Overview

overview

10

Static

static

10

dec50393eb...f3.exe

windows7-x64

10

dec50393eb...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe

  • Size

    968KB

  • MD5

    c82a3da38e0debb9a378f1dc3777c33e

  • SHA1

    aa6c7428f186d9498ca705b9c0d58736757a632e

  • SHA256

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

  • SHA512

    628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1

  • SSDEEP

    24576:FmtpMM4Qevjz8fSEhQKQWxUg9RzZtNMiTRqfLj:EpviIOYxUQRzZtNyj

Score
10/10
asyncratquasarstormkittyvenomratwindows securityevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

C2

37.0.14.203:7812

Mutex

VNM_MUTEX_2r4e6JnVsMyKl6Aod6

Attributes
  • encryption_key

    7m3r0pz1Q0GDX0J3KjKp

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Updated

  • subdirectory

    Win32

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Async RAT payload 1 IoCs
    rat
  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 1 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 2 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs
  • Detects executables referencing Discord tokens regular expressions 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables using Telegram Chat Bot 1 IoCs
  • Detects executables with interest in wireless interface using netsh 1 IoCs
  • Detects file containing reversed ASEP Autorun registry keys 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe
    "C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Updated" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2908
    • C:\Users\Admin\AppData\Roaming\Win32\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Win32\Windows Security.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Updated" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Win32\Windows Security.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2172
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BZHS1jtf6ZIY.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:2772
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:3324
          • C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe
            "C:\Users\Admin\AppData\Local\Temp\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:956
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
        1⤵
          PID:4308

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Modify Registry

        2
        T1112

        Impair Defenses

        2
        T1562

        Disable or Modify Tools

        2
        T1562.001

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3.exe.log
          Filesize

          1KB

          MD5

          10eab9c2684febb5327b6976f2047587

          SHA1

          a12ed54146a7f5c4c580416aecb899549712449e

          SHA256

          f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

          SHA512

          7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\BZHS1jtf6ZIY.bat
          Filesize

          261B

          MD5

          8887fe53971121aa779c1d8867d38c2b

          SHA1

          230cc34c01e21e1aff999fbc9c384bca6cccd9b1

          SHA256

          6f0977bbdf09d7940a1cc6f34c05f1a0d1da8f0010738b8bd354977c63af6336

          SHA512

          ed06d62e135157d4e7245b93e887c066ec9576caba225801e3eb2ead0c6d0bfdd318a7f3398865b740a9f02182daee0941c987c26df8519da0c15a5c40c058c3

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kqykf3ob.el2.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Win32\Windows Security.exe
          Filesize

          968KB

          MD5

          c82a3da38e0debb9a378f1dc3777c33e

          SHA1

          aa6c7428f186d9498ca705b9c0d58736757a632e

          SHA256

          dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

          SHA512

          628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1

          Download Submit
        • memory/2772-52-0x00000000073F0000-0x0000000007401000-memory.dmp
          Filesize

          68KB

          Download
        • memory/2772-54-0x0000000007430000-0x0000000007444000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2772-36-0x000000006FA20000-0x000000006FA6C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/2772-46-0x0000000006E50000-0x0000000006E6E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2772-59-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2772-56-0x0000000007510000-0x0000000007518000-memory.dmp
          Filesize

          32KB

          Download
        • memory/2772-55-0x0000000007530000-0x000000000754A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/2772-15-0x0000000004940000-0x0000000004976000-memory.dmp
          Filesize

          216KB

          Download
        • memory/2772-16-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2772-17-0x0000000004FB0000-0x00000000055D8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/2772-18-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2772-20-0x00000000057E0000-0x0000000005846000-memory.dmp
          Filesize

          408KB

          Download
        • memory/2772-19-0x0000000005740000-0x0000000005762000-memory.dmp
          Filesize

          136KB

          Download
        • memory/2772-35-0x0000000006E70000-0x0000000006EA2000-memory.dmp
          Filesize

          200KB

          Download
        • memory/2772-30-0x00000000058C0000-0x0000000005C14000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2772-31-0x0000000005E90000-0x0000000005EAE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2772-32-0x0000000005F50000-0x0000000005F9C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/2772-53-0x0000000007420000-0x000000000742E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/2772-51-0x0000000007470000-0x0000000007506000-memory.dmp
          Filesize

          600KB

          Download
        • memory/2772-50-0x0000000007260000-0x000000000726A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2772-49-0x00000000071F0000-0x000000000720A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/2772-47-0x00000000070B0000-0x0000000007153000-memory.dmp
          Filesize

          652KB

          Download
        • memory/2772-48-0x0000000007830000-0x0000000007EAA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/2836-68-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2836-1-0x0000000000140000-0x00000000001CC000-memory.dmp
          Filesize

          560KB

          Download
        • memory/2836-2-0x0000000005090000-0x0000000005634000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/2836-4-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2836-3-0x0000000004AE0000-0x0000000004B72000-memory.dmp
          Filesize

          584KB

          Download
        • memory/2836-5-0x0000000004B80000-0x0000000004BE6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/2836-60-0x000000007462E000-0x000000007462F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2836-61-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2836-0-0x000000007462E000-0x000000007462F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2836-6-0x0000000005030000-0x0000000005042000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2836-7-0x0000000005E20000-0x0000000005E5C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4148-34-0x00000000061A0000-0x00000000061AA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4148-63-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4148-62-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4148-14-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4148-13-0x0000000074620000-0x0000000074DD0000-memory.dmp
          Filesize

          7.7MB

          Download