| File name: | WinUpdate.exe |
| Full analysis: | https://app.any.run/tasks/df4c307a-4533-4210-9198-689914e3faf5 |
| Verdict: | Malicious activity |
| Threats: | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
| Analysis date: | November 02, 2023, 15:00:53 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | A287ECEC15600C38E425E78B1CF874EC |
| SHA1: | B5F81463407620D9CDB78AB44B26691ED6F998B7 |
| SHA256: | D4CDF9FF5120046490950BF713506E1B9E5CD68613A7072BC37721E45C2130AD |
| SSDEEP: | 49152:0+gGOhX02hD2nPiLq3A6770DODdl/rADxXhCk/3DgqHTrwn9qkZmlt+crReujV/2:s2nP6q3A6770DODdl/rADxRLDg2ceyp |
MALICIOUS
Drops the executable file immediately after the start
- WinUpdate.exe (PID: 3140)
Changes the autorun value in the registry
- WinUpdatep.exe (PID: 2900)
QUASAR has been detected (YARA)
- WinUpdatep.exe (PID: 2900)
ASYNCRAT has been detected (SURICATA)
- WinUpdatep.exe (PID: 2900)
Connects to the CnC server
- WinUpdatep.exe (PID: 2900)
QUASAR has been detected (SURICATA)
- WinUpdatep.exe (PID: 2900)
Steals credentials from Web Browsers
- WinUpdatep.exe (PID: 2900)
Actions looks like stealing of personal data
- WinUpdatep.exe (PID: 2900)
SUSPICIOUS
Starts itself from another location
- WinUpdate.exe (PID: 3140)
Reads settings of System Certificates
- WinUpdatep.exe (PID: 2900)
Connects to unusual port
- WinUpdatep.exe (PID: 2900)
Reads the Internet Settings
- WinUpdatep.exe (PID: 2900)
Loads DLL from Mozilla Firefox
- WinUpdatep.exe (PID: 2900)
INFO
Creates files or folders in the user directory
- WinUpdate.exe (PID: 3140)
Checks supported languages
- WinUpdate.exe (PID: 3140)
- WinUpdatep.exe (PID: 2900)
- wmpnscfg.exe (PID: 3680)
Reads Environment values
- WinUpdate.exe (PID: 3140)
- WinUpdatep.exe (PID: 2900)
Reads the machine GUID from the registry
- WinUpdatep.exe (PID: 2900)
- WinUpdate.exe (PID: 3140)
- wmpnscfg.exe (PID: 3680)
Reads the computer name
- WinUpdate.exe (PID: 3140)
- WinUpdatep.exe (PID: 2900)
- wmpnscfg.exe (PID: 3680)
Create files in a temporary directory
- WinUpdatep.exe (PID: 2900)
Manual execution by a user
- wmpnscfg.exe (PID: 3680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Quasar
(PID) Process(2900) WinUpdatep.exe
Version1.4.1
C2 (2)83.113.104.241:39998
Sub_DirSubDir
Install_NameWinUpdatep.exe
Mutexf58810cb-52b2-4fec-bdc9-58721b545682
StartupWindows Updatep
TagWinUpdate
LogDirLogs
SignatureWQ+kUT54CIZ92LjvxO6JpFA2Ku14iVT23iLhc9jeUSygm6rKIJzx3MK7vRqOK6aQpWYRbYn8X6UhbLt82qbgtBRzEDY47zpQUvntSm7GTDjF5Uk/gia1BgiXPBNBoZSN9wkTvo6IJHLFUSr9brmj9qldwI78OAOG8Ux1VFfrWRd/79VTc2QNAtedKnFzeYIMBkcacDoYvA9sGZJxs6pMAZXNrIWBL98yKXkSJJJu5c1KTbeaZ4Ow88ostspTkpKRrXXxbb6Zps8+JjV+lQ4ki/CQhQbx5+siPzMLJKETS811...
CertificateMIIE9DCCAtygAwIBAgIQALgXOZ1uRnno7rzIjP6qjzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDQxODExNTQyNloYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq01N0OxYZAq1nMXMZrBXSzalcu7l8iJhs7uFNSiE6vzK8FaTpBZoCRzrk4XfiL/bQKlNhuvF...
