Analysis
-
max time kernel
5s
-
max time network
117s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
17-09-2024 00:06
Behavioral task
behavioral1
Sample
a991010ec527616eb57429c4fe1080b0.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a991010ec527616eb57429c4fe1080b0.exe
Resource
win10v2004-20240802-en
General
-
Target
a991010ec527616eb57429c4fe1080b0.exe
-
Size
2.0MB
-
MD5
a991010ec527616eb57429c4fe1080b0
-
SHA1
a41d9a1fa4d8404f6a599b4fccb1b706868e0e83
-
SHA256
604c50d5c328e806b656d92431f5d0c99acd380f5052c0e9a3db148992d165e7
-
SHA512
a30e6ed9c0a2f4485790da677ea7b097bdefc0ea8668df6a6f07666483ba26a20112c69c52e40a045a4519b1f4fa598006873bb9e0303c7cbe39af5a4dc9ea45
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYm:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YA
Malware Config
Extracted
Family
azorult
C2
http://0x21.in:8000/_az/
Extracted
Family
quasar
Version
1.3.0.0
Botnet
EbayProfiles
C2
5.8.88.191:443
sockartek.icu:443
Mutex
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\windef.exe | family_quasar
behavioral2/memory/2868-32-0x0000000000170000-0x00000000001CE000-memory.dmp | family_quasar
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe | family_quasar
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a991010ec527616eb57429c4fe1080b0.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | a991010ec527616eb57429c4fe1080b0.exe
-
Executes dropped EXE 3 IoCs
Processes: vnc.exe, windef.exe, winsock.exe
pid | process
1408 | vnc.exe
2868 | windef.exe
3432 | winsock.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: a991010ec527616eb57429c4fe1080b0.exe
description | ioc | process
File opened (read-only) | \??\p: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\u: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\x: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\i: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\l: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\m: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\n: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\g: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\h: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\k: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\q: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\r: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\s: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\b: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\e: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\v: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\z: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\o: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\t: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\w: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\y: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\a: | a991010ec527616eb57429c4fe1080b0.exe
File opened (read-only) | \??\j: | a991010ec527616eb57429c4fe1080b0.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
13 | ip-api.com
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe | autoit_exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: a991010ec527616eb57429c4fe1080b0.exe
description | pid | process | target process
PID 368 set thread context of 4808 | 368 | a991010ec527616eb57429c4fe1080b0.exe | a991010ec527616eb57429c4fe1080b0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1580 | 1408 | WerFault.exe | vnc.exe
228 | 3432 | WerFault.exe | winsock.exe
4776 | 4716 | WerFault.exe | vnc.exe
4208 | 3744 | WerFault.exe | winsock.exe
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: windef.exe, a991010ec527616eb57429c4fe1080b0.exe, schtasks.exe, winsock.exe, vnc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a991010ec527616eb57429c4fe1080b0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winsock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a991010ec527616eb57429c4fe1080b0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vnc.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes: PING.EXE
pid | process
3868 | PING.EXE
3972 | PING.EXE
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
4320 | schtasks.exe
2468 | schtasks.exe
2776 | schtasks.exe
412 | schtasks.exe
3212 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: a991010ec527616eb57429c4fe1080b0.exe
pid | process
368 | a991010ec527616eb57429c4fe1080b0.exe
368 | a991010ec527616eb57429c4fe1080b0.exe
368 | a991010ec527616eb57429c4fe1080b0.exe
368 | a991010ec527616eb57429c4fe1080b0.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: windef.exe, winsock.exe
description | pid | process
Token: SeDebugPrivilege | 2868 | windef.exe
Token: SeDebugPrivilege | 3432 | winsock.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: winsock.exe
pid | process
3432 | winsock.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes: a991010ec527616eb57429c4fe1080b0.exe, vnc.exe, windef.exe, winsock.exe
description | pid | process | target process
PID 368 wrote to memory of 1408 | 368 | a991010ec527616eb57429c4fe1080b0.exe | vnc.exe
PID 368 wrote to memory of 1408 | 368 | a991010ec527616eb57429c4fe1080b0.exe | vnc.exe
PID 368 wrote to memory of 1408 | 368 | a991010ec527616eb57429c4fe1080b0.exe | vnc.exe
PID 368 wrote to memory of 2868 | 368 | a991010ec527616eb57429c4fe1080b0.exe | windef.exe
