Analysis
max time kernel
15s
max time network
103s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
22-12-2023 20:22
Behavioral task
behavioral1
Sample
Adobe Download Manager.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Adobe Download Manager.exe
Resource
win10v2004-20231215-en
General
-
Target
Adobe Download Manager.exe
-
Size
2.0MB
-
MD5
cc38554b00499e85149b2c1c0a22473e
-
SHA1
13382965ec47a60dcf07aeadd7414f215099f564
-
SHA256
f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05
-
SHA512
0efe34a59ef8990aa40db6066128f44108c0bce914e450ba69cafae0664c3190cdbdfd0511e42a25e8f4d880e456ef2ccedcd690603e102ae4dcdf7170b2790c
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar payload 10 IoCs
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\windef.exe: family_quasar
- \Users\Admin\AppData\Local\Temp\windef.exe: family_quasar
- C:\Users\Admin\AppData\Local\Temp\windef.exe: family_quasar
- \Users\Admin\AppData\Local\Temp\windef.exe: family_quasar
- C:\Users\Admin\AppData\Local\Temp\windef.exe: family_quasar
- behavioral1/memory/2884-49-0x0000000000350000-0x00000000003AE000-memory.dmp: family_quasar
- \Users\Admin\AppData\Roaming\SubDir\winsock.exe: family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe: family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe: family_quasar
- behavioral1/memory/576-67-0x00000000010B0000-0x000000000110E000-memory.dmp: family_quasar
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 2160 vnc.exe
- 2884 windef.exe
Loads dropped DLL 8 IoCs
Processes (pid, process):
- 2488 Adobe Download Manager.exe (8 entries)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
- File opened (read-only) by Adobe Download Manager.exe: \??\u:, \??\z:, \??\g:, \??\h:, \??\m:, \??\q:, \??\s:, \??\t:, \??\i:, \??\p:, \??\w:, \??\b:, \??\e:, \??\j:, \??\k:, \??\l:, \??\y:, \??\a:, \??\n:, \??\o:, \??\r:, \??\v:, \??\x:
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 7 ip-api.com
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum by svchost.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 by svchost.exe
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 2160 set thread context of 2296: vnc.exe -> svchost.exe
- PID 2488 set thread context of 2640: Adobe Download Manager.exe -> Adobe Download Manager.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 2440 schtasks.exe
- 3068 schtasks.exe
- 1540 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
- 2488 Adobe Download Manager.exe (2 entries)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
- 2160 vnc.exe
Suspicious use of WriteProcessMemory 25 IoCs
Processes (description, pid, process, target process; 25 entries in total):
- PID 2488 wrote to memory of 2160: Adobe Download Manager.exe -> vnc.exe (4 entries)
- PID 2160 wrote to memory of 2296: vnc.exe -> svchost.exe (7 entries)
- PID 2488 wrote to memory of 2884: Adobe Download Manager.exe -> windef.exe (4 entries)
- PID 2488 wrote to memory of 2640: Adobe Download Manager.exe -> Adobe Download Manager.exe (6 entries)
- PID 2488 wrote to memory of 2440: Adobe Download Manager.exe -> schtasks.exe (4 entries)
Processes (process tree; indentation shows nesting level)
- C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vnc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -k
      - Maps connected drives based on registry
  - C:\Users\Admin\AppData\Local\Temp\windef.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWiTC4dk98DU.bat" "
  - C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)