Analysis
-
max time kernel
37s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22-12-2023 20:22
General
-
Target
Adobe Download Manager.exe
-
Size
2.0MB
-
MD5
cc38554b00499e85149b2c1c0a22473e
-
SHA1
13382965ec47a60dcf07aeadd7414f215099f564
-
SHA256
f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05
-
SHA512
0efe34a59ef8990aa40db6066128f44108c0bce914e450ba69cafae0664c3190cdbdfd0511e42a25e8f4d880e456ef2ccedcd690603e102ae4dcdf7170b2790c
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HNbUcxNO02ak.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyzU3zpyOygt.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 20406⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 18484⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4284 -ip 42841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2896 -ip 28961⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Temp\HNbUcxNO02ak.batFilesize
208B
MD51e2a9093d591442619ba8a1fec5c5725
SHA13c0dffc631f414aec3d1f50ec9132483a48b56f0
SHA256ead6136a6c4a93d27fff32ebdda107a394c17add34bfd754919f100395df93d2
SHA51277a3f093f1debeaaaa4345cbc48d7cbcc19661406310f42357ceef8c64e988deac1aa06f380211f30addbc19bc48d4ddc36971be3d30b7847ea145b0f884387c
-
C:\Users\Admin\AppData\Local\Temp\PyzU3zpyOygt.batFilesize
208B
MD5ea21a4f8b00fccf68c9d2317c9d8fe7d
SHA1efdb4f49a21f3864a7f5e38241f2f6c4596a4465
SHA256b1d26157a7765aa41cc2e12036ed2146680cfae4521d8ba1fae44cc320ce14bf
SHA51231484b86f8069ff194db17ec784afce390a95e190c9f1ff13124d9e68683d14c84594ec725cc54205fb3480262e9a4017a121fb4b399a0b312b58347c8b5dd60
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
21KB
MD5e21ec9c0d66627a70214e1fbe5a7b93a
SHA1daa31abdbcd52b2086c8fb3d439a26125d4fc2c2
SHA256b0d52b60e57f5cc39dc5208776386b332da4a9cc15291d6c4b6438f3688ef8b4
SHA512523e012d241c278f26902d6ee11852fb91a3aafa2c48efbb4f05278be5ddfb379b152d0dd69e70515c20867534f1a35cce65482f11cd1531029d84548eb3fd04
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\Logs\12-22-2023Filesize
224B
MD518b25a5859febcf6b9bb8f0e326801b9
SHA163a622e6d54a79553bf79178a0a359e6509c6168
SHA256e8feaae863337adab2a5e90284b418a1cd36f45d9c0fe6c5796fb380f8f4b301
SHA51273607d576454c733949e41b3f0fdd26ec8cdf5e307dbf5b0431c367603cb1d9f5102575a59eb178511c6c8ecb1e1c64f04ede51774c0076b820eb51802476f34
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD503a740fec4932baa8f5f7c049073aaae
SHA13dc8b049973e9bfe46761add1e871ab988ece982
SHA25671cab7b77c557e3b49454c12b632644d6571dca938b2d0154db7b40767f13759
SHA5129c76c90241e450296e278794fd718c4e5a6265c9a3f2c0b5e51632b7e132fada4e3ee484261ff19c6e631041fe316515f7cb4e92b24ef66054bf0c46c4a8d59b
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
1.1MB
MD5cb7ddae1e0c5a29e366d87a04698ea69
SHA16ac67a228de5f748590bbc4051ab4c343ed88ed3
SHA25617281e3a6adf50645a674e630f6e1f14fda6bedfa0d998c46ac0a8f8f542b0df
SHA512f1e2242c4d5722ee6e68418e271957c71fe660531e6822b6d304ff4f0eb2a89a90d6a48dfb30da26d4dc8bfeae1a2b95afbd85ffff1aed214cd5076dd23333e0
-
memory/1740-54-0x0000000005070000-0x0000000005080000-memory.dmpFilesize
64KB
-
memory/1740-43-0x0000000005420000-0x0000000005486000-memory.dmpFilesize
408KB
-
memory/1740-26-0x00000000005C0000-0x000000000061E000-memory.dmpFilesize
376KB
-
memory/1740-35-0x0000000005560000-0x0000000005B04000-memory.dmpFilesize
5.6MB
-
memory/1740-56-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/1740-44-0x0000000006170000-0x0000000006182000-memory.dmpFilesize
72KB
-
memory/1740-45-0x00000000065B0000-0x00000000065EC000-memory.dmpFilesize
240KB
-
memory/1740-47-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/1740-21-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/1740-42-0x0000000005070000-0x0000000005080000-memory.dmpFilesize
64KB
-
memory/1740-39-0x0000000005080000-0x0000000005112000-memory.dmpFilesize
584KB
-
memory/1776-52-0x0000000000470000-0x000000000050C000-memory.dmpFilesize
624KB
-
memory/1776-28-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/1776-37-0x0000000000470000-0x000000000050C000-memory.dmpFilesize
624KB
-
memory/1776-27-0x0000000000470000-0x000000000050C000-memory.dmpFilesize
624KB
-
memory/2116-124-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/2116-122-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/2116-121-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/2732-102-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/2732-91-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/2732-90-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/2896-110-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/2896-111-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/2896-125-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/2896-115-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/2896-114-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/3756-92-0x0000000000BD0000-0x0000000000BF0000-memory.dmpFilesize
128KB
-
memory/3756-101-0x0000000000BD0000-0x0000000000BF0000-memory.dmpFilesize
128KB
-
memory/3932-38-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3932-19-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3952-22-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/4076-74-0x0000000000ED0000-0x0000000000ED1000-memory.dmpFilesize
4KB
-
memory/4076-107-0x0000000000E30000-0x0000000000ECC000-memory.dmpFilesize
624KB
-
memory/4076-80-0x0000000000E30000-0x0000000000ECC000-memory.dmpFilesize
624KB
-
memory/4076-76-0x0000000000E30000-0x0000000000ECC000-memory.dmpFilesize
624KB
-
memory/4284-59-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/4284-65-0x0000000004E70000-0x0000000004E80000-memory.dmpFilesize
64KB
-
memory/4284-108-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB
-
memory/4284-58-0x0000000006810000-0x000000000681A000-memory.dmpFilesize
40KB
-
memory/4284-53-0x0000000073020000-0x00000000737D0000-memory.dmpFilesize
7.7MB