Analysis
-
max time kernel
0s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22-12-2023 20:19
General
-
Target
Adobe Download Manager.exe
-
Size
2.0MB
-
MD5
cc38554b00499e85149b2c1c0a22473e
-
SHA1
13382965ec47a60dcf07aeadd7414f215099f564
-
SHA256
f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05
-
SHA512
0efe34a59ef8990aa40db6066128f44108c0bce914e450ba69cafae0664c3190cdbdfd0511e42a25e8f4d880e456ef2ccedcd690603e102ae4dcdf7170b2790c
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 5563⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 10884⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iS2Tvt0VBiXL.bat" "4⤵
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2268 -ip 22681⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1252 -ip 12521⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 5362⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4612 -ip 46121⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"1⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"1⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Temp\iS2Tvt0VBiXL.batFilesize
208B
MD54f19e65d1f010fdbd064eb37fdd05f48
SHA14bbb1315e5d5f0e2da92fdd91ec21eeed9c8050a
SHA256d436167ff6aef3ab1f695fb776d0611695b6839f4d830a3d5375b1ac26d625e3
SHA51228b1d6e164a8b4277aa2f3451af74a3eb2bd47daef72745b024ab917341e76609073f40cf6c419744bc2fe7078c229fe361490bcedefd40885ed0d3513b87a03
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
30KB
MD5922c024c85d29e4d06dc6d4a6c72dc40
SHA1ef2ded08af2ba12023b5f94d750a927e76ac35fa
SHA256a6edcce5960fece5174c4acc2750578dd19438dfb0ff1a5bd80571a73447c12a
SHA512b385b95bbfbe79be07f5e4aa71c40e87d52122d18e3696bcae314269c9b3cc4cbe81de13297bf82a4ef131f70321d7998e6a5691488c412b1d334b16a7cad535
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
97KB
MD5aca4ff0a969e990c3736c8e8b3a877d9
SHA187c7d433024801b9f6b4d27932077a00875da48b
SHA25683e8a5df7fd75933370a151bb7b820a70329a4e35c95ba45f1c10c74f69beff4
SHA512892547cd15308ed712d6af73a09fde32b7b788241c46c49fa5a84a06dcf031077c3799b757434469c075a93850484499821629d7592cf4ae5c6ef6d46f2cc1d7
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
44KB
MD59e033d81a6ab732cdb1c11a16e5ef78c
SHA135d07b469dc7add52710c491590b2757d593b54c
SHA256d77850f203e4f0149ed11da0eb43126cc1300cc46248e2e50056f962ba97843b
SHA51295fe43a743bae337df9602262dd32e4caf04b95baf340be99eee59a9b40658b25d369bf2c326ecde08c53f441db0b4de3386e80a5150da747eefbf5590fe0521
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
272KB
MD53db7cf259ebe84d31d7bfa8eb2affc11
SHA1abf8badb7395298f66944e4addcd6db380a1e8cc
SHA2568a0d8c2e19bf3c30bbcdb54977f9669690179fc09853c6f19e6923e274f59dc4
SHA5125ccfe66bae264d93a953ba8f3f5d2f62a130ecf9fdd561829f5869fa72e140823fbba0ab8360d7ca0360f93a6d72f20c1a537e3238cd25b916ccad78dfd45e2f
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
158KB
MD5172b807ba0e863d10315402a7f97b27a
SHA165a4d5350c37621e8ce7bc6bc474a01e844e5147
SHA25645debc2234d001750604a48e0fc024285b5427458e548ac690260d0c9bfc5935
SHA51238f8eab79d07d722c7188c3ff31e91bbeb622766424f2c0cf07ea714e815fda50dc17241bc3519b6e6253ead7e187b460e5595f0d635a6de9ed98330d8a31e87
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
227KB
MD5c1e6e319c95ed2bc4804883589af376f
SHA1baaa1b0b0fdfe67bd50c1c2dca46864ae5c440e3
SHA256310f8856407447c6f57a3b81d84aa4663e59490319b06137b6bff90706d62735
SHA5126f7e7805197d50a7b9be25821c60455fc6b51eeada28cfa58027be9ed132983c270b3df36f04a890ac0f58ceaf645baab7c5730a4db61bcca8a4eb0d491d0656
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
163KB
MD5d14fce806c7b404f6e1f9dcd9da0df64
SHA1191473590803d015bf122abdf339f26134a64de2
SHA25661958fd372439e89baef921ac949c97b701a2727e91361ced3a05369e17a8bd7
SHA512c48639cc6ce7180e5e12e91c7b53758d6063b219f959f0165c9c69e79b14162e51916f511d559bafd1dc230b2cfa5a7e46e39385dd5205216a2b046a1ec96338
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
83KB
MD573b6ab3766c6ad9fbd6454a92d6cf917
SHA1ea4861b6cb59c31bfb5939509d985cf016afc985
SHA256e4bfc86df9175af0089b65b9e108a4cd57e941ba7546805ea37c25ec820ed27b
SHA5128af216b0a3383c6715945ff2fe25c8b1e1f9d31272e16cebfced45d265fcef0fbafdd9c86ab91cb404cc7085e91302c61df08a36227076a1eea9889b658d058f
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
58KB
MD523c0ebd04a8e6f258b4c5aeabc9fb18b
SHA17eb4e48473356844727b6d852203c4b171966016
