Overview

overview

10

Static

static

10

dttcodexgigas.exe

windows7-x64

10

dttcodexgigas.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    6s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dttcodexgigas.exe

  • Size

    2.0MB

  • MD5

    8aeaa6718ce427daaca9f0caa278ae82

  • SHA1

    ad000b872c9f3b222067aa2020df3e411d379601

  • SHA256

    70d5f8d60099cef22ba93cbaf5e7a00b7afc3b824dc7e89aca45bf955568fc9b

  • SHA512

    52f71e5ccb43a59eacec72e543f7c673c5821b1838c825f44a248b2ac63c6fead671d3ab4cc40ee1d5f8c55234d680ac95f7f97547a25784f918a1031ef37b2c

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYG:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Ys

Score
10/10
azorultquasarebayprofilesdiscoveryinfostealerspywaretrojan

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443
Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dttcodexgigas.exe
    "C:\Users\Admin\AppData\Local\Temp\dttcodexgigas.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
          PID:2692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 548
          3⤵
          • Program crash
          PID:208
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4820
        • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:640
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3x8JrznfI2aB.bat" "
            4⤵
              PID:4924
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                5⤵
                  PID:3352
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  5⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3388
                • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                  5⤵
                    PID:1064
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                      6⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1516
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e6Fp2ghiXERK.bat" "
                      6⤵
                        PID:4036
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 65001
                          7⤵
                            PID:3556
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 10 localhost
                            7⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:5108
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 2256
                          6⤵
                          • Program crash
                          PID:528
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1080
                      4⤵
                      • Program crash
                      PID:3044
                • C:\Users\Admin\AppData\Local\Temp\dttcodexgigas.exe
                  "C:\Users\Admin\AppData\Local\Temp\dttcodexgigas.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4356
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:3716
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4152 -ip 4152
                1⤵
                  PID:1020
                • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                  1⤵
                    PID:3088
                    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
                      2⤵
                        PID:3592
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k
                          3⤵
                            PID:4936
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 520
                            3⤵
                            • Program crash
                            PID:3280
                        • C:\Users\Admin\AppData\Local\Temp\windef.exe
                          "C:\Users\Admin\AppData\Local\Temp\windef.exe"
                          2⤵
                            PID:1080
                          • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                            "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
                            2⤵
                              PID:3536
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
                              2⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:3136
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3592 -ip 3592
                            1⤵
                              PID:2224
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1044 -ip 1044
                              1⤵
                                PID:2760
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1064 -ip 1064
                                1⤵
                                  PID:4488

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
                                  Filesize

                                  1KB

                                  MD5

                                  10eab9c2684febb5327b6976f2047587

                                  SHA1

                                  a12ed54146a7f5c4c580416aecb899549712449e

                                  SHA256

                                  f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

                                  SHA512

                                  7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\3x8JrznfI2aB.bat
                                  Filesize

                                  208B

                                  MD5

                                  c638a39c21d86e413336c70b244b22b7

                                  SHA1

                                  5add876c9193f94784bb48bb021b81b5cb1a86f8

                                  SHA256

                                  771904104f5b17d1dd74d17f513c0aa83cb2f58d4af32ef4262cf9f69ee58929

                                  SHA512

                                  c257d4d831400dc8052380d1b42eea545799a3d3b135958515edf07d0f8939fc6901dbe2c8ae7aa42fc1f699d26f112feaadaa84bc0c679497235c7cdd5c9e01

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\e6Fp2ghiXERK.bat
                                  Filesize

                                  208B

                                  MD5

                                  9452ae875da85546d11769ba2bdd072d

                                  SHA1

                                  e01ae2789196b3b89ea8551095a9d217ffda575e

                                  SHA256

                                  c33e0c4ab62831bb5d72ba299e12d96d7b221254465cf81c16e080613cb0566b

                                  SHA512

                                  db88c8fee3740202fb570cbb1c2ee2a0d01e341dca418690967d8366ac2a0abcd045cac3c2ee9d262fa6e528ca7318a062744e3535f25e10e5a69d0759a4dcbc

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                                  Filesize

                                  405KB

                                  MD5

                                  b8ba87ee4c3fc085a2fed0d839aadce1

                                  SHA1

                                  b3a2e3256406330e8b1779199bb2b9865122d766

                                  SHA256

                                  4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

                                  SHA512

                                  7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\windef.exe
                                  Filesize

                                  349KB

                                  MD5

                                  b4a202e03d4135484d0e730173abcc72

                                  SHA1

                                  01b30014545ea526c15a60931d676f9392ea0c70

                                  SHA256

                                  7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

                                  SHA512

                                  632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Logs\09-17-2024
                                  Filesize

                                  224B

                                  MD5

                                  a1201e833d1c758305939b6b64e10a7d

                                  SHA1

                                  364a18a28a7b5040a3cd359640670c2d54db9cf3

                                  SHA256

                                  5ce4ccaed560a43b90c3d6a5481fe32547c10ce6171ef52ab7ebd738447c2be4

                                  SHA512

                                  5d5609897bb88baae6762658020edfc209936da05041c63492447458791370b1bba95085a2b588845928af50b88461a5df837234237125144760afb30b076614

                                  Download Submit

                                • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                                  Filesize

                                  2.0MB

                                  MD5

                                  3b8c25e36c6cf90b99b006e60073621d

                                  SHA1

                                  60a5f2b9bd93910a99dc0a0a9db31248ceacb224

                                  SHA256

                                  40822dcadced507a3a2ebc9e07b46fdcc852631ea933d5e02d05d984efd81349

                                  SHA512

                                  f7b59f8671b0a8cb95f400dacf1fe2bc61a56b3929fd9c595c92b8b73dbc91e290df0785e8e8723f0a753ed38f180fd070f4850f42ca6dbd57b088b62ab0b2c8

                                  Download Submit

                                • memory/1044-45-0x0000000006B90000-0x0000000006B9A000-memory.dmp

                                  Filesize

                                  40KB

                                  Download

                                • memory/1104-19-0x0000000004260000-0x0000000004261000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1604-34-0x0000000005980000-0x0000000005A12000-memory.dmp

                                  Filesize

                                  584KB

                                  Download

                                • memory/1604-36-0x0000000006720000-0x0000000006732000-memory.dmp

                                  Filesize

                                  72KB

                                  Download

                                • memory/1604-37-0x0000000006C60000-0x0000000006C9C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/1604-35-0x0000000005A20000-0x0000000005A86000-memory.dmp

                                  Filesize

                                  408KB

                                  Download

                                • memory/1604-33-0x0000000005E50000-0x00000000063F4000-memory.dmp

                                  Filesize

                                  5.6MB

                                  Download

                                • memory/1604-30-0x0000000000FF0000-0x000000000104E000-memory.dmp

                                  Filesize

                                  376KB

                                  Download

                                • memory/1604-27-0x00000000730BE000-0x00000000730BF000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4356-20-0x0000000000400000-0x0000000000420000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/4356-29-0x0000000000400000-0x0000000000420000-memory.dmp

                                  Filesize

                                  128KB

                                  Download