Analysis

  • max time kernel
    3s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 10:22

General

  • Target

    29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe

  • Size

    2.0MB

  • MD5

    f66c44d5c01660f38193a4a7c482a580

  • SHA1

    aecb6d2a32208efc945bc304e39ec9c4b10265d3

  • SHA256

    29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5

  • SHA512

    a04aba7650eb0487c64792ba960b0194b403b8412233c72ffa0161ca87cdc8f641d078bbff8d6a0b70d5f214664ace003b9d331eeb755cd88cdf76dc04d3c062

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYJ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yj

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
    "C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
        • Maps connected drives based on registry
        PID:596
    • C:\Users\Admin\AppData\Local\Temp\windef.exe
      "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2040
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2612
      • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        3⤵
          PID:2964
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:320
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\HBKuWhANV3b1.bat" "
            4⤵
              PID:2388
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                5⤵
                  PID:1944
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  5⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2204
                • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                  5⤵
                    PID:2004
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                      6⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1720
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1520
                  4⤵
                  • Program crash
                  PID:2224
            • C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe
              "C:\Users\Admin\AppData\Local\Temp\29678abb9e2bdd0f1c68453413a32e5498541ccb3a5335794df70076aa8c0bf5N.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2424
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
              2⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2736
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {1F84D056-C748-4580-ADA0-19FD7D4F5748} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
            1⤵
              PID:1680
              • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                2⤵
                  PID:1084
                  • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                    "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
                    3⤵
                      PID:2180
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k
                        4⤵
                          PID:580
                      • C:\Users\Admin\AppData\Local\Temp\windef.exe
                        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
                        3⤵
                          PID:868

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\HBKuWhANV3b1.bat

                      Filesize

                      208B

                      MD5

                      27cbccc6b34632714f4ecc3697c82991

                      SHA1

                      61c27bb191be31688613347c9a65c60a86e7b0e3

                      SHA256

                      5edc656577cc4535dda0002e07eb88979d7d955107d12b497b7b4f6bffe43bcd

                      SHA512

                      2f52f5349bd32f9badf0dbb6ad447045ff4a34e479f5037d3e5dbe399f9abffb93d41415ddd64bf2560c7b0c5a3e901d2eb5d3e25b047baaec8f20023baf1991

                    • C:\Users\Admin\AppData\Local\Temp\vnc.exe

                      Filesize

                      405KB

                      MD5

                      b8ba87ee4c3fc085a2fed0d839aadce1

                      SHA1

                      b3a2e3256406330e8b1779199bb2b9865122d766

                      SHA256

                      4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

                      SHA512

                      7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

                    • C:\Users\Admin\AppData\Local\Temp\windef.exe

                      Filesize

                      349KB

                      MD5

                      b4a202e03d4135484d0e730173abcc72

                      SHA1

                      01b30014545ea526c15a60931d676f9392ea0c70

                      SHA256

                      7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

                      SHA512

                      632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

                    • C:\Users\Admin\AppData\Roaming\Logs\12-17-2024

                      Filesize

                      224B

                      MD5

                      4dae201c33ad3c1dad6bb75d1ef97463

                      SHA1

                      02a27b58427f150905e6e01dccaf901350776503

                      SHA256

                      633474d06a49a82a0a8ee878ede9015774f7dd299e5f66782981f2c8bfc6cafd

                      SHA512

                      a43ea7826548a1fbd57fbec66af46143942aad2e56e584bb457457457f37bc06ef8a1f2b5d31841d3ee16644c2c30f0615afb9e35978d97ae765484f1b151b65

                    • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

                      Filesize

                      2.0MB

                      MD5

                      026936d5dbb9b0bee9e5a37a38862761

                      SHA1

                      58f30c8ef01a08627a2c485fa396bcf5b0195507

                      SHA256

                      95d196430059860f0e3135339e5d21bd69be8c48c39de533c021c573a5e53507

                      SHA512

                      28fffd25865661ee1f8c23227e61925604a593450a80b136f6c78748ba8372906cbf92d17e70d7a503a72e4515775730e8872cf903bdbbe64ee9f88cb27d374c

                    • memory/580-114-0x0000000000450000-0x00000000004EC000-memory.dmp

                      Filesize

                      624KB

                    • memory/580-109-0x0000000000450000-0x00000000004EC000-memory.dmp

                      Filesize

                      624KB

                    • memory/580-108-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

                      Filesize

                      4KB

                    • memory/596-49-0x00000000003A0000-0x000000000043C000-memory.dmp

                      Filesize

                      624KB

                    • memory/596-46-0x0000000000020000-0x0000000000021000-memory.dmp

                      Filesize

                      4KB

                    • memory/596-53-0x00000000003A0000-0x000000000043C000-memory.dmp

                      Filesize

                      624KB

                    • memory/596-48-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

                      Filesize

                      4KB

                    • memory/2004-81-0x0000000001260000-0x00000000012BE000-memory.dmp

                      Filesize

                      376KB

                    • memory/2040-54-0x0000000001280000-0x00000000012DE000-memory.dmp

                      Filesize

                      376KB

                    • memory/2424-31-0x0000000000080000-0x00000000000A0000-memory.dmp

                      Filesize

                      128KB

                    • memory/2424-33-0x0000000000080000-0x00000000000A0000-memory.dmp

                      Filesize

                      128KB

                    • memory/2424-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                      Filesize

                      4KB

                    • memory/2424-43-0x0000000000080000-0x00000000000A0000-memory.dmp

                      Filesize

                      128KB

                    • memory/2572-29-0x0000000000960000-0x0000000000961000-memory.dmp

                      Filesize

                      4KB

                    • memory/2964-62-0x00000000001F0000-0x000000000024E000-memory.dmp

                      Filesize

                      376KB