Analysis
-
max time kernel
17s -
max time network
45s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
19-10-2022 19:02
General
-
Target
d281a343a9dc6952701c2eb3e6817b5604a0d824e2fca702f2ad1a7e102f1595.exe
-
Size
2.0MB
-
MD5
61dbc8c0bd5d8a83ab6e0aec3e4fe5b4
-
SHA1
32d85ed2a2cd2fa32b1234b97eb1afcf223f5b01
-
SHA256
d281a343a9dc6952701c2eb3e6817b5604a0d824e2fca702f2ad1a7e102f1595
-
SHA512
fc15940fa4e2847fedf3ac738e3f8bfb4b4baf3fa594d6be4a2b3abfcbe9be839383a3f5a8a127302d095409804600034cefe806f43dde50dc9d4bc6602b4eec
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYc:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yi
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 10 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d281a343a9dc6952701c2eb3e6817b5604a0d824e2fca702f2ad1a7e102f1595.exe"C:\Users\Admin\AppData\Local\Temp\d281a343a9dc6952701c2eb3e6817b5604a0d824e2fca702f2ad1a7e102f1595.exe"1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\d281a343a9dc6952701c2eb3e6817b5604a0d824e2fca702f2ad1a7e102f1595.exe"C:\Users\Admin\AppData\Local\Temp\d281a343a9dc6952701c2eb3e6817b5604a0d824e2fca702f2ad1a7e102f1595.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD51efce85e583a7a2f123317a20f889d04
SHA160f71aa73ea2e2a48ed1c17e3c6d440abf39c914
SHA2562b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d
SHA51245a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD582d5712099a57d33b0d5375cbb9312f5
SHA10595e4bef150b4bc1f2c90c3210c6953b337eed1
SHA256057e7736fbd45a36bb80c274099cc189c67fbaa0ade6b90ff2a5f9d8831dadf8
SHA512f814666ab5e9af61d35960d079241bd5c68677532375cdc7a571500ff4f9045190d0c62c8552fc9fcd8608b7ec9c843c2aac5aea8d3c5b69dbbb5b663349698e
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD582d5712099a57d33b0d5375cbb9312f5
SHA10595e4bef150b4bc1f2c90c3210c6953b337eed1
SHA256057e7736fbd45a36bb80c274099cc189c67fbaa0ade6b90ff2a5f9d8831dadf8
SHA512f814666ab5e9af61d35960d079241bd5c68677532375cdc7a571500ff4f9045190d0c62c8552fc9fcd8608b7ec9c843c2aac5aea8d3c5b69dbbb5b663349698e
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD582d5712099a57d33b0d5375cbb9312f5
SHA10595e4bef150b4bc1f2c90c3210c6953b337eed1
SHA256057e7736fbd45a36bb80c274099cc189c67fbaa0ade6b90ff2a5f9d8831dadf8
SHA512f814666ab5e9af61d35960d079241bd5c68677532375cdc7a571500ff4f9045190d0c62c8552fc9fcd8608b7ec9c843c2aac5aea8d3c5b69dbbb5b663349698e
-
memory/340-702-0x0000000000000000-mapping.dmp
-
memory/520-168-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-177-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-136-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-137-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-138-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-139-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-140-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-141-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-142-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-143-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-144-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-145-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-146-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-147-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-148-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-149-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-150-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-151-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-152-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-153-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-154-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-155-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-156-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-157-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-158-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-159-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-160-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-161-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-162-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-163-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-164-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-165-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-166-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-167-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-120-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-169-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-170-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-171-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-172-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-173-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-174-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-175-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-176-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-135-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-178-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-179-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-180-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-181-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-134-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-121-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-122-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-123-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-133-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-124-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-132-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-125-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-127-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-126-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-131-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-128-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-129-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/520-130-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/640-486-0x0000000000000000-mapping.dmp
-
memory/1232-386-0x0000000000000000-mapping.dmp
-
memory/1792-406-0x0000000000000000-mapping.dmp
-
memory/1792-507-0x0000000006F60000-0x0000000006F6A000-memory.dmpFilesize
40KB
-
memory/3468-185-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/3468-184-0x0000000077D60000-0x0000000077EEE000-memory.dmpFilesize
1.6MB
-
memory/3468-182-0x0000000000000000-mapping.dmp
-
memory/3552-280-0x00000000004B0000-0x000000000054C000-memory.dmpFilesize
624KB
-
memory/3552-253-0x0000000000000000-mapping.dmp
-
memory/3992-604-0x0000000000000000-mapping.dmp
-
memory/4044-654-0x0000000000E90000-0x0000000000F2C000-memory.dmpFilesize
624KB
-
memory/4044-603-0x0000000000000000-mapping.dmp
-
memory/4320-384-0x0000000006970000-0x00000000069AE000-memory.dmpFilesize
248KB
-
memory/4320-310-0x0000000005850000-0x00000000058E2000-memory.dmpFilesize
584KB
-
memory/4320-286-0x0000000000F70000-0x0000000000FCE000-memory.dmpFilesize
376KB
-
memory/4320-363-0x0000000006580000-0x0000000006592000-memory.dmpFilesize
72KB
-
memory/4320-300-0x0000000005E10000-0x000000000630E000-memory.dmpFilesize
5.0MB
-
memory/4320-186-0x0000000000000000-mapping.dmp
-
memory/4320-353-0x0000000005A10000-0x0000000005A76000-memory.dmpFilesize
408KB
-
memory/4372-662-0x000000000023A1F8-mapping.dmp
-
memory/4860-259-0x0000000000000000-mapping.dmp
-
memory/5088-248-0x000000000030A1F8-mapping.dmp
-
memory/5096-571-0x0000000000000000-mapping.dmp