Analysis
-
max time kernel
3s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
14-08-2024 14:49
Behavioral task
behavioral1
Sample
5f4e720616c54e93f6d7196818063c30N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5f4e720616c54e93f6d7196818063c30N.exe
Resource
win10v2004-20240802-en
General
-
Target
5f4e720616c54e93f6d7196818063c30N.exe
-
Size
2.0MB
-
MD5
5f4e720616c54e93f6d7196818063c30
-
SHA1
73a5057343b59579fca093e64893043cc6a165a9
-
SHA256
7f1443e7977bd0f604036f3904ebeb46a375fb5d31c29f136c3638ed31fd35f8
-
SHA512
a1870d5ebae2d5691710efba344516abf127963e9e68b6c0bcdaaf19263c2759a561a1b650c794a111752368a65705ae591e9c11a51b2457e9ac7620b91f50d0
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYt:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yv
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\windef.exe family_quasar behavioral1/memory/2240-48-0x0000000000860000-0x00000000008BE000-memory.dmp family_quasar behavioral1/memory/2664-59-0x0000000001300000-0x000000000135E000-memory.dmp family_quasar -
Executes dropped EXE 3 IoCs
Processes:
vnc.exewindef.exewinsock.exepid process 2756 vnc.exe 2240 windef.exe 2664 winsock.exe -
Loads dropped DLL 13 IoCs
Processes:
5f4e720616c54e93f6d7196818063c30N.exeWerFault.exewindef.exepid process 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe 2804 WerFault.exe 2804 WerFault.exe 2804 WerFault.exe 2804 WerFault.exe 2240 windef.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
5f4e720616c54e93f6d7196818063c30N.exedescription ioc process File opened (read-only) \??\h: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\r: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\w: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\q: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\s: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\v: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\b: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\l: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\n: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\k: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\y: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\e: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\i: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\j: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\o: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\p: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\t: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\u: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\x: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\a: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\g: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\m: 5f4e720616c54e93f6d7196818063c30N.exe File opened (read-only) \??\z: 5f4e720616c54e93f6d7196818063c30N.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
5f4e720616c54e93f6d7196818063c30N.exedescription pid process target process PID 2260 set thread context of 2780 2260 5f4e720616c54e93f6d7196818063c30N.exe 5f4e720616c54e93f6d7196818063c30N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2804 2756 WerFault.exe vnc.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
winsock.exe5f4e720616c54e93f6d7196818063c30N.exevnc.exe5f4e720616c54e93f6d7196818063c30N.exewindef.exeschtasks.exeschtasks.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winsock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f4e720616c54e93f6d7196818063c30N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f4e720616c54e93f6d7196818063c30N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 1476 schtasks.exe 2628 schtasks.exe 2076 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
5f4e720616c54e93f6d7196818063c30N.exepid process 2260 5f4e720616c54e93f6d7196818063c30N.exe 2260 5f4e720616c54e93f6d7196818063c30N.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
windef.exewinsock.exedescription pid process Token: SeDebugPrivilege 2240 windef.exe Token: SeDebugPrivilege 2664 winsock.exe -
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
5f4e720616c54e93f6d7196818063c30N.exevnc.exewindef.exedescription pid process target process PID 2260 wrote to memory of 2756 2260 5f4e720616c54e93f6d7196818063c30N.exe vnc.exe PID 2260 wrote to memory of 2756 2260 5f4e720616c54e93f6d7196818063c30N.exe vnc.exe PID 2260 wrote to memory of 2756 2260 5f4e720616c54e93f6d7196818063c30N.exe vnc.exe PID 2260 wrote to memory of 2756 2260 5f4e720616c54e93f6d7196818063c30N.exe vnc.exe PID 2756 wrote to memory of 2364 2756 vnc.exe svchost.exe PID 2756 wrote to memory of 2364 2756 vnc.exe svchost.exe PID 2756 wrote to memory of 2364 2756 vnc.exe svchost.exe PID 2756 wrote to memory of 2364 2756 vnc.exe svchost.exe PID 2756 wrote to memory of 2364 2756 vnc.exe svchost.exe PID 2260 wrote to memory of 2240 2260 5f4e720616c54e93f6d7196818063c30N.exe windef.exe PID 2260 wrote to memory of 2240 2260 5f4e720616c54e93f6d7196818063c30N.exe windef.exe PID 2260 wrote to memory of 2240 2260 5f4e720616c54e93f6d7196818063c30N.exe windef.exe PID 2260 wrote to memory of 2240 2260 5f4e720616c54e93f6d7196818063c30N.exe windef.exe PID 2260 wrote to memory of 2780 2260 5f4e720616c54e93f6d7196818063c30N.exe 5f4e720616c54e93f6d7196818063c30N.exe PID 2260 wrote to memory of 2780 2260 5f4e720616c54e93f6d7196818063c30N.exe 5f4e720616c54e93f6d7196818063c30N.exe PID 2260 wrote to memory of 2780 2260 5f4e720616c54e93f6d7196818063c30N.exe 5f4e720616c54e93f6d7196818063c30N.exe PID 2260 wrote to memory of 2780 2260 5f4e720616c54e93f6d7196818063c30N.exe 5f4e720616c54e93f6d7196818063c30N.exe PID 2260 wrote to memory of 2780 2260 5f4e720616c54e93f6d7196818063c30N.exe 5f4e720616c54e93f6d7196818063c30N.exe PID 2260 wrote to memory of 2780 2260 5f4e720616c54e93f6d7196818063c30N.exe 5f4e720616c54e93f6d7196818063c30N.exe PID 2260 wrote to memory of 2076 2260 5f4e720616c54e93f6d7196818063c30N.exe schtasks.exe PID 2260 wrote to memory of 2076 2260 5f4e720616c54e93f6d7196818063c30N.exe schtasks.exe PID 2260 wrote to memory of 2076 2260 5f4e720616c54e93f6d7196818063c30N.exe schtasks.exe PID 2260 wrote to memory of 2076 2260 5f4e720616c54e93f6d7196818063c30N.exe schtasks.exe PID 2756 wrote to memory of 2804 2756 vnc.exe WerFault.exe PID 2756 wrote to memory of 2804 2756 vnc.exe WerFault.exe PID 2756 wrote to memory of 2804 2756 vnc.exe WerFault.exe PID 2756 wrote to memory of 2804 2756 vnc.exe WerFault.exe PID 2240 wrote to memory of 1476 2240 windef.exe schtasks.exe PID 2240 wrote to memory of 1476 2240 windef.exe schtasks.exe PID 2240 wrote to memory of 1476 2240 windef.exe schtasks.exe PID 2240 wrote to memory of 1476 2240 windef.exe schtasks.exe PID 2240 wrote to memory of 2664 2240 windef.exe winsock.exe PID 2240 wrote to memory of 2664 2240 windef.exe winsock.exe PID 2240 wrote to memory of 2664 2240 windef.exe winsock.exe PID 2240 wrote to memory of 2664 2240 windef.exe winsock.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f4e720616c54e93f6d7196818063c30N.exe"C:\Users\Admin\AppData\Local\Temp\5f4e720616c54e93f6d7196818063c30N.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵PID:2364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1603⤵
- Loads dropped DLL
- Program crash
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1476 -
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\5f4e720616c54e93f6d7196818063c30N.exe"C:\Users\Admin\AppData\Local\Temp\5f4e720616c54e93f6d7196818063c30N.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2076
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb