Analysis
-
max time kernel
3s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 02:26
Behavioral task
behavioral1
Sample
Adobe Download Manager.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Adobe Download Manager.exe
Resource
win10v2004-20240802-en
General
-
Target
Adobe Download Manager.exe
-
Size
2.0MB
-
MD5
fdb4791c0883935dd02cc7edafca23cf
-
SHA1
05d4862a798647a2ff0999deb00efae430ebee27
-
SHA256
56cf98c5ed8c5335f981544efebfd53e14ba0e168e4519125d20a492b82ac3c6
-
SHA512
49e4577493d47d0227f1ca096c5ddced4f06eece4097961b3dcbf0a50eedbe7c9f48bc2bcc18d6a9042f7d14a696428e9d02ad0f87a73e6acf18ba2c636b4710
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYO:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YQ
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\windef.exe family_quasar behavioral1/memory/2300-45-0x0000000000C90000-0x0000000000CEE000-memory.dmp family_quasar behavioral1/memory/2332-60-0x0000000000FD0000-0x000000000102E000-memory.dmp family_quasar -
Executes dropped EXE 2 IoCs
Processes:
vnc.exewindef.exepid process 2364 vnc.exe 2300 windef.exe -
Loads dropped DLL 12 IoCs
Processes:
Adobe Download Manager.exeWerFault.exepid process 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe 2820 WerFault.exe 2820 WerFault.exe 2820 WerFault.exe 2820 WerFault.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Adobe Download Manager.exedescription ioc process File opened (read-only) \??\e: Adobe Download Manager.exe File opened (read-only) \??\g: Adobe Download Manager.exe File opened (read-only) \??\k: Adobe Download Manager.exe File opened (read-only) \??\o: Adobe Download Manager.exe File opened (read-only) \??\r: Adobe Download Manager.exe File opened (read-only) \??\z: Adobe Download Manager.exe File opened (read-only) \??\j: Adobe Download Manager.exe File opened (read-only) \??\n: Adobe Download Manager.exe File opened (read-only) \??\t: Adobe Download Manager.exe File opened (read-only) \??\y: Adobe Download Manager.exe File opened (read-only) \??\b: Adobe Download Manager.exe File opened (read-only) \??\q: Adobe Download Manager.exe File opened (read-only) \??\v: Adobe Download Manager.exe File opened (read-only) \??\w: Adobe Download Manager.exe File opened (read-only) \??\u: Adobe Download Manager.exe File opened (read-only) \??\a: Adobe Download Manager.exe File opened (read-only) \??\h: Adobe Download Manager.exe File opened (read-only) \??\i: Adobe Download Manager.exe File opened (read-only) \??\l: Adobe Download Manager.exe File opened (read-only) \??\m: Adobe Download Manager.exe File opened (read-only) \??\p: Adobe Download Manager.exe File opened (read-only) \??\s: Adobe Download Manager.exe File opened (read-only) \??\x: Adobe Download Manager.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Adobe Download Manager.exedescription pid process target process PID 3036 set thread context of 2872 3036 Adobe Download Manager.exe Adobe Download Manager.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2820 2364 WerFault.exe vnc.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Adobe Download Manager.exevnc.exewindef.exeAdobe Download Manager.exeschtasks.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adobe Download Manager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adobe Download Manager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 2696 schtasks.exe 1380 schtasks.exe 1780 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Adobe Download Manager.exepid process 3036 Adobe Download Manager.exe 3036 Adobe Download Manager.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
windef.exedescription pid process Token: SeDebugPrivilege 2300 windef.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
Adobe Download Manager.exevnc.exedescription pid process target process PID 3036 wrote to memory of 2364 3036 Adobe Download Manager.exe vnc.exe PID 3036 wrote to memory of 2364 3036 Adobe Download Manager.exe vnc.exe PID 3036 wrote to memory of 2364 3036 Adobe Download Manager.exe vnc.exe PID 3036 wrote to memory of 2364 3036 Adobe Download Manager.exe vnc.exe PID 2364 wrote to memory of 1796 2364 vnc.exe svchost.exe PID 2364 wrote to memory of 1796 2364 vnc.exe svchost.exe PID 2364 wrote to memory of 1796 2364 vnc.exe svchost.exe PID 2364 wrote to memory of 1796 2364 vnc.exe svchost.exe PID 3036 wrote to memory of 2300 3036 Adobe Download Manager.exe windef.exe PID 3036 wrote to memory of 2300 3036 Adobe Download Manager.exe windef.exe PID 3036 wrote to memory of 2300 3036 Adobe Download Manager.exe windef.exe PID 3036 wrote to memory of 2300 3036 Adobe Download Manager.exe windef.exe PID 2364 wrote to memory of 1796 2364 vnc.exe svchost.exe PID 3036 wrote to memory of 2872 3036 Adobe Download Manager.exe Adobe Download Manager.exe PID 3036 wrote to memory of 2872 3036 Adobe Download Manager.exe Adobe Download Manager.exe PID 3036 wrote to memory of 2872 3036 Adobe Download Manager.exe Adobe Download Manager.exe PID 3036 wrote to memory of 2872 3036 Adobe Download Manager.exe Adobe Download Manager.exe PID 3036 wrote to memory of 2872 3036 Adobe Download Manager.exe Adobe Download Manager.exe PID 3036 wrote to memory of 2872 3036 Adobe Download Manager.exe Adobe Download Manager.exe PID 3036 wrote to memory of 2696 3036 Adobe Download Manager.exe schtasks.exe PID 3036 wrote to memory of 2696 3036 Adobe Download Manager.exe schtasks.exe PID 3036 wrote to memory of 2696 3036 Adobe Download Manager.exe schtasks.exe PID 3036 wrote to memory of 2696 3036 Adobe Download Manager.exe schtasks.exe PID 2364 wrote to memory of 2820 2364 vnc.exe WerFault.exe PID 2364 wrote to memory of 2820 2364 vnc.exe WerFault.exe PID 2364 wrote to memory of 2820 2364 vnc.exe WerFault.exe PID 2364 wrote to memory of 2820 2364 vnc.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵PID:1796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1603⤵
- Loads dropped DLL
- Program crash
PID:2820
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:1380
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵PID:2332
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:1780
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2872
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2696
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb