Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
12-07-2024 01:04
General
-
Target
RDP Brute_Cracked.exe
-
Size
1.7MB
-
MD5
bd5cd7f77a38e709cb03b8b60cfcc15c
-
SHA1
ed59b52ea4c63ffd6322bcb43155f2245048a541
-
SHA256
4f66d0ced260b21359d60081d26c57bdeb3b54a293d084201589019d79379e8e
-
SHA512
0f5973d3b16362cc2540065188bd3650be6622a8bf3b1bb6e310ec3f395292b916c0b1dd3514497a78efee847da16bf559eb21b3225d80ffb4ded4819a8a4b63
-
SSDEEP
24576:Cj5yx6uJa4WiXV15W/F4A8A3GpF8EfE1FF1ehGXeRxm8F0EJSoUkgBbt:e59+WaV1J6GpFDEV1eEox10EPEbt
Malware Config
Extracted
quasar
2.1.0.0
kgf6
23.105.131.187:7812
VNM_MUTEX_Yv6S9FB2pcVgrrmUN6
-
encryption_key
4Kz1OwOQ5f9Qc8aAEQ9S
-
install_name
Windows Security Health Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
SubDir
Extracted
quasar
2.1.0.0
kgf5
23.105.131.187:7812
VNM_MUTEX_NOLy9wmTFSi1F4L2HO
-
encryption_key
8jlBZS9It7EamPWEVqxP
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE 13 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RDP Brute_Cracked.exe"C:\Users\Admin\AppData\Local\Temp\RDP Brute_Cracked.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUIU0E70fV8G.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security Health Service.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEdmf2jADmeq.bat" "4⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\RDP Brute_Cracked.exe"C:\Users\Admin\AppData\Roaming\RDP Brute_Cracked.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706B
MD51b078d78e73002021f4dd7d664994c4b
SHA155a0e705823a78167f8555a011922ce11cd52632
SHA256d037fa9fcd062ca5c2f8bec1b1a92adede33b9d2546e12b78dd413f1f5c07b40
SHA5127ceb0622c3a05305b203f3e4402f573ce3c46619ee1505ed09c4efa75671fd3fd9567338b156dfe7c576e3aa5252939c973b1e2b807a8423c66a79bb56ebf0eb
-
Filesize
507B
MD529b1c5a4105d370da2522f68d9c52bd1
SHA1c952a431188c21c550ba710be0e1375df4d7a74d
SHA2567bb26a298a5bff4d6935ef09f7bc80114835e0a7a8858d1ddffc34d31918d23b
SHA51274934a93170b794349b91c6e05f3d2eb7edd48a5b88eebeef4368eba5f089139888a6fe6f4e5de557b3ce1d061468e6ace99d26848bdbc4c2b798f7c24782e5d
-
Filesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
Filesize
18KB
MD54458604205aa1aff7b94ec432a9ea79b
SHA19e19870ef40cf30725bce0d80bb00b1b5794ca9c
SHA256a8a1f01cc74df5d60645fd4fb3fe34d9889dae94aa34605f2da5f829ffd080b2
SHA5129385323781dd196bf6a831e35b74001f2918dc220e94175151788c9ea180ef6d9daabbc343c3e5471dfab98df4aa4d47f4d9817267bf575e32cffcc058da379d
-
Filesize
219B
MD5c1cd4df8dd54c52254572a6a2d74930b
SHA17e975e61667ff025220bdbc07b2d23fcbe5a8f44
SHA25616dab7f955c690933036e65c38e6b0f0aee5e1d4adc3529b7835a9b5bb920ccf
SHA5123bb4e2bcfe11975db51d7a3e1348bfcfeb611de5bb143ea66cbb02b0eae3224af736af474c27a9e9230288bfd9a55c5b1424ee1f132da89ea27873f804ac0aec
-
Filesize
208B
MD56f3407ad0aadad52f4c719ec0afdfd4c
SHA1c1a933fb8382eb8d13ec126a0a9c361ea9cdd133
SHA256440f6ef9de00e98d0d54427e9c2c6c8f8c1ea7c4e0df77671c44966cd1dcf10b
SHA51262e09cb3c80618cdce518f0bec09d668467ed933a22833b505ace60c8fd6c9aa2384659eff6d1d1d8136a26c8584b20712e65fe6cc2f590acc57c977a826832f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
224B
MD5dcf7f40283ead6147d43be681b775f81
SHA1ad052f2661ace84b9f9758fcb3306cde1cfc20f7
SHA2564dc5b4ba75091c8cb7c3915153271ac0150e9c8fa4c84baee3e019400189ab76
SHA512adc136cd8c479fd11a591f8d956d59c0df9d61390d5f1c24f1ab49fd3e63f90af53abdf40cb5015656b2ca505169c6a556682fe3df32a62374f913d3b8fbe617
-
Filesize
680KB
MD511fd02d3ea805ec220aa7365977a91fd
SHA1515f8b62940c7a3121647f8fb21a735b570a7ae2
SHA256c9bdc04ed6f4c4641d445a8de2df40fdc4caeb475b747f129d870948df53ff25
SHA51225b31d38259545625bc85926ab148a3d3c1c5d494f68c5c916d2a2d37ba066e1c65119325eece62e2dd715f6a8b79dc148f228929680a812413d25a9100eec8b
-
Filesize
659KB
MD564d8e9454e6aee8ab06ff04de44b5a78
SHA1ec3882f5fcd42fb5cba64f36c8e8aad053ce0809
SHA25688328daff21d049a4b50d0a997e747efe559faa8a6345f6637730ad5679311e1
SHA512ece5de5ecf5ad8b4db363a8701206ac47b76e313368ce3bf30a5b22634ac3ff621d348be5441ed85c2adf61a405b6917dde2cb793e3095a9c71d26378d8dc7d8
-
Filesize
560KB
MD5a1840a96c2aac71cc19d6d16e79ed089
SHA1a5e6648c4424385954a9bf0d5680006c7ff959fc
SHA2564b522519d68c7a32d1586526f74a5cc5b84827a0c606d2ea21b064d893016e86
SHA512e3c779077adea0081d38da4c6601e3d130c514cbb7bf21be353a7fbf0d1e6fb321b8278e08386f90b7d7ee19f6a340e0b273e75fe5f9edea985920cb421dc229
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
408KB
-
Filesize
560KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
688KB
-
Filesize
8KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
84KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
656KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
208KB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
6.5MB
-
Filesize
32KB
-
Filesize
68KB
-
Filesize
688KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
560KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB