Overview

overview

10

Static

static

10

Adobe Down...er.exe

windows7-x64

10

Adobe Down...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    4s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2023 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adobe Download Manager.exe

  • Size

    2.0MB

  • MD5

    2e9ba9334449304220a549e7a75447f4

  • SHA1

    791d1648ee703e05b4749fcb99c8f45692e73787

  • SHA256

    f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153

  • SHA512

    91f5e99e4e69ece69f1eb4a72b69bf77e42092ad2bb40d6f480768148a2490f3bf747b507b3a52446d60eb53373f7f3b64d16fe1993e58dd10ec0430cf91bcff

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY1:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YL

Score
10/10
azorultquasarebayprofilesinfostealerspywaretrojan

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443
Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
          PID:3464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 556
          3⤵
          • Program crash
          PID:3128
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:1444
        • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            4⤵
            • Creates scheduled task(s)
            PID:2436
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwVprb15a27G.bat" "
            4⤵
              PID:4104
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                5⤵
                  PID:2376
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  5⤵
                  • Runs ping.exe
                  PID:4328
                • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                  5⤵
                    PID:4444
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                      6⤵
                      • Creates scheduled task(s)
                      PID:4684
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1676
                  4⤵
                  • Program crash
                  PID:4340
            • C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
              "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
              2⤵
                PID:3432
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
                2⤵
                • Creates scheduled task(s)
                PID:3784
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3756 -ip 3756
              1⤵
                PID:1308
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1628 -ip 1628
                1⤵
                  PID:752
                • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                  1⤵
                    PID:3340
                  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                    1⤵
                      PID:2920
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                        PID:3312

                      Network

                      MITRE ATT&CK Matrix ATT&CK v13

                      Initial Access

                      Execution

                      Scheduled Task/Job

                      1
                      T1053

                      Persistence

                      Scheduled Task/Job

                      1
                      T1053

                      Privilege Escalation

                      Scheduled Task/Job

                      1
                      T1053

                      Defense Evasion

                      Credential Access

                      Discovery

                      Query Registry

                      2
                      T1012

                      System Information Discovery

                      3
                      T1082

                      Peripheral Device Discovery

                      1
                      T1120

                      Remote System Discovery

                      1
                      T1018

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Resource Development

                      Reconnaissance

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\EwVprb15a27G.bat
                        Filesize

                        208B

                        MD5

                        70a4b49e6b7ea0c9afc528bdec279c97

                        SHA1

                        060b0cd460002d665365c1c064b6b4e62e443764

                        SHA256

                        94f508cc55550b78d1238d4fa43f0e05aba7fb1ab95e9f24b9ac897af8d37834

                        SHA512

                        b122a66fd0f6fa58f2fa2249c4cbbbe8d857517e62994c48d43af50b2fbdf131d6b65abbfd65805fd378fa9a885884f79f85a0186ab50332f80648ff04e3f912

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                        Filesize

                        405KB

                        MD5

                        b8ba87ee4c3fc085a2fed0d839aadce1

                        SHA1

                        b3a2e3256406330e8b1779199bb2b9865122d766

                        SHA256

                        4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

                        SHA512

                        7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\windef.exe
                        Filesize

                        349KB

                        MD5

                        b4a202e03d4135484d0e730173abcc72

                        SHA1

                        01b30014545ea526c15a60931d676f9392ea0c70

                        SHA256

                        7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

                        SHA512

                        632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Logs\12-21-2023
                        Filesize

                        224B

                        MD5

                        9b692dd221c3df7114fc4b961abba657

                        SHA1

                        c7ef7eda878916c946260ced3155c1910c58498f

                        SHA256

                        03d47f8a448eb209dd6695a74f7a7ea4deaf6ac464ca06c3286a245e0f78ac51

                        SHA512

                        8ea8e6dccd1735395754d2a63fa73f22bbd7e7e726161bac9fb3d822af0e4f4bef7eed965432c820c02e2e39e8bba19dba4f7b2ffebed313ac041f45981c1215

                        Download Submit
                      • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                        Filesize

                        2.0MB

                        MD5

                        edc5b54b22a7aacb303ea9e293750c14

                        SHA1

                        0b686e54828380699904c8d6788d951e7d82319c

                        SHA256

                        20b78c6282aa58696cba56880a82b0c81c7414493d90e670590ce5c02bd5fc4b

                        SHA512

                        784273119475abb719df24615d1e465b90883c8f659c429511014181b2caf0c14aa0bd9b615f28996d1565f0dadcd25fb5c0736f89dfa23e85a8683734b166a9

                        Download Submit
                      • memory/1628-55-0x0000000072BF0000-0x00000000733A0000-memory.dmp
                        Filesize

                        7.7MB

                        Download
                      • memory/1628-50-0x0000000072BF0000-0x00000000733A0000-memory.dmp
                        Filesize

                        7.7MB

                        Download
                      • memory/1628-49-0x0000000006510000-0x000000000651A000-memory.dmp
                        Filesize

                        40KB

                        Download
                      • memory/1628-47-0x0000000005220000-0x0000000005230000-memory.dmp
                        Filesize

                        64KB

                        Download
                      • memory/1628-46-0x0000000072BF0000-0x00000000733A0000-memory.dmp
                        Filesize

                        7.7MB

                        Download
                      • memory/2956-38-0x0000000006290000-0x00000000062CC000-memory.dmp
                        Filesize

                        240KB

                        Download
                      • memory/2956-27-0x0000000072BF0000-0x00000000733A0000-memory.dmp
                        Filesize

                        7.7MB

                        Download
                      • memory/2956-36-0x0000000005040000-0x00000000050A6000-memory.dmp
                        Filesize

                        408KB

                        Download
                      • memory/2956-35-0x0000000004FC0000-0x0000000004FD0000-memory.dmp
                        Filesize

                        64KB

                        Download
                      • memory/2956-45-0x0000000072BF0000-0x00000000733A0000-memory.dmp
                        Filesize

                        7.7MB

                        Download
                      • memory/2956-34-0x00000000050F0000-0x0000000005182000-memory.dmp
                        Filesize

                        584KB

                        Download
                      • memory/2956-31-0x00000000056A0000-0x0000000005C44000-memory.dmp
                        Filesize

                        5.6MB

                        Download
                      • memory/2956-37-0x0000000005D50000-0x0000000005D62000-memory.dmp
                        Filesize

                        72KB

                        Download
                      • memory/2956-29-0x0000000000710000-0x000000000076E000-memory.dmp
                        Filesize

                        376KB

                        Download
                      • memory/3432-30-0x0000000000A80000-0x0000000000AA0000-memory.dmp
                        Filesize

                        128KB

                        Download
                      • memory/3432-20-0x0000000000A80000-0x0000000000AA0000-memory.dmp
                        Filesize

                        128KB

                        Download
                      • memory/3996-18-0x0000000003780000-0x0000000003781000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/4444-57-0x0000000072BF0000-0x00000000733A0000-memory.dmp
                        Filesize

                        7.7MB

                        Download
                      • memory/4444-61-0x0000000072BF0000-0x00000000733A0000-memory.dmp
                        Filesize

                        7.7MB

                        Download
                      • memory/4444-62-0x0000000005080000-0x0000000005090000-memory.dmp
                        Filesize

                        64KB

                        Download