SHA256d776a9d3f22145dfa8d1eef5acdd5288ddc6d0aa16610ccd69c8b8da3d4773e0
SHA51213490432174b6338d0c3428b5423b6359019b5add71028d686d774d8c5f86c84901200e09e267ec8d108fcd81608682b2da2064446d5a5c1d29ed0587aea8a95
-
C:\Users\Admin\AppData\Roaming\Logs\12-22-2023Filesize
224B
MD5571e14d5ebcd6a6cab3224d8591244f6
SHA1f13b94d8db8c0a0cd03455b6c9979b7b363e08cb
SHA2560c1ffa7308fffb39bc6c49c0e98ed8efdb4b2d10d58b31919e351da91eeb4c1e
SHA5124d7e50091dc1268c0e8a2a78009dd9a2cee91dee27d6618333cdb0d5b924a4c572b73363184f1d8ef17403034f58abf5286f7e88b43d4ce7eeb6e70b373cef03
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
23KB
MD52c9177e0b815572086199e7901c200b9
SHA16d18d34d6505d04d012fa08ed0ee18c373fcdfe0
SHA2566e009f9740d5973d1d5437ba424e0b572c39641307d9a14aa8904c8c76a424eb
SHA512be5b7c73d371378625f8fb6f8af80990398f338f7cbc3f50e8b9feba700d367203e1cfdddd0b4dfd97f01e6316cb0f3534f1cd8227d84de78d2c62b600468d80
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
43KB
MD5c42324e5b45cce9c68012290032daa11
SHA12c0073a6790e67c3759b1b87fe85df36d63e6414
SHA2567529c5531eb1b261f199810c65bcec777eea9bfd1d456bdb2da9552a33142622
SHA512f01305df8cb6bd75df70e09b504289fc8ee3be6dfa87dbf2ac2f3abb97e6ded10772e8578b9b5f6502e9b01c63c6fe2d6ea6fb82b7a1d86faf32cbb5ecfde286
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
46KB
MD5887eccb1b97d37425856840918e74613
SHA1e7b96d9db44a664d8d5f956a68856d725ce071c3
SHA256aa99e1c1bf9efff00e3cf34641b043e60ba4e94bba51d2dac976b5cf7af77795
SHA51236705db9e39988797dc04ff06cdcb06e20145d87d89698170739303a48a4a883dfec6e2c488dbbdde702f7fd5428b39d7ed3a3c2b09d2ff99c3b2b287bb966b8
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
24KB
MD582662e9e3ef154fd199896c82287599f
SHA11f23a8c4662daa305ee8e9321874afc6daf09f5d
SHA256187e9ea95e66fd8e5ff822cc2450b5612b1b23a52f0d0c51f1390d8024b5e0d0
SHA5120e78db238d919109a0636aa99d5c1cc9255f5706ba1527baceb9639b68ebc12dcc1ebb6da7b01419560eade94f0edfbb9fa78e6a18dcf409269d8921a221a67c
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
69KB
MD5bd4d18f97ef5c820614eab149a26450f
SHA1c3dc13d985a002482ba08939a40dab64617fe102
SHA2561e53879c66ea1a64cb6ec195a140dbfa9b8f93ea10f9920bc7e5571e8f2ad3b8
SHA512c3e7f4aeb78cdb8689912b40604e6a0da362bd4fbba173452aa577b58529a8f0243e3240f3f4fb6960609f5cc66602624806fa2f0100747b5c8b8b901dd6f276
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
30KB
MD52f45735c24809419ba4a29ce48fef02d
SHA10a61e2f738b013f77174fb4917290dd88dbf90d3
SHA2565dc6ba0e1deddd5395dc651954cce80f42d686f9a2be72dd3a52109b1f63909a
SHA512f5d17bc998c5cae5f4c2fea94d7c66202b2546d39eedb33b0fccad9b31155626cbdf112b1522fcbd2627c7cfe68fbae7cf119ce710316ab363fb3a7d715849a4
-
memory/1252-47-0x00000000057F0000-0x0000000005800000-memory.dmpFilesize
64KB
-
memory/1252-55-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/1252-45-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/1252-49-0x0000000006C80000-0x0000000006C8A000-memory.dmpFilesize
40KB
-
memory/1252-50-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/2388-21-0x0000000001250000-0x0000000001251000-memory.dmpFilesize
4KB
-
memory/2664-37-0x0000000005290000-0x00000000052A2000-memory.dmpFilesize
72KB
-
memory/2664-28-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/2664-38-0x0000000006080000-0x00000000060BC000-memory.dmpFilesize
240KB
-
memory/2664-29-0x00000000052D0000-0x0000000005874000-memory.dmpFilesize
5.6MB
-
memory/2664-46-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/2664-25-0x00000000003D0000-0x000000000042E000-memory.dmpFilesize
376KB
-
memory/2664-35-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/2664-36-0x0000000004DC0000-0x0000000004E26000-memory.dmpFilesize
408KB
-
memory/2664-32-0x0000000004D20000-0x0000000004DB2000-memory.dmpFilesize
584KB
-
memory/2812-58-0x0000000004E40000-0x0000000004E50000-memory.dmpFilesize
64KB
-
memory/2812-57-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/2812-95-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3672-82-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/3672-83-0x0000000005610000-0x0000000005620000-memory.dmpFilesize
64KB
-
memory/3672-94-0x0000000072DF0000-0x00000000735A0000-memory.dmpFilesize
7.7MB
-
memory/4352-31-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4352-19-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB