Analysis
-
max time kernel
4s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
27-06-2024 23:44
General
-
Target
856ed8013769af776eef34ca1d294c1d8746407e7b51c2380b9da7501f4cb53d.exe
-
Size
2.0MB
-
MD5
8d07d5f9e4d8868c87a2319720478ec7
-
SHA1
92d1a1d47a79a359020d8b8bf8741d8f3e2a213a
-
SHA256
856ed8013769af776eef34ca1d294c1d8746407e7b51c2380b9da7501f4cb53d
-
SHA512
e56f18a795bc2d29a3b1957bbc7cdc641d9b366cc1502a1087c6a5b0c3d628f11d8887ef75ed9f79c7fd8cd572fbd99296602afdd5dc805357aa476ac5dbde3e
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YV
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\856ed8013769af776eef34ca1d294c1d8746407e7b51c2380b9da7501f4cb53d.exe"C:\Users\Admin\AppData\Local\Temp\856ed8013769af776eef34ca1d294c1d8746407e7b51c2380b9da7501f4cb53d.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 5483⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5fS28DLn7ij1.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qO5MXoXKVMXT.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 19646⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 22404⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\856ed8013769af776eef34ca1d294c1d8746407e7b51c2380b9da7501f4cb53d.exe"C:\Users\Admin\AppData\Local\Temp\856ed8013769af776eef34ca1d294c1d8746407e7b51c2380b9da7501f4cb53d.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Quasar RAT
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 51001⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 5203⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3432 -ip 34321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 444 -ip 4441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2628 -ip 26281⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
208B
MD59a26ed1382f105fe3731dd4efa696424
SHA10a9d69396b72a0a8559e5831128620688652b8ef
SHA2561b697504240058b9b5aa80970eb043f3d20d4af4330bfef7ac0f8f8d577de464
SHA51204e671e6c086565067ee126889cb46fb5ec2a1143c7a0f25a8863e86bc50c54dfbbfad407f7944ef03af756a44338c04e26260f3b3eb811c60401bc636daf12f
-
Filesize
208B
MD530bf50eea8e31deb175afd25a96e5e03
SHA1b8b57c337bd24d7c8e592aa8130f0c57881e73a2
SHA2565c2ca5f1631ce8fc3f94620c4ea62e45bf77e8c9c430f9eb3282cfaeabc2187c
SHA5129d19fd5aa3d7a659e39d702a2f21ef1cfe95c33cbcbe6cd8f62adab404c3160c2aebb6666fe36aca938a2317d98431778f82687a7ee49dfd92cba7ac1eb1bc37
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
Filesize
224B
MD5c3558799a90a2aa9fcffa6045718b912
SHA1a36fdd85c601772632643cbed47cb8c891773a11
SHA256866f7c31096f611671e2d8181d1b964d71ec8c50ac6838dd1f8dd1b24c25a361
SHA512147bb4cc6fba92282c4d625078ec19b4abd43d71d40934b5d2977e22b97a1119382ae8acfe47b7242154e7c9ab0787f02876a52c6b8f735ecc5d35b29744850a
-
Filesize
224B
MD55757bd60c9dcb6e15b0b9ad7bb308046
SHA1657b50430d4a2ecaf3561b69e0350b553e084a80
SHA25600ce79ea9d5cec2d45615fbb84c0093661e53d3f6b8a225a50195bb719a78dac
SHA512f4d98e4a74f2a2fc773abe604e5c3d0ce24fcd77fb342ea39c2c864369f8bc22be589add90d41fc6a99f6465640792e0b0f0f10123a906e0df4eb5932497b618
-
Filesize
2.0MB
MD5ec6ce2a289a4c53ee2856a675af9f415
SHA12c5c85dde95333b775ae90090ede47e23f58102b
SHA2569db8eb5da9f5297c1a25260e40556cefaf209d2891e223596be4f33166f89d4d
SHA51284baa4b0904beca924ba0e2e90bdc12dd5069c407f08ccc5b6621762da998af239e30763aff839b69c102a75818ce8eea1d103aedc37911805115473bcd7af4c
-
Filesize
40KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
376KB
-
Filesize
4KB