Analysis
-
max time kernel
4s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
21-12-2023 18:24
General
-
Target
Adobe Download Manager.exe
-
Size
2.0MB
-
MD5
2e9ba9334449304220a549e7a75447f4
-
SHA1
791d1648ee703e05b4749fcb99c8f45692e73787
-
SHA256
f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153
-
SHA512
91f5e99e4e69ece69f1eb4a72b69bf77e42092ad2bb40d6f480768148a2490f3bf747b507b3a52446d60eb53373f7f3b64d16fe1993e58dd10ec0430cf91bcff
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY1:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YL
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 5483⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hI8lJN5gZi9c.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 22324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3924 -ip 39241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 836 -ip 8361⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 5203⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 948 -ip 9481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Temp\hI8lJN5gZi9c.batFilesize
208B
MD5b6aa593a3359161270eb56e5657e4315
SHA1a59d567dae33147508a387d524f8394c2c65f2ca
SHA2566adc04a0891cbcb05f106f32b6dff8683aaa453e77d530cab65c59dd15ff0c79
SHA512a62309a7a15daf7b407c718f10dc1657e9de2683621f46770f4dade8f9cc38d3e3f264da2de54a0f48259661cc01650559c9eb1d3bd2a47ad233ce828a7b2418
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
222KB
MD5423f7c5ae6986da923e73ee601b20b91
SHA1ef317db62be906ac6a86b8dcbb22cae088c130dc
SHA256be0cb4366fe2792a194ab3e76a791d02c724b7cc2267c68b56be1b1307e0a016
SHA5120a72324c1dee3df6ff50b64c95ca7e8e31241c021576c995c20bf8f810b39d20b0dc2ce01c84a24bafdfba4ec3e1a01f73e2fefcf8d03fbbe331a32019e0c6fa
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
116KB
MD54bbb0fde08e4401fade8a58f9eb7865d
SHA13ace12e20ece35ab52f37f3463c127e0e5c33375
SHA2566bb4a37cbaefccca0d3c207133dbf725b4207cba0eb788d3f4bcd573658b4659
SHA51216b25e775040b73de15744125c808489b233d6752ed332a94fc9d2132168ef85692ebac4610fadae86edcbd0bd4beb6f5da8ea17a12ccf60e03e07eff66263c3
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
140KB
MD5ada67babf6db79cbc5261ed1b2590cde
SHA133059c0382f74f144021623ef9fbaa7072550267
SHA2566d387713af6008908c8c19abb526d46ab6ef59eca4678e8e481552cd3cf69466
SHA5127ff5069676f1ddfc7843dab27b7f8b1e4dd2ec1d18dd5dd8a743551bd981a6db3abdcf0adab7641589fcc09cbe3ec50d831f760d4e9084c59ce9252ce57a4afb
-
C:\Users\Admin\AppData\Roaming\Logs\12-21-2023Filesize
224B
MD5a3c3d9bd3d2ce99ba99dfbb5313e6483
SHA1356b908cbbc9ebad153be8c1b79ddf2faf62a604
SHA2561fb284ae7739900833b59323b0bbf68376699a2888d4099689e97601e50d6d19
SHA51259d402cd332deca147c5761da109560d294f515e69cf3e0ea004097f529ea44da218e0de274bd84faf93e40a7024da16a33821ab0d58f926345c6e36a8b6a200
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD50022f81e42d102d0817f9ba2621f077b
SHA16274e0e9fc2f26dc2128f35d96c46d3e9d9cf874
SHA25654988ba51806326275f64addb198137d3807e1fbf3ac03d74eea994be9b65541
SHA512aca6a00feec5a63e7fd370890562273bc40fe7c7e8aaac64e60fb020181f565a45126af07ff69402154e9edfad9c619bc27de1b6892483d8b267bea76198b409
-
memory/836-55-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/836-47-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/836-50-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/836-49-0x0000000006340000-0x000000000634A000-memory.dmpFilesize
40KB
-
memory/836-45-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/1148-82-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/1148-83-0x0000000004F60000-0x0000000004F70000-memory.dmpFilesize
64KB
-
memory/1148-94-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/2212-58-0x0000000004E10000-0x0000000004E20000-memory.dmpFilesize
64KB
-
memory/2212-96-0x0000000004E10000-0x0000000004E20000-memory.dmpFilesize
64KB
-
memory/2212-95-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/2212-57-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/2264-31-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2264-19-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3100-21-0x0000000002650000-0x0000000002651000-memory.dmpFilesize
4KB
-
memory/3552-26-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/3552-33-0x0000000005340000-0x0000000005350000-memory.dmpFilesize
64KB
-
memory/3552-32-0x0000000005200000-0x0000000005292000-memory.dmpFilesize
584KB
-
memory/3552-27-0x00000000057B0000-0x0000000005D54000-memory.dmpFilesize
5.6MB
-
memory/3552-24-0x0000000000860000-0x00000000008BE000-memory.dmpFilesize
376KB
-
memory/3552-46-0x00000000737D0000-0x0000000073F80000-memory.dmpFilesize
7.7MB
-
memory/3552-36-0x0000000002C30000-0x0000000002C96000-memory.dmpFilesize
408KB
-
memory/3552-37-0x0000000005FA0000-0x0000000005FB2000-memory.dmpFilesize
72KB
-
memory/3552-38-0x00000000064E0000-0x000000000651C000-memory.dmpFilesize
240KB
-
memory/5028-97-0x00000000042E0000-0x00000000042E1000-memory.dmpFilesize
4KB