Analysis

  • max time kernel: 149s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-08-2024 04:59

General

  • Target: Venom.exe
  • Size: 3.1MB
  • MD5: 1348632fc2ede08cab5db1cb174ff0d3
  • SHA1: 2a1966291aa0e7aee1b039a1a75fa4879489a2be
  • SHA256: 900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf
  • SHA512: 52f68303d71f1293b02784539ef3250a95cf9ef4cb868e26e381a86667ab4f5cfc5a36d462ff746dc021bc0420cf8f0b31b050ec4142fb1be4b8f626fae39edb
  • SSDEEP: 49152:avht62XlaSFNWPjljiFa2RoUYItFW7Bxn+oGdzTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYIrW2

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: Office04
  • C2: 192.168.0.246:4782
  • Mutex: 1e9de725-2f46-4350-b6c8-78b3b776a085

Attributes

  • encryption_key: ACF3D3BDCC7612495B863F26348AD4EE3B96458B
  • install_name: Client.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: venom
  • subdirectory: SubDir
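The values above are what a config extractor recovers from the client's embedded settings: Quasar 1.4 stores each setting as a base64 string encrypted under a master key (the encryption_key field) and the extractor only needs that key to unwrap the rest. Two things worth noting before relying on them: the C2 is an RFC 1918 address (192.168.0.246), so this build will never beacon out of the sandbox, and startup_key, subdirectory and install_name together predict the persistence the process tree below shows (a task named "venom" running %APPDATA%\SubDir\Client.exe). The following is an added example of that unwrap step, not code from the report or from the Quasar project. It assumes the `cryptography` package for AES; the scheme (PBKDF2-HMAC-SHA1 over a fixed salt for 50000 iterations, a 32-byte AES key followed by a 64-byte HMAC key, each setting stored as HMAC-SHA256 || IV || AES-256-CBC/PKCS7 ciphertext) and the SALT bytes are reproduced from Quasar's open-source Aes256 class and should be checked against the exact release before being trusted for other samples. The encrypted blobs are constructed here from the report's own values, since the report does not carry the raw embedded strings.

```python
"""Unwrap Quasar 1.4-style client settings with the extracted encryption_key.

Added example, not from the sandbox report or the Quasar project. SALT and
ITERATIONS are reproduced from Quasar's Aes256 class; verify against the
release the sample was built from. SAMPLE_FIELDS is constructed from the
report's extracted config.
"""
import base64
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SALT = bytes([0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24,
              0x30, 0xA5, 0x78, 0x43, 0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
              0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41])
ITERATIONS = 50000
MAC_LEN, IV_LEN = 32, 16

# master key as reported in the Malware Config section
ENCRYPTION_KEY = "ACF3D3BDCC7612495B863F26348AD4EE3B96458B"


def derive_keys(master_key):
    """One PBKDF2 stream, split the way Rfc2898DeriveBytes.GetBytes(32) then GetBytes(64) does."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), SALT, ITERATIONS, 96)
    return stream[:32], stream[32:]


def decrypt_setting(master_key, b64_blob):
    """Check the HMAC over IV||ciphertext, then AES-CBC-decrypt one setting.
    Raises ValueError when the MAC does not verify (wrong key or tampered blob)."""
    blob = base64.b64decode(b64_blob)
    if len(blob) < MAC_LEN + IV_LEN:
        raise ValueError("blob too short")
    mac, iv, ct = blob[:MAC_LEN], blob[MAC_LEN:MAC_LEN + IV_LEN], blob[MAC_LEN + IV_LEN:]
    enc_key, auth_key = derive_keys(master_key)
    if not hmac.compare_digest(mac, hmac.new(auth_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("invalid message authentication code")
    dec = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).decryptor()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(dec.update(ct) + dec.finalize()) + unpad.finalize()).decode("utf-8")


def encrypt_setting(master_key, plaintext, iv=None):
    """Builder-side inverse; used here only to produce blobs to decrypt."""
    enc_key, auth_key = derive_keys(master_key)
    iv = iv or os.urandom(IV_LEN)
    pad = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).encryptor()
    ct = enc.update(pad.update(plaintext.encode("utf-8")) + pad.finalize()) + enc.finalize()
    mac = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(mac + iv + ct).decode("ascii")


def extract_config(master_key, encrypted_fields):
    """Decrypt every field; HOSTS is a ';'-separated list of host:port C2 entries."""
    cfg = {name: decrypt_setting(master_key, blob) for name, blob in encrypted_fields.items()}
    if "HOSTS" in cfg:
        cfg["C2"] = [h for h in cfg["HOSTS"].split(";") if h]
    return cfg


# Constructed: plaintext settings matching the report, encrypted as the builder would.
SAMPLE_FIELDS = {
    "VERSION": "1.4.1",
    "HOSTS": "192.168.0.246:4782;",
    "TAG": "Office04",
    "MUTEX": "1e9de725-2f46-4350-b6c8-78b3b776a085",
    "STARTUPKEY": "venom",
    "SUBDIRECTORY": "SubDir",
    "INSTALLNAME": "Client.exe",
    "LOGDIRECTORYNAME": "Logs",
}
SAMPLE_ENCRYPTED = {k: encrypt_setting(ENCRYPTION_KEY, v) for k, v in SAMPLE_FIELDS.items()}

if __name__ == "__main__":
    for name, value in extract_config(ENCRYPTION_KEY, SAMPLE_ENCRYPTED).items():
        print(f"{name:18} {value}")
```

The MAC is checked before any decryption and compared in constant time; with a wrong master key the function fails on the MAC rather than returning garbage, which is the behaviour you want when brute-forcing candidate keys across a family of samples.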

Signatures

  • Quasar RAT
    Quasar is an open-source .NET remote access tool.
  • Quasar payload (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Browser Information Discovery (1 TTP)
    Enumerate browser information.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (27 IoCs)
  • Suspicious use of SendNotifyMessage (25 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Venom.exe
    "C:\Users\Admin\AppData\Local\Temp\Venom.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4296
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4408
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3bbccc40,0x7ffd3bbccc4c,0x7ffd3bbccc58
      2⤵
      PID:5000
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:2
      2⤵
      PID:2880
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2356 /prefetch:3
      2⤵
      PID:2972
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2388 /prefetch:8
      2⤵
      PID:3492
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3096 /prefetch:1
      2⤵
      PID:1728
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
      2⤵
      PID:2500
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4008,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:1
      2⤵
      PID:1516
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
      2⤵
      PID:2840
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
      2⤵
      PID:3100
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1032,i,1444920733750782867,12583820843056452278,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=208 /prefetch:8
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1256
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:1204
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:1340
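The part of this tree that matters is the Venom.exe branch: a binary in the user's Temp directory registers an ONLOGON task named "venom" (the config's startup_key) with /rl HIGHEST pointing at %APPDATA%\SubDir\Client.exe (subdirectory plus install_name), then launches that copy, which re-registers the identical task from its install location. The Downloads list shows Client.exe carries the same MD5/SHA256 as Venom.exe, so this is a self-copy, not a second-stage download. The chrome.exe, elevation_service.exe and svchost.exe trees are top-level processes with no parent link to the sample and are sandbox background activity; the "Drops file in System32 directory" and registry signatures attach to them, not to Venom.exe. The block below is an added detection example, not part of the report: it scores schtasks /create events on the generic features of this pattern (unattended trigger, highest run level, task action and parent image under a user-writable directory) rather than matching the literal command line, so it generalises to other names and paths, and it flags the "installed copy re-registers its own task" step by walking the parent chain. Events are constructed to mirror the tree above: PIDs, images and command lines are copied from the report, parent PIDs are inferred from the tree nesting, the parent PID 1000 for the top-level processes is assumed, and the cmd.exe/backup.exe pair is a constructed benign control.

```python
"""Score schtasks persistence over process-creation events.

Added example, not from the sandbox report. EVENTS mirrors the report's
process tree; ppid 1000 for top-level processes is assumed, and the last two
events are a constructed benign control.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

QUASAR_TASK = (r'"schtasks" /create /tn "venom" /sc ONLOGON '
               r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')

EVENTS = [
    Event(4804, 1000, r"C:\Users\Admin\AppData\Local\Temp\Venom.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Venom.exe"'),
    Event(4296, 4804, r"C:\Windows\SYSTEM32\schtasks.exe", QUASAR_TASK),
    Event(4844, 4804, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
          r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    Event(4408, 4844, r"C:\Windows\SYSTEM32\schtasks.exe", QUASAR_TASK),
    Event(4800, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    # constructed benign control: an admin registering a daily job from cmd.exe
    Event(9001, 1000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    Event(9002, 9001, r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 '
          r'/tr "C:\Program Files\Backup\backup.exe"'),
]

# Directories an unprivileged user can write to: the usual RAT install location.
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|users\\public|windows\\temp)\\", re.I)
UNATTENDED_TRIGGERS = {"onlogon", "onstart", "onidle"}


def win_split(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Simplified (no escape handling); sufficient for schtasks invocations."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Map schtasks /switches to their values; bare flags such as /f map to True."""
    argv = win_split(cmdline)
    opts, i = {}, 1
    while i < len(argv):
        if argv[i].startswith("/"):
            key = argv[i][1:].lower()
            if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
                opts[key] = argv[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def basename(path):
    return path.rsplit("\\", 1)[-1]


def lineage(pid, by_pid):
    """Ancestor chain as 'Name(pid)' strings, oldest known process first."""
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(f"{basename(ev.image)}({ev.pid})")
        pid = ev.ppid
    return " > ".join(reversed(chain))


def find_task_persistence(events, threshold=3):
    """Score every schtasks /create; return findings at or above threshold."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image).lower() != "schtasks.exe":
            continue
        opts = parse_schtasks(ev.cmdline)
        if "create" not in opts:
            continue
        action = opts.get("tr")
        action = action if isinstance(action, str) else ""
        parent = by_pid.get(ev.ppid)
        reasons = []
        if str(opts.get("sc", "")).lower() in UNATTENDED_TRIGGERS:
            reasons.append((f"trigger {opts['sc']}", 1))
        if str(opts.get("rl", "")).lower() == "highest":
            reasons.append(("run level HIGHEST", 1))
        if USER_WRITABLE.search(action):
            reasons.append(("action in user-writable dir", 2))
        if parent and USER_WRITABLE.search(parent.image):
            reasons.append(("parent launched from user-writable dir", 2))
        score = sum(w for _, w in reasons)
        if score < threshold:
            continue
        # installed copy re-registering itself: the /tr target is an ancestor's image
        ancestors, p = [], ev.ppid
        while p in by_pid:
            ancestors.append(by_pid[p].image.lower())
            p = by_pid[p].ppid
        findings.append({
            "pid": ev.pid, "task": opts.get("tn"), "action": action, "score": score,
            "reasons": [r for r, _ in reasons], "lineage": lineage(ev.pid, by_pid),
            "self_reregister": action.lower() in ancestors,
        })
    return findings


if __name__ == "__main__":
    for f in find_task_persistence(EVENTS):
        print(f"[score {f['score']}] task {f['task']!r} via {f['lineage']}")
        print(f"    action: {f['action']}")
        print(f"    reasons: {', '.join(f['reasons'])}; self-reregister: {f['self_reregister']}")
```

On real telemetry (Sysmon event 1 or Windows 4688 with command-line auditing) the same function runs unchanged once events are mapped onto the Event tuple; the threshold of 3 means an ONLOGON task alone is not enough, but any task whose action or creating process lives under AppData or ProgramData is, which is the trade-off that keeps legitimate admin jobs like the NightlyBackup control quiet.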

Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1256f6d4-506f-4a90-b6e1-d8dceaba3721.tmp

                          Filesize

                          7KB

                          MD5

                          8c6867c1896a210cec37e4ba0a6a35cd

                          SHA1

                          0500133c8e5c3d90ef93cb5529f60537a9e6cf6d

                          SHA256

                          1da5ca7de896a07df29fda81b23879c5594ffa559db9b9a10bd13ce37e165e2d

                          SHA512

                          cedc509cb39dacf7e35c105653e212d7ab86dc3414b9d5869e9597afb0bac6b126d79259b5b6d84141835268ef3c70a11fe62d5d4bf101e9f93756c6164272ad

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                          Filesize

                          1KB

                          MD5

                          c0d84a323bad9a9feac382b4c809e7f6

                          SHA1

                          5d7bae57d7d625e5cdd0376c375ea9f81a0b6916

                          SHA256

                          a607194f812b174cadf74f3c0c59df42512168bb5180b04852683a7d29d5bd54

                          SHA512

                          e56e3fcc7b0bd07d109168ce16c9633545bdac1696b425bc5cdd0968e3dccb1c9de7f5f4504188d11520ce92c0a45b3ae5d1e99795cfcf432dea81cad2d4680a

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                          Filesize

                          356B

                          MD5

                          d4d931fc5d355d48c715df1785958936

                          SHA1

                          0fcb4fbf86422e666fa1b2e49c5f838bbaad591e

                          SHA256

                          4fc79ff13ac541ad42ba1fda11fbd81a6c523cbe4207e490a9eade169377ae40

                          SHA512

                          bafb999c14fd03c0501681beacd6983c66e6c678ced15d2eb4da02421e87d6b37c6bdea132af5746d386896a34c422879c83e6c8e5870c2a03ec5777fe41a480

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          334af685017cc7b20c171bd8eb901caf

                          SHA1

                          d8d94d66e060eae889d484de4fbdb3cbb344828b

                          SHA256

                          557d0fe269a728aaf3e4915d19787da233fa37c36bf4759906d594fadf441303

                          SHA512

                          e9b5b38b174f722fcdccd89e9f11e2c7aadd9d03da2e10a22f3f19b9f7c067bcdf4753546c97638a885b0b517f471e6896f58b0d304dfac2ba1686cb224a86a4

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          b5b010045c1f41e82da8f7def6cb0552

                          SHA1

                          72d934d46d08800ff52bbb90df0c5189aaab166c

                          SHA256

                          ce5ca79b238db1ceda20767b1dca520a5093814d9f151e72585615df614f982f

                          SHA512

                          8dfbe03cba3af96e8d47ed0c10c4ee66cd4b6cbf0d3f1c32e65cb11f0a87200d60cc89ca830223da0e5c922605bcacbe06bd4cc1a82370ef3acd2e46502ce997

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          7KB

                          MD5

                          c58dfd5f206a4686f82c690debeacd25

                          SHA1

                          40e555b64f591abcf53a829b5aebc0c9b63324ee

                          SHA256

                          add3078e6fa91be4a6ac7c5d161442065d1b33644fb26a414802664a4e36eb1c

                          SHA512

                          61ee654d9cc6b9d112559c2680bbc7a6eb8899353692e09ea0728db88e83c59ca9a4bdf9219bf57c631edad0a6c2dc1c2c678318cb77fe9d4d024298046751ac

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          4c21c092355b343db326d62bc2391a3b

                          SHA1

                          27a8db149a681296c31ec09efdb0847dc3fd43aa

                          SHA256

                          a4940217f542a9870f436cc8c9ad0be7de8eb1b5c2fa35c47b6a705ed8e4b827

                          SHA512

                          4e34e55933f3db43700f8ed5882137c879ae97805a68d8ca800708f13f8be63a2d9d29e9476b8c2e4dfccb1665e25d91a153e786594dd3a2f3a19d82182a0da6

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          d8267d473cd09d2fb64fcea978451754

                          SHA1

                          40fa5dd97f011c373ea85eecce69af2892eb93e3

                          SHA256

                          0fec9dc986e3db77b8b093a29c57f3ba3880ee6e1c1901fcf5a7cb67a1ad7797

                          SHA512

                          9bf3115e2793129071441a9f48f8b729217f453eb0366def302ba4dd60d29ec3bc74a94e21568666ede8242cdc2eb521cf2e1971d301c66b5577a001a2146bf5

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          6f3df8637eeee3f9acecb49d7d9885a0

                          SHA1

                          7f3771ee2a766e25ea93d3685c2881f2ddc8199c

                          SHA256

                          502dddafa929152271fd130154ddbe7b494b5996fd487d479e6e67db90c4caa6

                          SHA512

                          f18f0fa894771730cd56c1fd3ffb2cd0ac28b5b80e9b371654bbd6d0a68ef049387cb80c86aea4eed71930f53387af55c98f81e84dd70333dfd1cb668050d3ca

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          07f7cba81302ceb5ad7e8e41bb4e4a0f

                          SHA1

                          94e62fdfe0f6e36c9d783564158dc3fd88691919

                          SHA256

                          b8c37c91f42ba5e1ef92c0c400927ae9ddc296b8a700f096a2bacca6d0534dfb

                          SHA512

                          e2e659d574b025359f8d9715b5e56ed32eb8999154c57167c72ffdd9a2b468d0434d7db1c1f8aa96da894c08b3c2fea14800772d8a82cbd19b726fa168084b99

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          6d1003467600bd39a6183f02ac10a92a

                          SHA1

                          096a9c8815120b70917bfb6a462bedae2223e1d3

                          SHA256

                          d187ff6ded7f0735cde6198c5620349cc16f637c01b088f28d82d13bb0741341

                          SHA512

                          f311928c3d92dc434c96e431748f8c40c234872554357c6d3dd5b1b157b71eb0d9061ff86df8837c1902dbeea28be47055c00a553c78cc778336236befe24ed4

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          Filesize

                          8KB

                          MD5

                          32fa1e116565d9149e7316da2bcb56cc

                          SHA1

                          de8f9483da80b919f517be0e32d3931318d7bfea

                          SHA256

                          b92e1d6eada74bb77ae079f178db0872b0a55de503cc938f354a9ea082d7cbc1

                          SHA512

                          9d56a269caa08becb0b487dce383640828f3ffcfdb35106dc92c73b10a0e3ff6244b56816f7e04e44a9ba8269a085831631db3d050ec965bb753c91c97a76d57

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                          Filesize

                          195KB

                          MD5

                          14c0ec83403940ffeb908eb14d0bc6e8

                          SHA1

                          15cd7ceaef3328ed40d117a1e24db4eac97f376f

                          SHA256

                          ca13ef97fd0021c9adc2bee0648aaf10bf1893d1fe4a24efe890c54b8dd4cdae

                          SHA512

                          2a7e525dc808e9ba1f923ef3288afe4be5ebb3185fd2022b3e12e25d0ce9ad11f1aa3bb105f86d2f4752579ca3f9e07afcad03cdc80e7f43281c29ff349f983b

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                          Filesize

                          195KB

                          MD5

                          cedd96495cd91b23aa374f9fd1a2edb4

                          SHA1

                          0afef949085e5d6939e742a8fa22f4695b7d1eae

                          SHA256

                          fe7aaa7d31ab9b4411f436091e4f4a06b051a955866f085df49803268d1dfdf8

                          SHA512

                          b81d1aeb6ab880373451b6b99ffc928acfeef88f582b65a72e35e47081cdc87615cdb06229c7ea88d68f64b75656f20e0ed175788c58f6c682e2289c708c6a78

                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

                          Filesize

                          3.1MB

                          MD5

                          1348632fc2ede08cab5db1cb174ff0d3

                          SHA1

                          2a1966291aa0e7aee1b039a1a75fa4879489a2be

                          SHA256

                          900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf

                          SHA512

                          52f68303d71f1293b02784539ef3250a95cf9ef4cb868e26e381a86667ab4f5cfc5a36d462ff746dc021bc0420cf8f0b31b050ec4142fb1be4b8f626fae39edb

                        • \??\pipe\crashpad_4800_CIYZBBCVXLSFDZNO

                          MD5

                          d41d8cd98f00b204e9800998ecf8427e

                          SHA1

                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                          SHA256

                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                          SHA512

                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                        • memory/4804-1-0x0000000000600000-0x0000000000924000-memory.dmp

                          Filesize

                          3.1MB

                        • memory/4804-2-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4804-9-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4804-0-0x00007FFD3ADA3000-0x00007FFD3ADA5000-memory.dmp

                          Filesize

                          8KB

                        • memory/4844-14-0x000000001C6F0000-0x000000001C740000-memory.dmp

                          Filesize

                          320KB

                        • memory/4844-58-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4844-57-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4844-56-0x000000001CFF0000-0x000000001D518000-memory.dmp

                          Filesize

                          5.2MB

                        • memory/4844-15-0x000000001C800000-0x000000001C8B2000-memory.dmp

                          Filesize

                          712KB

                        • memory/4844-11-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4844-10-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

                          Filesize

                          10.8MB