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:03:12 17:16:39+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 3261440 |
| InitializedDataSize: | 3584 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x31e3ce |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.4.1.0 |
| ProductVersionNumber: | 1.4.1.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | Quasar Client |
| FileVersion: | 1.4.1 |
| InternalName: | Client.exe |
| LegalCopyright: | Copyright © MaxXor 2023 |
| LegalTrademarks: | - |
| OriginalFileName: | Client.exe |
| ProductName: | Quasar |
| ProductVersion: | 1.4.1 |
| AssemblyVersion: | 1.4.1.0 |
Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2900 | "C:\Users\admin\AppData\Roaming\SubDir\WinUpdatep.exe" | C:\Users\admin\AppData\Roaming\SubDir\WinUpdatep.exe | WinUpdate.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Quasar Client Exit code: 0 Version: 1.4.1 Modules
Quasar(PID) Process(2900) WinUpdatep.exe Version1.4.1 C2 (2)83.113.104.241:39998 Sub_DirSubDir Install_NameWinUpdatep.exe Mutexf58810cb-52b2-4fec-bdc9-58721b545682 StartupWindows Updatep TagWinUpdate LogDirLogs SignatureWQ+kUT54CIZ92LjvxO6JpFA2Ku14iVT23iLhc9jeUSygm6rKIJzx3MK7vRqOK6aQpWYRbYn8X6UhbLt82qbgtBRzEDY47zpQUvntSm7GTDjF5Uk/gia1BgiXPBNBoZSN9wkTvo6IJHLFUSr9brmj9qldwI78OAOG8Ux1VFfrWRd/79VTc2QNAtedKnFzeYIMBkcacDoYvA9sGZJxs6pMAZXNrIWBL98yKXkSJJJu5c1KTbeaZ4Ow88ostspTkpKRrXXxbb6Zps8+JjV+lQ4ki/CQhQbx5+siPzMLJKETS811... CertificateMIIE9DCCAtygAwIBAgIQALgXOZ1uRnno7rzIjP6qjzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDQxODExNTQyNloYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq01N0OxYZAq1nMXMZrBXSzalcu7l8iJhs7uFNSiE6vzK8FaTpBZoCRzrk4XfiL/bQKlNhuvF... | |||||||||||||||
| 3140 | "C:\Users\admin\AppData\Local\Temp\WinUpdate.exe" | C:\Users\admin\AppData\Local\Temp\WinUpdate.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Quasar Client Exit code: 3 Version: 1.4.1 Modules
| |||||||||||||||
| 3680 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
5 431
Read events
5 399
Write events
27
Delete events
5
Modification events
| (PID) Process: | (3140) WinUpdate.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2900) WinUpdatep.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2900) WinUpdatep.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Windows Updatep |
Value: "C:\Users\admin\AppData\Roaming\SubDir\WinUpdatep.exe" | |||
| (PID) Process: | (3680) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{ACD29A38-E25E-4DCB-8F37-A3A27174191B}\{7068362D-BEE7-4858-9D9B-58A9A2346109} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3680) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D68BFB2E-B10B-4535-A09E-720BBE9CEFB4}\{7068362D-BEE7-4858-9D9B-58A9A2346109} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3680) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D68BFB2E-B10B-4535-A09E-720BBE9CEFB4} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3680) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{ACD29A38-E25E-4DCB-8F37-A3A27174191B} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3680) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{7935C721-396C-41FF-A0D5-CCDBB0FD22E7} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) WinUpdatep.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2900) WinUpdatep.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
1
Suspicious files
4
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2900 | WinUpdatep.exe | C:\Users\admin\AppData\Local\Temp\TarFE7A.tmp | binary | |
MD5:9441737383D21192400ECA82FDA910EC | SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5 | |||
| 2900 | WinUpdatep.exe | C:\Users\admin\AppData\Local\Temp\CabFE79.tmp | compressed | |
MD5:F3441B8572AAE8801C04F3060B550443 | SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF | |||
| 2900 | WinUpdatep.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:F3441B8572AAE8801C04F3060B550443 | SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF | |||
| 3140 | WinUpdate.exe | C:\Users\admin\AppData\Roaming\SubDir\WinUpdatep.exe | executable | |
MD5:A287ECEC15600C38E425E78B1CF874EC | SHA256:D4CDF9FF5120046490950BF713506E1B9E5CD68613A7072BC37721E45C2130AD | |||
| 2900 | WinUpdatep.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:33E632E92D13EC364B1763EF4F286A25 | SHA256:8B6F07639BCDCCCED42C634FBA68B11EB7FF408DD8145977066E44E72ADD4443 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
3
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2900 | WinUpdatep.exe | GET | 200 | 67.27.233.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?724b007489cfb5e7 | unknown | compressed | 61.6 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
868 | svchost.exe | 95.101.148.135:80 | — | Akamai International B.V. | NL | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2900 | WinUpdatep.exe | 83.113.104.241:39998 | — | Orange | FR | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
868 | svchost.exe | 184.30.24.134:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2900 | WinUpdatep.exe | 67.27.233.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown |
2900 | WinUpdatep.exe | 195.201.57.90:443 | ipwho.is | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
armmf.adobe.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ipwho.is |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2900 | WinUpdatep.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) |
2900 | WinUpdatep.exe | Domain Observed Used for C2 Detected | ET MALWARE Generic AsyncRAT Style SSL Cert |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is) |
2900 | WinUpdatep.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] QuasarRAT Successful Connection (CBC_SHA384) |