General
-
Target
00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c
-
Size
934KB
-
Sample
241112-xr2r7axqdz
-
MD5
fee0d9b8fd3d7765f902463817e0db71
-
SHA1
a2e83ee17368cfbcaa52fa36eeb5b192e3d21c42
-
SHA256
00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c
-
SHA512
dfdf07b1c8211bb0bf3db619cbc07f7746f793bbb284247e6865d08e15dd83bccf668ea752f1431df51b508e69acb6eed291692119a4c72b3564bcc0124166fa
-
SSDEEP
12288:BkMv6/ZKWZFZJuugJ7PxAv1HXyg+S4ZcTAPxAGvxnnOF0T2l5sZjJ:BkMvOZJu/7Zsyg+eEP2GZEJOJ
Malware Config
Targets
-
-
Target
00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c
-
Size
934KB
-
MD5
fee0d9b8fd3d7765f902463817e0db71
-
SHA1
a2e83ee17368cfbcaa52fa36eeb5b192e3d21c42
-
SHA256
00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c
-
SHA512
dfdf07b1c8211bb0bf3db619cbc07f7746f793bbb284247e6865d08e15dd83bccf668ea752f1431df51b508e69acb6eed291692119a4c72b3564bcc0124166fa
-
SSDEEP
12288:BkMv6/ZKWZFZJuugJ7PxAv1HXyg+S4ZcTAPxAGvxnnOF0T2l5sZjJ:BkMvOZJu/7Zsyg+eEP2GZEJOJ
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
UAC bypass
-
Windows security bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies Security services
Modifies the startup behavior of a security service.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
5Disable or Modify Tools
4Indicator Removal
2File Deletion
2Modify Registry
8