PID 368 wrote to memory of 2868 | 368 | a991010ec527616eb57429c4fe1080b0.exe | windef.exe
PID 368 wrote to memory of 2868 | 368 | a991010ec527616eb57429c4fe1080b0.exe | windef.exe
PID 1408 wrote to memory of 1056 | 1408 | vnc.exe | svchost.exe
PID 1408 wrote to memory of 1056 | 1408 | vnc.exe | svchost.exe
PID 368 wrote to memory of 4808 | 368 | a991010ec527616eb57429c4fe1080b0.exe | a991010ec527616eb57429c4fe1080b0.exe
PID 368 wrote to memory of 4808 | 368 | a991010ec527616eb57429c4fe1080b0.exe | a991010ec527616eb57429c4fe1080b0.exe
PID 368 wrote to memory of 4808 | 368 | a991010ec527616eb57429c4fe1080b0.exe | a991010ec527616eb57429c4fe1080b0.exe
PID 368 wrote to memory of 4808 | 368 | a991010ec527616eb57429c4fe1080b0.exe | a991010ec527616eb57429c4fe1080b0.exe
PID 368 wrote to memory of 4808 | 368 | a991010ec527616eb57429c4fe1080b0.exe | a991010ec527616eb57429c4fe1080b0.exe
PID 1408 wrote to memory of 1056 | 1408 | vnc.exe | svchost.exe
PID 368 wrote to memory of 412 | 368 | a991010ec527616eb57429c4fe1080b0.exe | schtasks.exe
PID 368 wrote to memory of 412 | 368 | a991010ec527616eb57429c4fe1080b0.exe | schtasks.exe
PID 368 wrote to memory of 412 | 368 | a991010ec527616eb57429c4fe1080b0.exe | schtasks.exe
PID 2868 wrote to memory of 3212 | 2868 | windef.exe | schtasks.exe
PID 2868 wrote to memory of 3212 | 2868 | windef.exe | schtasks.exe
PID 2868 wrote to memory of 3212 | 2868 | windef.exe | schtasks.exe
PID 2868 wrote to memory of 3432 | 2868 | windef.exe | winsock.exe
PID 2868 wrote to memory of 3432 | 2868 | windef.exe | winsock.exe
PID 2868 wrote to memory of 3432 | 2868 | windef.exe | winsock.exe
PID 3432 wrote to memory of 4320 | 3432 | winsock.exe | schtasks.exe
PID 3432 wrote to memory of 4320 | 3432 | winsock.exe | schtasks.exe
PID 3432 wrote to memory of 4320 | 3432 | winsock.exe | schtasks.exe
Processes (tree, indented by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe (PID 368)
  command line: "C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\vnc.exe (PID 1408)
    command line: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe (PID 1056)
      command line: C:\Windows\system32\svchost.exe -k
    C:\Windows\SysWOW64\WerFault.exe (PID 1580)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 556
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\windef.exe (PID 2868)
    command line: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 3212)
      command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe (PID 3432)
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (PID 4320)
        command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
      C:\Windows\SysWOW64\cmd.exe (PID 2876)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcgbcKQwe1on.bat" "
        C:\Windows\SysWOW64\chcp.com (PID 3548)
          command line: chcp 65001
        C:\Windows\SysWOW64\PING.EXE (PID 3868)
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe (PID 3744)
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          C:\Windows\SysWOW64\schtasks.exe (PID 2468)
            command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
          C:\Windows\SysWOW64\cmd.exe (PID 2700)
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gRT6kECWEmLP.bat" "
            C:\Windows\SysWOW64\chcp.com (PID 2004)
              command line: chcp 65001
            C:\Windows\SysWOW64\PING.EXE (PID 3972)
              command line: ping -n 10 localhost
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe (PID 1060)
              command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          C:\Windows\SysWOW64\WerFault.exe (PID 4208)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2268
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 228)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 2004
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe (PID 4808)
    command line: "C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\schtasks.exe (PID 412)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
C:\Windows\SysWOW64\WerFault.exe (PID 400)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1408 -ip 1408
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe (PID 572)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3432 -ip 3432
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe (PID 4488)
  command line: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  C:\Users\Admin\AppData\Local\Temp\vnc.exe (PID 4716)
    command line: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    C:\Windows\system32\svchost.exe (PID 3064)
      command line: C:\Windows\system32\svchost.exe -k
    C:\Windows\SysWOW64\WerFault.exe (PID 4776)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 520
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\windef.exe (PID 4548)
    command line: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe (PID 4392)
    command line: "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  C:\Windows\SysWOW64\schtasks.exe (PID 2776)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Scheduled Task/Job: Scheduled Task
C:\Windows\SysWOW64\WerFault.exe (PID 3996)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4716 -ip 4716
C:\Windows\SysWOW64\WerFault.exe (PID 2992)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3744 -ip 3744
Network
MITRE ATT&CK Enterprise v15
Downloads