4b8f99a77f23
    SHA512
    cc5fde78dc8cb6032046e7fb302a561eda90e7dac1532f63d41e8efcf8c7cb077bb3da35e9755ac19da7a8cbe90a4a592a491bd49657f80288fb5ff071841029
  • memory/948-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/1972-54-0x00000000005C0000-0x00000000005D6000-memory.dmp
    Filesize
    88KB
  • memory/1972-52-0x0000000000EE0000-0x0000000000FAE000-memory.dmp
    Filesize
    824KB
  • memory/2160-20-0x0000000074B20000-0x000000007520E000-memory.dmp
    Filesize
    6.9MB
  • memory/2160-12-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize
    368KB
  • memory/2160-8-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize
    368KB
  • memory/2160-19-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize
    368KB
  • memory/2160-15-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize
    368KB
  • memory/2160-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2160-53-0x0000000074B20000-0x000000007520E000-memory.dmp
    Filesize
    6.9MB
  • memory/2160-17-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize
    368KB
  • memory/2160-22-0x0000000074B20000-0x000000007520E000-memory.dmp
    Filesize
    6.9MB
  • memory/2160-7-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize
    368KB
  • memory/2160-9-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize
    368KB
  • memory/2896-21-0x0000000074B20000-0x000000007520E000-memory.dmp
    Filesize
    6.9MB
  • memory/2896-6-0x0000000005270000-0x000000000530E000-memory.dmp
    Filesize
    632KB
  • memory/2896-5-0x0000000000680000-0x0000000000696000-memory.dmp
    Filesize
    88KB
  • memory/2896-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
    Filesize
    4KB
  • memory/2896-4-0x0000000000630000-0x0000000000640000-memory.dmp
    Filesize
    64KB
  • memory/2896-3-0x0000000000610000-0x0000000000630000-memory.dmp
    Filesize
    128KB
  • memory/2896-2-0x0000000074B20000-0x000000007520E000-memory.dmp
    Filesize
    6.9MB
  • memory/2896-1-0x0000000000FD0000-0x000000000109E000-memory.dmp
    Filesize
    824KB