Overview

overview

10

Static

static

3

estadodecu...co.exe

windows7-x64

10

estadodecu...co.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    estadodecuenta332652referenciaembargorentdawwwdiangovco.exe

  • Size

    798KB

  • MD5

    4c4dfb410229ae29494d7053d2e05d66

  • SHA1

    fb51f3d30ab1780cc93bb47aff9fae4fe92bc0a3

  • SHA256

    7b620a850f9af37d6abc81ef1a7a72da6b8ca2d696b9a83ebe8e4b8f99a77f23

  • SHA512

    cc5fde78dc8cb6032046e7fb302a561eda90e7dac1532f63d41e8efcf8c7cb077bb3da35e9755ac19da7a8cbe90a4a592a491bd49657f80288fb5ff071841029

  • SSDEEP

    24576:OxsgdEeOsRu/W+VRm0/CnUPjVwKHb94YMFniyyA:OxTdZOsRu/m6AUPCKHRMFnyA

Score
10/10
quasarevasionpersistencespywaretrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs
    evasiontrojan
  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe
    "C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe
      "C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Modifies security service
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2844
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:3020
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /delete /tn "iceTelemetryLogtte" /f
        3⤵
          PID:1164
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2244
        • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
          "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1424
          • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
            "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Modifies security service
            • UAC bypass
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3948
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe" /f
              5⤵
              • Creates scheduled task(s)
              PID:4216
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /delete /tn "iceTelemetryLogtte" /f
              5⤵
                PID:3660
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "powershell" Get-MpPreference -verbose
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4452

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      4
      T1562

      Disable or Modify Tools

      4
      T1562.001

      Modify Registry

      7
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\estadodecuenta332652referenciaembargorentdawwwdiangovco.exe.log
        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        3d58e276c0f6e103538fde4b5c4d8554

        SHA1

        9d7ca4cfd64ee00cf64a93f8d9aefb82bcbf03bf

        SHA256

        44dbb2810305610a4c6859dc4f00e54a18fd06d17b7a4f14b6c3e7e589ac6feb

        SHA512

        2d61fda7acb89e9bc48d4aca6c3f7c89f55b54abdab8e7dcb3c3a850ac6640b8424053c83558a4f84c2544f38cca9ab154a6fb9b5345932ce9a72c3df1afc988

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvwhea2g.thx.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
        Filesize

        798KB

        MD5

        4c4dfb410229ae29494d7053d2e05d66

        SHA1

        fb51f3d30ab1780cc93bb47aff9fae4fe92bc0a3

        SHA256

        7b620a850f9af37d6abc81ef1a7a72da6b8ca2d696b9a83ebe8e4b8f99a77f23

        SHA512

        cc5fde78dc8cb6032046e7fb302a561eda90e7dac1532f63d41e8efcf8c7cb077bb3da35e9755ac19da7a8cbe90a4a592a491bd49657f80288fb5ff071841029

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GPret\settings.xml
        Filesize

        137B

        MD5

        35ae653da00f7ac6aee281aefa18212d

        SHA1

        3d220fa684c1dd2f9cb5403291c9a4ba7e7902e4

        SHA256

        0d0a2eed740207234505c6fb090716ff9924e251020f864776cee1d5b89e0b30

        SHA512

        7f57ba870278a724326e9b6e5485b465efaeb911c3e4ec4e3921d60a8a92962b16236c8e5f9516b873bac651996e72ae3df7a6fa068b2b83c2858ce21c3e9b3a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GPret\settings.xml
        Filesize

        84B

        MD5

        0670ea91a3ff99e765de101bacc1ce56

        SHA1

        3b83e99ae94105ffe78aab1b4e2dab1187b4b0f7

        SHA256

        7dc01c0f1c1d2aa56555d951562ebc455718d3ca7c8e25bd59d42ad5b46b2f2b

        SHA512

        4063b047638fd8cf8927bd360e2426416a6f154a986ad9f6b2c2d6278f7aab41f96c0c9e32c042d3d32fc6779d204012890f76e389681f6f63985b4f93a6d84d

        Download Submit

      • memory/2116-4-0x0000000005A40000-0x0000000005A4A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2116-8-0x0000000005B30000-0x0000000005B46000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2116-9-0x0000000006770000-0x000000000680E000-memory.dmp

        Filesize

        632KB

        Download

      • memory/2116-10-0x0000000008CC0000-0x0000000008D5C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2116-7-0x0000000005B20000-0x0000000005B30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2116-6-0x0000000005AE0000-0x0000000005B00000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2116-14-0x00000000745A0000-0x0000000074D50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2116-5-0x00000000745A0000-0x0000000074D50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2116-3-0x0000000005990000-0x0000000005A22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2116-2-0x0000000005F40000-0x00000000064E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2116-1-0x0000000000DE0000-0x0000000000EAE000-memory.dmp

        Filesize

        824KB

        Download

      • memory/2116-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2244-41-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2244-60-0x0000000007200000-0x000000000720E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2244-34-0x00000000055C0000-0x0000000005626000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2244-33-0x0000000005520000-0x0000000005542000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2244-26-0x00000000046D0000-0x0000000004706000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2244-39-0x0000000005830000-0x0000000005B84000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2244-40-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2244-63-0x00000000072F0000-0x00000000072F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2244-42-0x0000000006260000-0x0000000006292000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2244-53-0x0000000006E80000-0x0000000006E9E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2244-43-0x000000006F990000-0x000000006F9DC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2244-54-0x0000000006EA0000-0x0000000006F43000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2244-56-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2244-55-0x0000000007610000-0x0000000007C8A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2244-57-0x0000000007040000-0x000000000704A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2244-58-0x0000000007250000-0x00000000072E6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2244-59-0x00000000071D0000-0x00000000071E1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2244-27-0x0000000004E90000-0x00000000054B8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2244-61-0x0000000007210000-0x0000000007224000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2244-62-0x0000000007310000-0x000000000732A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2844-15-0x00000000745A0000-0x0000000074D50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2844-23-0x0000000006970000-0x0000000006982000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2844-71-0x00000000745A0000-0x0000000074D50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2844-22-0x0000000006670000-0x00000000066D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2844-16-0x00000000745A0000-0x0000000074D50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2844-24-0x00000000069D0000-0x0000000006A0C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2844-11-0x0000000000400000-0x000000000045C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/4452-91-0x0000000005A80000-0x0000000005DD4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4452-93-0x00000000064B0000-0x00000000064FC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4452-94-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4452-104-0x0000000007190000-0x0000000007233000-memory.dmp

        Filesize

        652KB

        Download

      • memory/4452-105-0x00000000074A0000-0x00000000074B1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4452-106-0x00000000074E0000-0x00000000074F4000-memory.dmp

        Filesize

        80KB

        Download