Analysis
-
max time kernel
4s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2023 18:22
Behavioral task
behavioral1
Sample
Adobe Download Manager.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Adobe Download Manager.exe
Resource
win10v2004-20231215-en
General
-
Target
Adobe Download Manager.exe
-
Size
2.0MB
-
MD5
2e9ba9334449304220a549e7a75447f4
-
SHA1
791d1648ee703e05b4749fcb99c8f45692e73787
-
SHA256
f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153
-
SHA512
91f5e99e4e69ece69f1eb4a72b69bf77e42092ad2bb40d6f480768148a2490f3bf747b507b3a52446d60eb53373f7f3b64d16fe1993e58dd10ec0430cf91bcff
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY1:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YL
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\windef.exe family_quasar behavioral2/memory/2956-29-0x0000000000710000-0x000000000076E000-memory.dmp family_quasar C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe family_quasar -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Adobe Download Manager.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation Adobe Download Manager.exe -
Executes dropped EXE 3 IoCs
Processes:
vnc.exewindef.exewinsock.exepid process 3756 vnc.exe 2956 windef.exe 1628 winsock.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Adobe Download Manager.exedescription ioc process File opened (read-only) \??\r: Adobe Download Manager.exe File opened (read-only) \??\s: Adobe Download Manager.exe File opened (read-only) \??\z: Adobe Download Manager.exe File opened (read-only) \??\b: Adobe Download Manager.exe File opened (read-only) \??\n: Adobe Download Manager.exe File opened (read-only) \??\o: Adobe Download Manager.exe File opened (read-only) \??\q: Adobe Download Manager.exe File opened (read-only) \??\i: Adobe Download Manager.exe File opened (read-only) \??\j: Adobe Download Manager.exe File opened (read-only) \??\k: Adobe Download Manager.exe File opened (read-only) \??\t: Adobe Download Manager.exe File opened (read-only) \??\a: Adobe Download Manager.exe File opened (read-only) \??\e: Adobe Download Manager.exe File opened (read-only) \??\g: Adobe Download Manager.exe File opened (read-only) \??\h: Adobe Download Manager.exe File opened (read-only) \??\y: Adobe Download Manager.exe File opened (read-only) \??\w: Adobe Download Manager.exe File opened (read-only) \??\l: Adobe Download Manager.exe File opened (read-only) \??\p: Adobe Download Manager.exe File opened (read-only) \??\u: Adobe Download Manager.exe File opened (read-only) \??\v: Adobe Download Manager.exe File opened (read-only) \??\m: Adobe Download Manager.exe File opened (read-only) \??\x: Adobe Download Manager.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 ip-api.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Adobe Download Manager.exedescription pid process target process PID 3996 set thread context of 3432 3996 Adobe Download Manager.exe Adobe Download Manager.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3128 3756 WerFault.exe vnc.exe 4340 1628 WerFault.exe winsock.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3784 schtasks.exe 1444 schtasks.exe 2436 schtasks.exe 4684 schtasks.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Adobe Download Manager.exepid process 3996 Adobe Download Manager.exe 3996 Adobe Download Manager.exe 3996 Adobe Download Manager.exe 3996 Adobe Download Manager.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
windef.exewinsock.exedescription pid process Token: SeDebugPrivilege 2956 windef.exe Token: SeDebugPrivilege 1628 winsock.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
winsock.exepid process 1628 winsock.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
