Analysis
-
max time kernel
14s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12-01-2024 02:15
General
-
Target
5535f55418f15b6d9b5a0b1ce0e188fa.exe
-
Size
2.0MB
-
MD5
5535f55418f15b6d9b5a0b1ce0e188fa
-
SHA1
8ec5ef888cea7a6e26a2966567027729c59a5930
-
SHA256
cfcd49d4cdda56c40650cd1a751cb2be9b4f4e679c8723586933638c2b8d369f
-
SHA512
c910b20f5655a89064856c36cdc2a09a3170f4a63d9c0c5bcae7d20c8c2f457f7cfef1b343e3a28415e848508b70c353635d442833fac361723e08dd2b683b0d
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YF
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5535f55418f15b6d9b5a0b1ce0e188fa.exe"C:\Users\Admin\AppData\Local\Temp\5535f55418f15b6d9b5a0b1ce0e188fa.exe"1⤵
- Quasar RAT
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\22qZPYDPwqEG.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 23084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\5535f55418f15b6d9b5a0b1ce0e188fa.exe"C:\Users\Admin\AppData\Local\Temp\5535f55418f15b6d9b5a0b1ce0e188fa.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4344 -ip 43441⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mJXGQirmCFZt.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 23004⤵
- Program crash
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3460 -ip 34601⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winsock.exe.logFilesize
701B
MD55de8527438c860bfa3140dc420a03e52
SHA1235af682986b3292f20d8d71a8671353f5d6e16d
SHA256d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92
SHA51277c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8
-
C:\Users\Admin\AppData\Local\Temp\22qZPYDPwqEG.batFilesize
208B
MD5d5e5d4132a333cfaf14574077c2b4571
SHA18c432a4d3f9082627d9d3bc6abd9363b6cc2057e
SHA256552a5d9c60e416d6b630577c8b5466c217450610f64cc8b1fb62cad1662a1e58
SHA5122a53a5e2b7639138fd991ec6ca6a6d4c59d9353f9c5d5df09c369eb680fe70babb96f8843c638fa297487d85594136f82def80f6e7beba573b8a8fc2b6e25ce0
-
C:\Users\Admin\AppData\Local\Temp\mJXGQirmCFZt.batFilesize
208B
MD502ae7ab480815c344bb8b31a69b95812
SHA1c98babc3fc209f34d5e354bdf1f088059d367c73
SHA256eb57c6169a79f00aab5976f5f0fa64c2b5b8b3876191a868d395f7166e1486fc
SHA512e07719aad0e37fe939a25c871c0ac0209b69ec4cb6c8fd6648cf5734dc8ae800db9c2e01539f70fed629030ab74d9b76e50aa2d07a4748526d9fc6f1a0859aee
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\Logs\01-12-2024Filesize
224B
MD5924ef3e14f90ce3d7d8629615d37f765
SHA1656a7b8a18d3ea30f58b5cb6333e52d8b42a908f
SHA2564b65b4b7cd19e4f31df40002e1ed91953efcdedb58c3103018f894c3ab56d2ef
SHA512f9f22fe1af7a42a9b7eadbc40d21328a830bbd70a533e843bb767cb9655dae7f96372c095c2039d4e17570cdcc4f701b7fd9fc02c832889b7e8d507bcffaf232
-
C:\Users\Admin\AppData\Roaming\Logs\01-12-2024Filesize
224B
MD50c9a3aa00ab8ffbf81b1bf89250ca418
SHA17230b9fbe73c4f2d4c969747210a3cebec71f0c3
SHA256d0dddb0846cba956a5abe643b46c08176a8f774311a4b2713499b0233c9ec70d
SHA51201a933cb8968d11694a76bdc807b813a287dcfcebbd0d304602d3fd58b03d557724ac5e895c6b45248c72d3f697e4e3653e4ef18bfea22a1a790a14d69ea31d2
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD56c83f51bcd49aa9fe01919b71622980c
SHA10553dbe44bccfdf1c1f186ec082dc3598da48627
SHA256020f9c036dabeb829b75b476a314f5a48b74fe34e213309aaba277c531b07050
SHA51237ceea7c536182d96e7f084fc661cf2bf021f77560d4ec8884c048e48fcff826c41a1858bb566dd0c04a42748f719738d97a72d626a62dca49a06e92aa454a9d
-
memory/1208-35-0x0000000000DC0000-0x0000000000E5C000-memory.dmpFilesize
624KB
-
memory/1208-31-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/1208-30-0x0000000000DC0000-0x0000000000E5C000-memory.dmpFilesize
624KB
-
memory/1208-57-0x0000000000DC0000-0x0000000000E5C000-memory.dmpFilesize
624KB
-
memory/1272-117-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/1272-97-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/1960-89-0x0000000000330000-0x00000000003CC000-memory.dmpFilesize
624KB
-
memory/1960-88-0x0000000000330000-0x00000000003CC000-memory.dmpFilesize
624KB
-
memory/1960-87-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1960-118-0x0000000000330000-0x00000000003CC000-memory.dmpFilesize
624KB
-
memory/1960-93-0x0000000000330000-0x00000000003CC000-memory.dmpFilesize
624KB
-
memory/2044-28-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2044-19-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2260-42-0x0000000005790000-0x00000000057A0000-memory.dmpFilesize
64KB
-
memory/2260-39-0x0000000000CE0000-0x0000000000D3E000-memory.dmpFilesize
376KB
-
memory/2260-36-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/2260-40-0x0000000005C00000-0x00000000061A4000-memory.dmpFilesize
5.6MB
-
memory/2260-41-0x00000000057A0000-0x0000000005832000-memory.dmpFilesize
584KB
-
memory/2260-44-0x0000000006650000-0x0000000006662000-memory.dmpFilesize
72KB
-
memory/2260-53-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/2260-43-0x0000000005940000-0x00000000059A6000-memory.dmpFilesize
408KB
-
memory/2260-45-0x0000000006A90000-0x0000000006ACC000-memory.dmpFilesize
240KB
-
memory/3460-116-0x0000000005010000-0x0000000005020000-memory.dmpFilesize
64KB
-
memory/3460-121-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/3460-127-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/3460-122-0x0000000005010000-0x0000000005020000-memory.dmpFilesize
64KB
-
memory/3460-115-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4308-129-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4308-130-0x0000000005860000-0x0000000005870000-memory.dmpFilesize
64KB
-
memory/4308-133-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4308-134-0x0000000005860000-0x0000000005870000-memory.dmpFilesize
64KB
-
memory/4344-58-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4344-56-0x0000000006C50000-0x0000000006C5A000-memory.dmpFilesize
40KB
-
memory/4344-54-0x0000000005470000-0x0000000005480000-memory.dmpFilesize
64KB
-
memory/4344-52-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4344-70-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4412-64-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4412-65-0x0000000004F60000-0x0000000004F70000-memory.dmpFilesize
64KB
-
memory/4412-68-0x0000000072CF0000-0x00000000734A0000-memory.dmpFilesize
7.7MB
-
memory/4980-20-0x0000000003A40000-0x0000000003A41000-memory.dmpFilesize
4KB