Analysis
-
max time kernel
10s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
28-09-2021 09:08
General
-
Target
c468c0cee1e4f984dddcd81bfa0108b6f8fa97f6666ece1df8f912c52109feb9.exe
-
Size
2.0MB
-
MD5
5920ed3468ccde85c92f59e04d5130d4
-
SHA1
330083a380514918a1f0af9c4abfabf9aabf46e1
-
SHA256
c468c0cee1e4f984dddcd81bfa0108b6f8fa97f6666ece1df8f912c52109feb9
-
SHA512
5b5b97b8ad268d81bcc967dabb99ca3fdd855f443502a634de2ac3405c87eb525f4390dd240536ece3bff9ac8c2fc1a772faf5b16692ca769aa98456e1f30723
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar Payload 10 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
autoit_exe 3 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c468c0cee1e4f984dddcd81bfa0108b6f8fa97f6666ece1df8f912c52109feb9.exe"C:\Users\Admin\AppData\Local\Temp\c468c0cee1e4f984dddcd81bfa0108b6f8fa97f6666ece1df8f912c52109feb9.exe"1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k4Ce2KiUEZBW.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 18644⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\c468c0cee1e4f984dddcd81bfa0108b6f8fa97f6666ece1df8f912c52109feb9.exe"C:\Users\Admin\AppData\Local\Temp\c468c0cee1e4f984dddcd81bfa0108b6f8fa97f6666ece1df8f912c52109feb9.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logMD5
1efce85e583a7a2f123317a20f889d04
SHA160f71aa73ea2e2a48ed1c17e3c6d440abf39c914
SHA2562b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d
SHA51245a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c
-
C:\Users\Admin\AppData\Local\Temp\k4Ce2KiUEZBW.batMD5
922dc70a1558eee1fd5b0b53b7a6f4ca
SHA1832b77faad6c433672c889b4e97e0c5c6a30d87a
SHA256427570be12939775947354bbd69ee3573cb475e6a7a5468c7fbd8d4d4ccdbd31
SHA5126d6a410589588e095e7a10bc0a51f7cd70c90f9a94403dff09737ac51758d5c55b906e0561373d03418a13697d9dc16751f56827fd801397164aee6712a1acb0
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeMD5
b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeMD5
b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeMD5
b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeMD5
b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeMD5
b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeMD5
b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeMD5
b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeMD5
b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeMD5
b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeMD5
b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeMD5
8e730c9dceb6d63ea3032e5bd4e60368
SHA1ef2d5cdf5d1a9f3050f9d1f39ba55edd71083a01
SHA25687c3eb89af770962b714bdfddefb1d1b75b71893f506fdaf7ecfb54670a99792
SHA5120826e609f702816e07a78e2423dd3ffa75bd2aee442273a9d670498f2cfa2d232e532264eb7d0ee9cc4db4aa8e88f9f2f2475c10384193d3c481dc528c750c61
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeMD5
8e730c9dceb6d63ea3032e5bd4e60368
SHA1ef2d5cdf5d1a9f3050f9d1f39ba55edd71083a01
SHA25687c3eb89af770962b714bdfddefb1d1b75b71893f506fdaf7ecfb54670a99792
SHA5120826e609f702816e07a78e2423dd3ffa75bd2aee442273a9d670498f2cfa2d232e532264eb7d0ee9cc4db4aa8e88f9f2f2475c10384193d3c481dc528c750c61
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeMD5
8e730c9dceb6d63ea3032e5bd4e60368
SHA1ef2d5cdf5d1a9f3050f9d1f39ba55edd71083a01
SHA25687c3eb89af770962b714bdfddefb1d1b75b71893f506fdaf7ecfb54670a99792
SHA5120826e609f702816e07a78e2423dd3ffa75bd2aee442273a9d670498f2cfa2d232e532264eb7d0ee9cc4db4aa8e88f9f2f2475c10384193d3c481dc528c750c61
-
memory/412-162-0x0000000005360000-0x000000000585E000-memory.dmpFilesize
5.0MB
-
memory/412-156-0x0000000000000000-mapping.dmp
-
memory/616-114-0x0000000000000000-mapping.dmp
-
memory/768-168-0x0000000000000000-mapping.dmp
-
memory/768-178-0x00000000009F0000-0x00000000009F1000-memory.dmpFilesize
4KB
-
memory/768-179-0x0000000000950000-0x00000000009EC000-memory.dmpFilesize
624KB
-
memory/808-126-0x0000000001130000-0x000000000127A000-memory.dmpFilesize
1.3MB
-
memory/1084-155-0x0000000000000000-mapping.dmp
-
memory/1336-128-0x0000000000010000-0x00000000000AC000-memory.dmpFilesize
624KB
-
memory/1336-127-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/1336-119-0x0000000000000000-mapping.dmp
-
memory/1404-130-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/1404-137-0x00000000069B0000-0x00000000069B1000-memory.dmpFilesize
4KB
-
memory/1404-134-0x0000000005590000-0x0000000005A8E000-memory.dmpFilesize
5.0MB
-
memory/1404-117-0x0000000000000000-mapping.dmp
-
memory/1404-135-0x0000000005710000-0x0000000005711000-memory.dmpFilesize
4KB
-
memory/1404-132-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/1404-136-0x00000000065C0000-0x00000000065C1000-memory.dmpFilesize
4KB
-
memory/1404-133-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/1472-125-0x000000000041A1F8-mapping.dmp
-
memory/1472-120-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1600-186-0x0000000001320000-0x0000000001321000-memory.dmpFilesize
4KB
-
memory/1664-177-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/1664-169-0x0000000000000000-mapping.dmp
-
memory/1720-184-0x000000000041A1F8-mapping.dmp
-
memory/2136-129-0x0000000000000000-mapping.dmp
-
memory/2268-139-0x0000000000000000-mapping.dmp
-
memory/2268-146-0x0000000005470000-0x000000000596E000-memory.dmpFilesize
5.0MB
-
memory/2268-151-0x0000000006A10000-0x0000000006A11000-memory.dmpFilesize
4KB
-
memory/2480-166-0x0000000000000000-mapping.dmp
-
memory/3184-187-0x0000000000000000-mapping.dmp
-
memory/3456-152-0x0000000000000000-mapping.dmp
-
memory/3496-150-0x0000000000000000-mapping.dmp
-
memory/3568-138-0x0000000000000000-mapping.dmp
-
memory/3752-154-0x0000000000000000-mapping.dmp