Adobe Download Manager.exevnc.exewindef.exewinsock.exedescription pid process target process PID 3996 wrote to memory of 3756 3996 Adobe Download Manager.exe vnc.exe PID 3996 wrote to memory of 3756 3996 Adobe Download Manager.exe vnc.exe PID 3996 wrote to memory of 3756 3996 Adobe Download Manager.exe vnc.exe PID 3996 wrote to memory of 2956 3996 Adobe Download Manager.exe windef.exe PID 3996 wrote to memory of 2956 3996 Adobe Download Manager.exe windef.exe PID 3996 wrote to memory of 2956 3996 Adobe Download Manager.exe windef.exe PID 3756 wrote to memory of 3464 3756 vnc.exe svchost.exe PID 3756 wrote to memory of 3464 3756 vnc.exe svchost.exe PID 3756 wrote to memory of 3464 3756 vnc.exe svchost.exe PID 3996 wrote to memory of 3432 3996 Adobe Download Manager.exe Adobe Download Manager.exe PID 3996 wrote to memory of 3432 3996 Adobe Download Manager.exe Adobe Download Manager.exe PID 3996 wrote to memory of 3432 3996 Adobe Download Manager.exe Adobe Download Manager.exe PID 3996 wrote to memory of 3432 3996 Adobe Download Manager.exe Adobe Download Manager.exe PID 3996 wrote to memory of 3432 3996 Adobe Download Manager.exe Adobe Download Manager.exe PID 3996 wrote to memory of 3784 3996 Adobe Download Manager.exe schtasks.exe PID 3996 wrote to memory of 3784 3996 Adobe Download Manager.exe schtasks.exe PID 3996 wrote to memory of 3784 3996 Adobe Download Manager.exe schtasks.exe PID 2956 wrote to memory of 1444 2956 windef.exe schtasks.exe PID 2956 wrote to memory of 1444 2956 windef.exe schtasks.exe PID 2956 wrote to memory of 1444 2956 windef.exe schtasks.exe PID 2956 wrote to memory of 1628 2956 windef.exe winsock.exe PID 2956 wrote to memory of 1628 2956 windef.exe winsock.exe PID 2956 wrote to memory of 1628 2956 windef.exe winsock.exe PID 1628 wrote to memory of 2436 1628 winsock.exe schtasks.exe PID 1628 wrote to memory of 2436 1628 winsock.exe schtasks.exe PID 1628 wrote to memory of 2436 1628 winsock.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 5563⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwVprb15a27G.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 16764⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3756 -ip 37561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1628 -ip 16281⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\EwVprb15a27G.batFilesize
208B
MD570a4b49e6b7ea0c9afc528bdec279c97
SHA1060b0cd460002d665365c1c064b6b4e62e443764
SHA25694f508cc55550b78d1238d4fa43f0e05aba7fb1ab95e9f24b9ac897af8d37834
SHA512b122a66fd0f6fa58f2fa2249c4cbbbe8d857517e62994c48d43af50b2fbdf131d6b65abbfd65805fd378fa9a885884f79f85a0186ab50332f80648ff04e3f912
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\Logs\12-21-2023Filesize
224B
MD59b692dd221c3df7114fc4b961abba657
SHA1c7ef7eda878916c946260ced3155c1910c58498f
SHA25603d47f8a448eb209dd6695a74f7a7ea4deaf6ac464ca06c3286a245e0f78ac51
SHA5128ea8e6dccd1735395754d2a63fa73f22bbd7e7e726161bac9fb3d822af0e4f4bef7eed965432c820c02e2e39e8bba19dba4f7b2ffebed313ac041f45981c1215
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5edc5b54b22a7aacb303ea9e293750c14
SHA10b686e54828380699904c8d6788d951e7d82319c
SHA25620b78c6282aa58696cba56880a82b0c81c7414493d90e670590ce5c02bd5fc4b
SHA512784273119475abb719df24615d1e465b90883c8f659c429511014181b2caf0c14aa0bd9b615f28996d1565f0dadcd25fb5c0736f89dfa23e85a8683734b166a9
-
memory/1628-55-0x0000000072BF0000-0x00000000733A0000-memory.dmpFilesize
7.7MB
-
memory/1628-50-0x0000000072BF0000-0x00000000733A0000-memory.dmpFilesize
7.7MB
-
memory/1628-49-0x0000000006510000-0x000000000651A000-memory.dmpFilesize
40KB
-
memory/1628-47-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/1628-46-0x0000000072BF0000-0x00000000733A0000-memory.dmpFilesize
7.7MB
-
memory/2956-38-0x0000000006290000-0x00000000062CC000-memory.dmpFilesize
240KB
-
memory/2956-27-0x0000000072BF0000-0x00000000733A0000-memory.dmpFilesize
7.7MB
-
memory/2956-36-0x0000000005040000-0x00000000050A6000-memory.dmpFilesize
408KB
-
memory/2956-35-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/2956-45-0x0000000072BF0000-0x00000000733A0000-memory.dmpFilesize
7.7MB
-
memory/2956-34-0x00000000050F0000-0x0000000005182000-memory.dmpFilesize
584KB
-
memory/2956-31-0x00000000056A0000-0x0000000005C44000-memory.dmpFilesize
5.6MB
-
memory/2956-37-0x0000000005D50000-0x0000000005D62000-memory.dmpFilesize
72KB
-
memory/2956-29-0x0000000000710000-0x000000000076E000-memory.dmpFilesize
376KB
-
memory/3432-30-0x0000000000A80000-0x0000000000AA0000-memory.dmpFilesize
128KB
-
memory/3432-20-0x0000000000A80000-0x0000000000AA0000-memory.dmpFilesize
128KB
-
memory/3996-18-0x0000000003780000-0x0000000003781000-memory.dmpFilesize
4KB
-
memory/4444-57-0x0000000072BF0000-0x00000000733A0000-memory.dmpFilesize
7.7MB
-
memory/4444-61-0x0000000072BF0000-0x00000000733A0000-memory.dmpFilesize
7.7MB
-
memory/4444-62-0x0000000005080000-0x0000000005090000-memory.dmpFilesize
64KB