Analysis

  • max time kernel
    5s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 00:06

General

  • Target

    a991010ec527616eb57429c4fe1080b0.exe

  • Size

    2.0MB

  • MD5

    a991010ec527616eb57429c4fe1080b0

  • SHA1

    a41d9a1fa4d8404f6a599b4fccb1b706868e0e83

  • SHA256

    604c50d5c328e806b656d92431f5d0c99acd380f5052c0e9a3db148992d165e7

  • SHA512

    a30e6ed9c0a2f4485790da677ea7b097bdefc0ea8668df6a6f07666483ba26a20112c69c52e40a045a4519b1f4fa598006873bb9e0303c7cbe39af5a4dc9ea45

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYm:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YA

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe
    "C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
          PID:1056
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 556
          3⤵
          • Program crash
          PID:1580
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3212
        • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3432
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4320
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcgbcKQwe1on.bat" "
            4⤵
              PID:2876
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                5⤵
                  PID:3548
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  5⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3868
                • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                  5⤵
                    PID:3744
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                      6⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2468
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gRT6kECWEmLP.bat" "
                      6⤵
                        PID:2700
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 65001
                          7⤵
                            PID:2004
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 10 localhost
                            7⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:3972
                          • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                            "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                            7⤵
                              PID:1060
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2268
                            6⤵
                            • Program crash
                            PID:4208
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 2004
                        4⤵
                        • Program crash
                        PID:228
                  • C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe
                    "C:\Users\Admin\AppData\Local\Temp\a991010ec527616eb57429c4fe1080b0.exe"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:4808
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:412
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1408 -ip 1408
                  1⤵
                    PID:400
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
                    1⤵
                      PID:220
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3432 -ip 3432
                      1⤵
                        PID:572
                      • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                        C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                        1⤵
                          PID:4488
                          • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                            "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
                            2⤵
                              PID:4716
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k
                                3⤵
                                  PID:3064
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 520
                                  3⤵
                                  • Program crash
                                  PID:4776
                              • C:\Users\Admin\AppData\Local\Temp\windef.exe
                                "C:\Users\Admin\AppData\Local\Temp\windef.exe"
                                2⤵
                                  PID:4548
                                • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                                  "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
                                  2⤵
                                    PID:4392
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
                                    2⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2776
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4716 -ip 4716
                                  1⤵
                                    PID:3996
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3744 -ip 3744
                                    1⤵
                                      PID:2992

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log

                                      Filesize

                                      1KB

                                      MD5

                                      10eab9c2684febb5327b6976f2047587

                                      SHA1

                                      a12ed54146a7f5c4c580416aecb899549712449e

                                      SHA256

                                      f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

                                      SHA512

                                      7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

                                    • C:\Users\Admin\AppData\Local\Temp\gRT6kECWEmLP.bat

                                      Filesize

                                      208B

                                      MD5

                                      46fcb633a8d3eabb7dc825c47487af7f

                                      SHA1

                                      24ff95aff4194d50c4537be115d217d42ca49226

                                      SHA256

                                      36abd60b8b34a2ce94b17281012fd40a014eb96cb7f65cc7456b4cf66bdf93c7

                                      SHA512

                                      350ed7d94ada92f78671d2249534c615e3ae7edd14731f81288b5530b786d611b52ebc0607c4ff63bf32ae3530d51d594df022cac987c8def1996feadb93608d

                                    • C:\Users\Admin\AppData\Local\Temp\vcgbcKQwe1on.bat

                                      Filesize

                                      208B

                                      MD5

                                      2516c8a5b32968e2c438cb8e05163cf9

                                      SHA1

                                      4db9c3656c91b8b44848164a00a8b236a686d0fe

                                      SHA256

                                      97b1c361de5efe95a8c3fd5554d05fc0794e8c1a2b21b521b727e478e998ecc2

                                      SHA512

                                      fa012657a19a39e86fbfbed184d8cad2eb62327e8d91c27b96e4d496f85faf859a1ca8144778ffc88635fbe4a8310c06b4536527ba8c1892be21a0eb49836bd7

                                    • C:\Users\Admin\AppData\Local\Temp\vnc.exe

                                      Filesize

                                      405KB

                                      MD5

                                      b8ba87ee4c3fc085a2fed0d839aadce1

                                      SHA1

                                      b3a2e3256406330e8b1779199bb2b9865122d766

                                      SHA256

                                      4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

                                      SHA512

                                      7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

                                    • C:\Users\Admin\AppData\Local\Temp\windef.exe

                                      Filesize

                                      349KB

                                      MD5

                                      b4a202e03d4135484d0e730173abcc72

                                      SHA1

                                      01b30014545ea526c15a60931d676f9392ea0c70

                                      SHA256

                                      7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

                                      SHA512

                                      632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

                                    • C:\Users\Admin\AppData\Roaming\Logs\09-17-2024

                                      Filesize

                                      224B

                                      MD5

                                      2ac5b6ec8a2d5219cdfe2e78d07724ad

                                      SHA1

                                      2b26422e3e394c5a1de26589a3f80f41b420d354

                                      SHA256

                                      bea2a1b4dd8ef43dee6334e228a0475126d2116520054784a9f220b1044b9e73

                                      SHA512

                                      68b6c9477f8fd2d6d6a5eeb3c015bca2e573c27e9ee6a6b5cba4e1f2e07442b56584634094f9b36cd5737d14a1ee6e0e7f9cc66b56f2136e739680f8a923cc67

                                    • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

                                      Filesize

                                      2.0MB

                                      MD5

                                      e779c9d52da26cf41fb236ad55497d68

                                      SHA1

                                      c02524578f82c4713f2e1a7186e7cac1b1e62f97

                                      SHA256

                                      c06bc37e6b248115c23295d9df4bcb034ac7e355c1cc07e71be9b3ddc3e12548

                                      SHA512

                                      62adf6f9be09a4ce9d3ae95956cd0caae70f408598a9332ef5c29fc200e710478078af7a9db06e011239bcdbf15dde525f7e78d25edf40c38993a351258cea80

                                    • memory/368-46-0x00000000044D0000-0x00000000044D1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/368-19-0x00000000044D0000-0x00000000044D1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/2868-29-0x0000000072BBE000-0x0000000072BBF000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/2868-36-0x00000000050F0000-0x0000000005102000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2868-37-0x0000000005CE0000-0x0000000005D1C000-memory.dmp

                                      Filesize

                                      240KB

                                    • memory/2868-35-0x0000000004B80000-0x0000000004BE6000-memory.dmp

                                      Filesize

                                      408KB

                                    • memory/2868-34-0x0000000004AB0000-0x0000000004B42000-memory.dmp

                                      Filesize

                                      584KB

                                    • memory/2868-33-0x0000000005130000-0x00000000056D4000-memory.dmp

                                      Filesize

                                      5.6MB

                                    • memory/2868-32-0x0000000000170000-0x00000000001CE000-memory.dmp

                                      Filesize

                                      376KB

                                    • memory/3432-45-0x0000000005FE0000-0x0000000005FEA000-memory.dmp

                                      Filesize

                                      40KB

                                    • memory/4392-75-0x0000000000400000-0x0000000000420000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/4392-81-0x0000000000400000-0x0000000000420000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/4808-28-0x0000000000370000-0x0000000000390000-memory.dmp

                                      Filesize

                                      128KB

                                    • memory/4808-20-0x0000000000370000-0x0000000000390000-memory.dmp

                                      Filesize

                                      128KB