Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
12-07-2024 01:04
General
-
Target
RDP Brute_Cracked.exe
-
Size
1.7MB
-
MD5
bd5cd7f77a38e709cb03b8b60cfcc15c
-
SHA1
ed59b52ea4c63ffd6322bcb43155f2245048a541
-
SHA256
4f66d0ced260b21359d60081d26c57bdeb3b54a293d084201589019d79379e8e
-
SHA512
0f5973d3b16362cc2540065188bd3650be6622a8bf3b1bb6e310ec3f395292b916c0b1dd3514497a78efee847da16bf559eb21b3225d80ffb4ded4819a8a4b63
-
SSDEEP
24576:Cj5yx6uJa4WiXV15W/F4A8A3GpF8EfE1FF1ehGXeRxm8F0EJSoUkgBbt:e59+WaV1J6GpFDEV1eEox10EPEbt
Malware Config
Extracted
quasar
2.1.0.0
kgf6
23.105.131.187:7812
VNM_MUTEX_Yv6S9FB2pcVgrrmUN6
-
encryption_key
4Kz1OwOQ5f9Qc8aAEQ9S
-
install_name
Windows Security Health Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
SubDir
Extracted
quasar
2.1.0.0
kgf5
23.105.131.187:7812
VNM_MUTEX_NOLy9wmTFSi1F4L2HO
-
encryption_key
8jlBZS9It7EamPWEVqxP
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RDP Brute_Cracked.exe"C:\Users\Admin\AppData\Local\Temp\RDP Brute_Cracked.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uLqPyvR7lkgl.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s8IjwR4OiJT6.bat" "4⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\RDP Brute_Cracked.exe"C:\Users\Admin\AppData\Roaming\RDP Brute_Cracked.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706B
MD5f8bcaf312de8591707436c1dcebba8e4
SHA1a1269828e5f644601622f4a7a611aec8f2eda0b2
SHA256f0f5a90777c70cdceea22bd66b33c1703a318acc45cb012d0b01585a1ac12b29
SHA5123a714f5950584abbc94a27bbd4623bfc5acb1135c8c9fca4d74e70c8481b71ace7dbc1dfbf101dd07c76a050acfb4852f31dd57fc7ae196382336c5edc9e6413
-
Filesize
507B
MD576ffb2f33cb32ade8fc862a67599e9d8
SHA1920cc4ab75b36d2f9f6e979b74db568973c49130
SHA256f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
SHA512f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5760ef2ed50f0f42213deb0c9b84eddd1
SHA198b547abb71eeb37036d6f4c002efbf1bdfba995
SHA256353db300891fe9708fccfedc5bd7c0ebd7a2e028b2d8e791c5b161726b32ea33
SHA512160a23ca6aacdae9bd0855308067c09ed6f7896dc9577b719a8a0fbb15b07d581ff754358499fd5ada07f2943f166f84ba9d29a6057554d0e1eb50cbc9b2d519
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
208B
MD5cdc11e0c869bb2dabe34481e71d820f5
SHA1949ab161254011adce9d9bca02aab44eacc07f65
SHA256678950c7bdbbbe1949419b5a23d79c8910246d7065a99da16761e6fe32ba41b6
SHA5124cdc17e413799d2d28e8611c9dc1b42f18b67e378d60177f2ab8d997901d1b89bceaf89ccfe8227400402a68d69c1a1f56d77b85df5c8589b0efaf99061c963a
-
Filesize
219B
MD501a67249866d08ad4c0c3b70319c43dd
SHA17ba139db4947fc10162f4111bcc3be9200cd9f85
SHA256ce8bd3693b8af002ecb78319ed821a1174f00bf69eef453e0951107522e9f2c5
SHA512fd5e1ccd0792f8623160fdc0d15b0606f8add5f62a57988475de878c8e5611bac77972590356ba7c7ee2792cda765a24f90335a48d7cb27624899dc3670d65ed
-
Filesize
224B
MD555871997210e9743c993f3335b7f065d
SHA1027e06fa871080f33aaf031a55ef67ebaf764cff
SHA256beb5f4fdd857fdb62e3cd6cb21dd604b79e6c81ec3076a10ce873a2207e5dc84
SHA5123d6a766371e87e92b8a9ea72eb1c6dac0c8272ed7f14be626f8a5d4ae3a390cd2380bdf4ef16e95e5627ab9b9adc20341068b569b8dc1290c03a2d2cfb484985
-
Filesize
680KB
MD511fd02d3ea805ec220aa7365977a91fd
SHA1515f8b62940c7a3121647f8fb21a735b570a7ae2
SHA256c9bdc04ed6f4c4641d445a8de2df40fdc4caeb475b747f129d870948df53ff25
SHA51225b31d38259545625bc85926ab148a3d3c1c5d494f68c5c916d2a2d37ba066e1c65119325eece62e2dd715f6a8b79dc148f228929680a812413d25a9100eec8b
-
Filesize
659KB
MD564d8e9454e6aee8ab06ff04de44b5a78
SHA1ec3882f5fcd42fb5cba64f36c8e8aad053ce0809
SHA25688328daff21d049a4b50d0a997e747efe559faa8a6345f6637730ad5679311e1
SHA512ece5de5ecf5ad8b4db363a8701206ac47b76e313368ce3bf30a5b22634ac3ff621d348be5441ed85c2adf61a405b6917dde2cb793e3095a9c71d26378d8dc7d8
-
Filesize
560KB
MD5a1840a96c2aac71cc19d6d16e79ed089
SHA1a5e6648c4424385954a9bf0d5680006c7ff959fc
SHA2564b522519d68c7a32d1586526f74a5cc5b84827a0c606d2ea21b064d893016e86
SHA512e3c779077adea0081d38da4c6601e3d130c514cbb7bf21be353a7fbf0d1e6fb321b8278e08386f90b7d7ee19f6a340e0b273e75fe5f9edea985920cb421dc229
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
652KB
-
Filesize
3.3MB
-
Filesize
80KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
72KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
8KB
-
Filesize
688KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
584KB