Analysis
-
max time kernel
3s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17-12-2024 10:22
Behavioral task
behavioral1
Sample
29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
Resource
win10v2004-20241007-en
General
-
Target
29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
-
Size
2.0MB
-
MD5
f66c44d5c01660f38193a4a7c482a580
-
SHA1
aecb6d2a32208efc945bc304e39ec9c4b10265d3
-
SHA256
29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5
-
SHA512
a04aba7650eb0487c64792ba960b0194b403b8412233c72ffa0161ca87cdc8f641d078bbff8d6a0b70d5f214664ace003b9d331eeb755cd88cdf76dc04d3c062
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYJ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yj
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Quasar family
-
Quasar payload 5 IoCs
resource yara_rule behavioral1/files/0x000800000001660b-20.dat family_quasar behavioral1/memory/2040-54-0x0000000001280000-0x00000000012DE000-memory.dmp family_quasar behavioral1/memory/2964-62-0x00000000001F0000-0x000000000024E000-memory.dmp family_quasar behavioral1/memory/2004-81-0x0000000001260000-0x00000000012BE000-memory.dmp family_quasar behavioral1/files/0x0008000000016c23-82.dat family_quasar -
Executes dropped EXE 2 IoCs
pid Process 2052 vnc.exe 2040 windef.exe -
Loads dropped DLL 8 IoCs
pid Process 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\m: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\o: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\r: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\t: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\x: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\y: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\e: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\g: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\z: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\u: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\a: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\s: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\l: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\p: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\q: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\h: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\i: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\k: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\n: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\v: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\w: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\b: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe File opened (read-only) \??\j: 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 svchost.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0008000000016c23-82.dat autoit_exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2572 set thread context of 2424 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 34 PID 2052 set thread context of 596 2052 vnc.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2224 2964 WerFault.exe 41 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnc.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2204 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2204 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2736 schtasks.exe 2612 schtasks.exe 320 schtasks.exe 1720 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2052 vnc.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2572 wrote to memory of 2052 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 30 PID 2572 wrote to memory of 2052 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 30 PID 2572 wrote to memory of 2052 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 30 PID 2572 wrote to memory of 2052 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 30 PID 2572 wrote to memory of 2040 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 32 PID 2572 wrote to memory of 2040 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 32 PID 2572 wrote to memory of 2040 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 32 PID 2572 wrote to memory of 2040 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 32 PID 2052 wrote to memory of 596 2052 vnc.exe 33 PID 2052 wrote to memory of 596 2052 vnc.exe 33 PID 2052 wrote to memory of 596 2052 vnc.exe 33 PID 2052 wrote to memory of 596 2052 vnc.exe 33 PID 2052 wrote to memory of 596 2052 vnc.exe 33 PID 2572 wrote to memory of 2424 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 34 PID 2572 wrote to memory of 2424 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 34 PID 2572 wrote to memory of 2424 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 34 PID 2572 wrote to memory of 2424 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 34 PID 2572 wrote to memory of 2424 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 34 PID 2572 wrote to memory of 2424 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 34 PID 2572 wrote to memory of 2736 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 35 PID 2572 wrote to memory of 2736 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 35 PID 2572 wrote to memory of 2736 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 35 PID 2572 wrote to memory of 2736 2572 29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe 35 PID 2052 wrote to memory of 596 2052 vnc.exe 33 PID 2052 wrote to memory of 596 2052 vnc.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
PID:596
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2612
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵PID:2964
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:320
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\HBKuWhANV3b1.bat" "4⤵PID:2388
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵PID:1944
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2204
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵PID:2004
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
PID:1720
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 15204⤵
- Program crash
PID:2224
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2736
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1F84D056-C748-4580-ADA0-19FD7D4F5748} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵PID:1680
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe2⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"3⤵PID:2180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k4⤵PID:580
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"3⤵PID:868
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD527cbccc6b34632714f4ecc3697c82991
SHA161c27bb191be31688613347c9a65c60a86e7b0e3
SHA2565edc656577cc4535dda0002e07eb88979d7d955107d12b497b7b4f6bffe43bcd
SHA5122f52f5349bd32f9badf0dbb6ad447045ff4a34e479f5037d3e5dbe399f9abffb93d41415ddd64bf2560c7b0c5a3e901d2eb5d3e25b047baaec8f20023baf1991
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
Filesize
224B
MD54dae201c33ad3c1dad6bb75d1ef97463
SHA102a27b58427f150905e6e01dccaf901350776503
SHA256633474d06a49a82a0a8ee878ede9015774f7dd299e5f66782981f2c8bfc6cafd
SHA512a43ea7826548a1fbd57fbec66af46143942aad2e56e584bb457457457f37bc06ef8a1f2b5d31841d3ee16644c2c30f0615afb9e35978d97ae765484f1b151b65
-
Filesize
2.0MB
MD5026936d5dbb9b0bee9e5a37a38862761
SHA158f30c8ef01a08627a2c485fa396bcf5b0195507
SHA25695d196430059860f0e3135339e5d21bd69be8c48c39de533c021c573a5e53507
SHA51228fffd25865661ee1f8c23227e61925604a593450a80b136f6c78748ba8372906cbf92d17e70d7a503a72e4515775730e8872cf903bdbbe64ee9f88cb27d374c